Thanks for the note. Would you mind capturing the issue into a JIRA? Found this link that appropriately explains AD behavior: http://technet.microsoft.com/en-us/library/ee198831.aspx
-Misagh

> -----Original Message-----
> From: Philippe MARASSE [mailto:[email protected]]
> Sent: Friday, August 24, 2012 11:07 AM
> To: [email protected]
> Subject: Re: [cas-user] LPPE : handling accounts with "password never expires"
>
> Yes, we're using Active Directory, and dateFormat is set as "AD"; the Spring beans
> file lppe-configuration.xml has been used unmodified. But I don't understand how
> the check for "password does not expire" is done. A value seems to be
> compared to 2^63-1, but as far as I remember, one needs to fetch the
> userAccountControl AD attribute, and the never-expire bit is 2^16.
>
> Rgds.
> Philippe.
>
>
> On 24/08/2012 18:21, Misagh Moayyed wrote:
> > If you're using Active Directory, specify the dateFormat as such. The
> > code should automatically check for accounts that are set to never
> > expire with AD. For OpenLDAP and others, I don't think the support is
> > there, other than setting noWarn attributes.
> >
> > -Misagh
> >
> >> -----Original Message-----
> >> From: Philippe MARASSE [mailto:[email protected]]
> >> Sent: Friday, August 24, 2012 7:26 AM
> >> To: [email protected]
> >> Subject: [cas-user] LPPE : handling accounts with "password never expires"
> >>
> >> Hello,
> >>
> >> I was about to put my LPPE-enabled CAS 3.5 into production when I tested
> >> a login with an account which has "Password never expires": access is refused!
> >> From my server log:
> >>
> >> 2012-08-24 15:07:57,903 ERROR
> >> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] -
> >> Authentication failed because account password has expired with -831
> >> to expiration date.
> >> Verify the value of the pwdlastset attribute and make sure it's not before
> >> the current date, which is 2012-08-24T13:07:57.890Z :Authentication failed
> >> because account password has expired with -831 to expiration date.
> >> Verify the value of the pwdlastset attribute and make sure it's not before
> >> the current date, which is 2012-08-24T13:07:57.890Z
> >>
> >> Of course the computed date is before today... because the "password does
> >> not expire" flag is set for this account.
> >>
> >> I've found a noWarnAttribute property for LdapPasswordPolicyEnforcer, but it
> >> does not fit well with the userAccountControl AD attribute (a bitmask; the
> >> 16th bit means "password does not expire"). If I used it as
> >> noWarnAttribute, I'd have to provide all possible values, which is
> >> nearly impossible.
> >>
> >> How can I handle this case?
> >> Thanks.
> >> Regards.
> >>
> >> --
> >> Philippe MARASSE
> >>
> >> Service Informatique - Centre Hospitalier Henri Laborit
> >> BP 587 - 370 avenue Jacques Coeur
> >> 86021 Poitiers Cedex
> >> Tel : 05.49.44.57.19
> >>
>
> --
> You are currently subscribed to [email protected] as: [email protected]
> To unsubscribe, change settings or access archives, see
> http://www.ja-sig.org/wiki/display/JSG/cas-user
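The thread above turns on how Active Directory represents "password never expires". The following is an added worked example and is not CAS or LPPE code (it is written in Python rather than CAS's Java so the attribute semantics stand on their own): it contrasts a date-sentinel test (the 2^63-1 comparison Philippe mentions) with a test of the userAccountControl bit (2^16), and shows how an old pwdLastSet on a flagged account produces the kind of negative "days to expiration" figure seen in the log. The sample entries, the 90-day password age, the `honor_flag` switch and all function names are constructed assumptions, not values from any real directory or from CAS.

```python
"""Interpreting Active Directory password-expiry attributes.

Added example, not CAS/LPPE code. Shows why a "never expires" decision has
to look at the userAccountControl bitmask rather than only at a date
sentinel. All sample entries below are constructed.
"""
from datetime import datetime, timedelta, timezone

# userAccountControl flag bits (Microsoft ADS_USER_FLAG values).
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000   # 2**16: "Password never expires"

# AD stores accountExpires as 0 or 2**63-1 when the account never expires;
# pwdLastSet is a real timestamp even when the never-expire flag is set.
NEVER_EXPIRES_SENTINEL = 2**63 - 1

# AD "large integer" timestamps count 100-ns ticks since 1601-01-01 UTC.
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """Convert an AD timestamp (100-ns ticks since 1601) to an aware datetime."""
    return _EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; integer math avoids float rounding."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10**7 + delta.microseconds * 10


def is_never_expiring_sentinel(value):
    """Date-sentinel test: true only for the two 'never' magic values."""
    return value in (0, NEVER_EXPIRES_SENTINEL)


def password_never_expires(entry):
    """Bitmask test on userAccountControl; this is what catches the flag."""
    return bool(entry["userAccountControl"] & UF_DONT_EXPIRE_PASSWD)


def password_expiry_status(entry, max_pwd_age_days, now, honor_flag=True):
    """Return (status, days_to_expiry) the way a policy enforcer would.

    status is 'never', 'must_change', 'expired' or 'ok'. honor_flag=False
    (an assumed switch for illustration) reproduces the behaviour of a
    checker that ignores the bitmask and only does date arithmetic.
    """
    if honor_flag and password_never_expires(entry):
        return "never", None
    pwd_last_set = entry["pwdLastSet"]
    if pwd_last_set == 0:           # AD: user must change password at next logon
        return "must_change", 0
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=max_pwd_age_days)
    days_left = (expires_at - now).days
    return ("expired" if days_left < 0 else "ok"), days_left


# Constructed scenario: the "current date" from the log, and an assumed
# 90-day maxPwdAge (the real value comes from the domain object).
NOW = datetime(2012, 8, 24, 13, 7, 57, 890000, tzinfo=timezone.utc)
MAX_PWD_AGE_DAYS = 90

# Constructed: flag set, password last changed 921 days ago.
NEVER_EXPIRES_ACCOUNT = {
    "sAMAccountName": "svc-example",
    "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD,
    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=921)),
}
# Constructed: ordinary user, password changed 10 days ago.
NORMAL_ACCOUNT = {
    "sAMAccountName": "jdoe",
    "userAccountControl": UF_NORMAL_ACCOUNT,
    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=10)),
}


def evaluate(entry):
    """Run both tests side by side for one entry."""
    return {
        "sentinel_says_never": is_never_expiring_sentinel(entry["pwdLastSet"]),
        "bit_says_never": password_never_expires(entry),
        "status": password_expiry_status(entry, MAX_PWD_AGE_DAYS, NOW),
        "status_ignoring_flag": password_expiry_status(
            entry, MAX_PWD_AGE_DAYS, NOW, honor_flag=False),
    }


if __name__ == "__main__":
    for e in (NEVER_EXPIRES_ACCOUNT, NORMAL_ACCOUNT):
        print(e["sAMAccountName"], evaluate(e))
```

For the flagged account the sentinel test is false (pwdLastSet is an ordinary date), the bitmask test is true, and a checker that skips the bitmask reports "expired" with -831 days, which is the shape of the log line above. Any enforcer that wants to honour "Password never expires" therefore has to read userAccountControl and mask bit 2^16, not compare dates against a magic value.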
