Jira issue filed: https://issues.jasig.org/browse/CAS-1173
By the way, I'm working on AD fine-grained password policies. If anyone is interested, I can write a PasswordPolicyEnforcer that relies upon AD 2008 policies.
Philippe.
On 25/08/2012 04:33, Misagh Moayyed wrote:
Thanks for the note. Would you mind capturing the issue into a JIRA?
Found this link that appropriately explains AD behavior:
http://technet.microsoft.com/en-us/library/ee198831.aspx
-Misagh
-----Original Message-----
From: Philippe MARASSE [mailto:[email protected]]
Sent: Friday, August 24, 2012 11:07 AM
To: [email protected]
Subject: Re: [cas-user] LPPE : handling accounts with "password never expires"
Yes, we're using Active Directory, and dateFormat is set as "AD"; the Spring beans file lppe-configuration.xml has been used unmodified. But I don't understand how the check for "password does not expire" is done. A value seems to be compared to 2^63-1, but as far as I remember, one needs to fetch the userAccountControl AD attribute, and the never-expire bit is 2^16.
Rgds.
Philippe.
On 24/08/2012 18:21, Misagh Moayyed wrote:
If you're using Active Directory, specify the dateFormat as such. The
code should automatically check for accounts that are set to never
expire with AD. OpenLdap and others, I don't think the support is
there, other than setting noWarn attributes.
-Misagh
-----Original Message-----
From: Philippe MARASSE [mailto:[email protected]]
Sent: Friday, August 24, 2012 7:26 AM
To: [email protected]
Subject: [cas-user] LPPE : handling accounts with "password never expires"
Hello,
I was about to put my LPPE-enabled CAS 3.5 into production when I tested a login with an account which has "Password never expires": access is refused! From my server log:
2012-08-24 15:07:57,903 ERROR [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z :Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z
Of course the computed date is before today, because the "password does not expire" flag is set for this account.
I've found a noWarnAttribute property for LdapPasswordPolicyEnforcer, but it does not fit well with the userAccountControl AD attribute (a bitmask, where the 16th bit means "password does not expire"). If I were to use it as noWarnAttribute, I'd have to provide all possible values, which is nearly impossible.
How can I handle this case?
Thanks.
Regards.
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
--
You are currently subscribed to [email protected] as:
[email protected] To unsubscribe, change settings or access archives,
see
http://www.ja-sig.org/wiki/display/JSG/cas-user
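The point of the thread is that on Active Directory, "Password never expires" is a bit in userAccountControl (UF_DONT_EXPIRE_PASSWD, 0x10000 = 2^16), not a date value, so an enforcer that only compares a timestamp against the 2^63-1 "never" sentinel (which is what accountExpires uses) will still compute a past expiry from pwdLastSet and reject the login. The following is an added example written for this page, not CAS code: it converts pwdLastSet (a Windows FILETIME, 100 ns ticks since 1601-01-01 UTC) and the domain's maxPwdAge (a negative 100 ns interval) into an expiry date, but tests the flag first. The LDAP entries, the 90-day maxPwdAge and the "now" taken from the log line above are constructed sample data; treating a zero or most-negative maxPwdAge as "no domain-wide expiry" is an assumption stated in the code.

```python
"""Evaluate AD password expiry honouring the userAccountControl flag.

Added example for the thread above; not CAS code. Sample data is constructed.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # FILETIME counts 100 ns ticks
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
NEVER_SENTINEL = 0x7FFF_FFFF_FFFF_FFFF   # 2^63-1: the accountExpires "never" value

# userAccountControl flag bits (AD UF_* constants)
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_DONT_EXPIRE_PASSWD = 0x10000          # bit 16: "Password never expires"


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime (integer arithmetic, no float loss)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME ticks."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def check_by_sentinel_only(entry: dict) -> bool:
    """A sentinel-only test of pwdLastSet, as the thread describes. It can never
    see the 'never expires' setting, because that lives in userAccountControl."""
    return int(entry["pwdLastSet"]) == NEVER_SENTINEL


def password_status(entry: dict, max_pwd_age: int, now: datetime):
    """Return (status, days_to_expiry) for one AD entry.

    entry       -- attribute values as strings, as an LDAP client returns them
    max_pwd_age -- the domain's maxPwdAge (negative 100 ns interval)
    """
    uac = int(entry["userAccountControl"])
    pwd_last_set = int(entry["pwdLastSet"])

    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    # Test the bitmask; enumerating every possible uac value (the noWarnAttribute
    # approach) is what the thread says is impractical.
    if uac & UF_DONT_EXPIRE_PASSWD:
        return "never", None
    if pwd_last_set == 0:                 # AD: user must change password at next logon
        return "must_change", None
    # Assumption: a zero or most-negative maxPwdAge means no domain-wide expiry.
    if max_pwd_age in (0, -(1 << 63)):
        return "never", None
    expires_at = filetime_to_datetime(pwd_last_set - max_pwd_age)  # minus a negative interval
    days = (expires_at - now).days
    return ("expired" if days < 0 else "ok"), days


# Constructed sample data: "now" is the timestamp from the log line in the thread,
# the 90-day maxPwdAge is invented, and pwdLastSet values are derived from it.
NOW = datetime(2012, 8, 24, 13, 7, 57, 890_000, tzinfo=timezone.utc)
MAX_PWD_AGE = -90 * TICKS_PER_DAY

SAMPLE_ENTRIES = {
    # Same stale pwdLastSet as "stale" below, but with the flag set: must be accepted.
    "never-expires": {
        "userAccountControl": str(UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
        "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=921))),
    },
    # Expired 831 days ago (921 - 90), matching the -831 in the logged error.
    "stale": {
        "userAccountControl": str(UF_NORMAL_ACCOUNT),
        "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=921))),
    },
    "fresh": {
        "userAccountControl": str(UF_NORMAL_ACCOUNT),
        "pwdLastSet": str(datetime_to_filetime(NOW - timedelta(days=10))),
    },
    "must-change": {"userAccountControl": str(UF_NORMAL_ACCOUNT), "pwdLastSet": "0"},
}


def evaluate_all() -> dict:
    return {name: password_status(e, MAX_PWD_AGE, NOW) for name, e in SAMPLE_ENTRIES.items()}


if __name__ == "__main__":
    for name, result in evaluate_all().items():
        sentinel = check_by_sentinel_only(SAMPLE_ENTRIES[name])
        print(f"{name:14} status={result}  sentinel-only says never={sentinel}")
```

The "never-expires" entry has exactly the pwdLastSet that produces the -831 days in the log, and the sentinel-only check still reports it as expiring; only the flag test returns "never". In a real enforcer the domain's maxPwdAge comes from the domain root object, and fine-grained password policies (PSOs) can override it per user, which is the follow-up work mentioned at the top of the thread.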