In our LDAP instance, we are not storing passwordLastChanged, or any of the 
values you mention in the configuration or docs.
shadowLastChange is a literal value in the directory with the days since epoch 
that the password was last changed.

We are deriving the password expiration from (now since epoch in days) - 
passwordLastChanged > shadowMax or shadowWarning.
I currently have shadowMax in the validDaysAttribute; but the dateAttribute 
either needs to be calculated in AD style or in some datetime format. The code 
has not reached the step where it is comparing; it throws an exception in its 
inability to convert the dateAttribute into a valid date.

Thanks for the reply; I hope this explains what is in our system. I thought I 
read that you haven't really tested in an OpenLDAP environment, which ours is. 
Anyone else out there using Open or Sun LDAP with CAS?
-Michael.
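The derivation described in this message, as an added example that is not CAS code and not part of the thread: it converts shadowLastChange (days since epoch), a seconds-since-epoch attribute, or an AD FILETIME value into a date, then applies the shadowMax / shadowWarning rule. It uses java.time instead of Joda-Time so it runs without extra dependencies; the unit names, the 2012 sample values and the fixed "now" are constructed for illustration.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;

/** Added example, not CAS code: turn shadow-style LDAP values into dates and apply shadowMax/shadowWarning. */
public final class ShadowPasswordPolicy {
    enum Status { OK, WARNING, EXPIRED }

    // AD FILETIME is 100-nanosecond ticks since 1601-01-01; offset to the Unix epoch in seconds.
    private static final long TICKS_PER_SECOND = 10_000_000L;
    private static final long SECONDS_FROM_1601_TO_1970 = 11_644_473_600L;

    /** Convert the raw attribute string into an Instant according to the unit the directory stores (unit names are constructed). */
    static Instant toInstant(final String raw, final String unit) {
        final long v = Long.parseLong(raw.trim());
        switch (unit) {
            case "EpochDays":       return Instant.EPOCH.plus(v, ChronoUnit.DAYS);   // shadowLastChange
            case "EpochSeconds":    return Instant.ofEpochSecond(v);                 // seconds-since-epoch attribute
            case "ActiveDirectory": return Instant.ofEpochSecond(v / TICKS_PER_SECOND - SECONDS_FROM_1601_TO_1970);
            default: throw new IllegalArgumentException("unsupported date unit: " + unit);
        }
    }

    /** Whole days until the password expires; negative once (now - lastChange) exceeds shadowMax. */
    static long daysUntilExpiry(final Instant lastChange, final long shadowMax, final Instant now) {
        final long daysSinceChange = ChronoUnit.DAYS.between(lastChange, now);
        return shadowMax - daysSinceChange;
    }

    /** The rule from the thread: expired when the age exceeds shadowMax, warn when inside the shadowWarning window. */
    static Status evaluate(final Instant lastChange, final long shadowMax, final long shadowWarning, final Instant now) {
        final long left = daysUntilExpiry(lastChange, shadowMax, now);
        if (left < 0) return Status.EXPIRED;
        if (left <= shadowWarning) return Status.WARNING;
        return Status.OK;
    }

    public static void main(final String[] args) {
        // Constructed sample: shadowLastChange=15600 (2012-09-17), shadowMax=60, shadowWarning=30,
        // with "now" pinned to 2012-10-23 so the run is reproducible.
        final Instant lastChange = toInstant("15600", "EpochDays");
        final Instant now = Instant.parse("2012-10-23T00:00:00Z");
        System.out.println("last change: " + lastChange);
        System.out.println("days left:   " + daysUntilExpiry(lastChange, 60, now));
        System.out.println("status:      " + evaluate(lastChange, 60, 30, now));
        // The same helper accepts a FILETIME string (constructed value for 2012-10-23T00:00:00Z).
        System.out.println("filetime:    " + toInstant("129954240000000000", "ActiveDirectory"));
    }
}
```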

From: Misagh Moayyed [mailto:[email protected]]
Sent: Tuesday, October 23, 2012 11:02 AM
To: [email protected]
Subject: RE: [cas-user] CAS 3.5.1, LDAP, LPPE, and datetime values

I am assuming that the attributes that are based on days, for instance, are 
calculated and added to a different attribute such as "passwordLastChanged" and 
the like? If that is so, you could specify that attribute as the password 
expiration date and specify the name of the attribute for the "validDays" 
property, which will be added to the date retrieved to calculate the final 
expiration date.

-Misagh

From: Lazar, Michael E [mailto:[email protected]]
Sent: Monday, October 22, 2012 1:55 PM
To: [email protected]
Subject: [cas-user] CAS 3.5.1, LDAP, LPPE, and datetime values

Hello!

We are working with LPPE on a CAS 3.5.1 war overlay.
CAS is connected to our LDAP instance, which is a Sun directory with values 
that started with an OpenLDAP installation.
I have a CAS instance running locally, connected to Eclipse to pursue debugging.

We use attributes shadowWarning, shadowMax, and shadowLastChange which are 
fields that are in days from epoch. We also store a value that is in seconds 
from the epoch.
When I entered these values into the cas.properties, the system authenticated 
me and then went straight to the error flow, so I started digging.

It seems that I am having trouble convincing the LdapPasswordPolicyEnforcer 
code to accept our values as seconds or days from the epoch.
The setting ldap.authentication.lppe.dateAttribute seems to be expecting a 
value that is either an AD representation of the last password change date/time or 
something in an actual datetime format. Epoch days or seconds are neither.

Is there anyone out there with information about using the 
DateTimeFormat.forPattern() method with a string for days or seconds since 
epoch, or should I be requesting (or writing) a new method or two to handle 
days or seconds from epoch?

Let me know; here is the mentioned code, from LdapPasswordPolicyEnforcer.java, 
lines 374 to 396.
Happy to help, and thanks in advance!

-Michael.

    private DateTime convertDateToActiveDirectoryFormat(final String pswValue) {
        // Active Directory stores the value as 100-nanosecond intervals since 1601-01-01
        final long l = Long.parseLong(pswValue.trim());

        final long totalSecondsSince1601 = l / 10000000;
        final long totalSecondsSince1970 = totalSecondsSince1601 - TOTAL_SECONDS_FROM_1601_1970;

        final DateTime dt = new DateTime(totalSecondsSince1970 * 1000, DEFAULT_TIME_ZONE);

        logInfo("Recalculated " + this.dateFormat + " " + this.dateAttribute + " attribute to " + dt.toString());

        return dt;
    }

    /**
     * Parses and formats the retrieved date value from Ldap
     * @param ldapResult
     * @return newly constructed date object whose value was passed
     */
    private DateTime formatDateByPattern(final String ldapResult) {
        // Interprets the raw attribute with the configured dateFormat pattern; a bare
        // days-since-epoch or seconds-since-epoch string does not match and parsing throws
        final DateTimeFormatter fmt = DateTimeFormat.forPattern(this.dateFormat);
        final DateTime date = new DateTime(DateTime.parse(ldapResult, fmt), DEFAULT_TIME_ZONE);
        return date;
    }

--
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
