I use the LPPE extension with Sun LDAP, but the internal password policy
system uses a string format for the date like this: 20121023132345Z (i.e.
2012-10-23 13:23:45) which works well with the date formatter.  Is your
passwordLastChanged value getting set by pam_ldap or some other external
library?  I haven't seen Sun LDAP use Unix time for tracking dates before.

You'll need to add a new method to support Unix time since that's a time
format that SimpleDateFormat doesn't support.  JodaTime will create a new
DateTime object given milliseconds since the beginning of the epoch, so
you'll just have to do something like this:

private DateTime convertDateToUnixTime(final String value) {
    // value is seconds since the Unix epoch; DateTime expects milliseconds
    final long seconds = Long.parseLong(value.trim());
    final DateTime dt = new DateTime(seconds * 1000, DEFAULT_TIME_ZONE);
    return dt;
}

and then modify getExpirationDateToUse() to call this function instead
of formatDateByPattern().


On Tue, Oct 23, 2012 at 2:19 PM, Lazar, Michael E <[email protected]> wrote:

> In our LDAP instance, we are not storing passwordLastChanged, or any of
> the values you mention in the configuration or docs.
>
> shadowLastChange is a literal value in the directory with the days since
> epoch that the password was last changed.
>
> We are deriving the password expiration from (now since epoch in days) –
> passwordLastChanged > shadowMax or shadowWarning.
>
> I currently have shadowMax in the validDaysAttribute; but the
> dateAttribute either needs to be calculated in AD style or in some datetime
> format – the code has not reached the step where it is comparing – it
> throws an exception in its inability to convert the dateAttribute into a
> valid date.
>
> Thanks for the reply; I hope this explains what is in our system. I
> thought I read that you haven’t really tested in an openLDAP environment,
> which ours is. Anyone else out there using Open or Sun LDAP with CAS?
>
> -Michael.
>
> *From:* Misagh Moayyed [mailto:[email protected]]
> *Sent:* Tuesday, October 23, 2012 11:02 AM
> *To:* [email protected]
> *Subject:* RE: [cas-user] CAS 3.5.1, LDAP, LPPE, and datetime values
>
> I am assuming that the attributes that are based on days for instance, are
> calculated and added to a different attribute such as “passwordLastChanged”
> and the like, etc? If that is so, you could specify that attribute as the
> password expiration date and specify the name of the attribute for the
> “validDays” property which will be added to the date retrieved to calculate
> the final expiration date, etc.
>
> -Misagh
>
> *From:* Lazar, Michael E [mailto:[email protected]]
> *Sent:* Monday, October 22, 2012 1:55 PM
> *To:* [email protected]
> *Subject:* [cas-user] CAS 3.5.1, LDAP, LPPE, and datetime values
>
> Hello!
>
> We are working with LPPE on a CAS 3.5.1 war overlay.
>
> CAS is connected to our LDAP instance, which is a sun directory with
> values that started with an OpenLDAP installation.
>
> I have a CAS instance running locally, connected to eclipse to pursue
> debugging.
>
> We use attributes shadowWarning, shadowMax, and shadowLastChange which are
> fields that are in days from epoch. We also store a value that is in
> seconds from the epoch.
>
> When I entered these values into the cas.properties, the system
> authenticated me and then went straight to the error flow, so I started
> digging.
>
> It seems that I am having trouble convincing the
> LdapPasswordPolicyEnforcer code to accept our values as seconds or days
> from the epoch.
>
> The setting ldap.authentication.lppe.dateAttribute seems to be expecting a
> value that is either an AD representation of the last password change dttm
> or something in an actual datetime format. Epoch days or seconds are
> neither.
>
> Is there anyone out there with information about using
> DateTimeFormat.forPattern() method with a string for days or seconds since
> epoch, or should I be requesting (or writing) a new method or two to handle
> days or seconds from epoch?
>
> Let me know, here is the mentioned code, from
> LdapPasswordPolicyEnforcer.java, lines 374 to 396.
>
> Happy to help, and thanks in advance!
>
> -Michael.
>
>     private DateTime convertDateToActiveDirectoryFormat(final String pswValue) {
>         final long l = Long.parseLong(pswValue.trim());
>
>         final long totalSecondsSince1601 = l / 10000000;
>         final long totalSecondsSince1970 = totalSecondsSince1601 - TOTAL_SECONDS_FROM_1601_1970;
>
>         final DateTime dt = new DateTime(totalSecondsSince1970 * 1000, DEFAULT_TIME_ZONE);
>
>         logInfo("Recalculated " + this.dateFormat + " " + this.dateAttribute + " attribute to " + dt.toString());
>
>         return dt;
>     }
>
>     /**
>      * Parses and formats the retrieved date value from Ldap
>      * @param ldapResult
>      * @return newly constructed date object whose value was passed
>      */
>     private DateTime formatDateByPattern(final String ldapResult) {
>         final DateTimeFormatter fmt = DateTimeFormat.forPattern(this.dateFormat);
>         final DateTime date = new DateTime(DateTime.parse(ldapResult, fmt), DEFAULT_TIME_ZONE);
>         return date;
>     }
>
> --
> You are currently subscribed to [email protected] as: 
> [email protected]
> To unsubscribe, change settings or access archives, see 
> http://www.ja-sig.org/wiki/display/JSG/cas-user


-- 
Eric Pierce
Identity Management Architect
Information Technology
University of South Florida
(813) 974-8868 -- [email protected]
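
Added example, not part of the original thread or of CAS: shadowLastChange, shadowMax and shadowWarning hold day counts, so a seconds-based converter applied to them lands on 1 January 1970 and the password then looks long expired. The code below converts epoch days with Joda-Time and derives the expiry status; the class and method names are hypothetical, UTC stands in for DEFAULT_TIME_ZONE, and the attribute values are constructed.

```java
import org.joda.time.DateTime;
import org.joda.time.DateTimeConstants;
import org.joda.time.DateTimeZone;
import org.joda.time.Days;

// Added example (hypothetical names, not CAS code); needs Joda-Time on the classpath.
public class ShadowExpiryExample {

    enum Status { VALID, WARN, EXPIRED }

    // shadowLastChange holds whole days since 1970-01-01, not seconds.
    static DateTime fromEpochDays(final String value) {
        final long days = Long.parseLong(value.trim()); // throws on non-numeric input
        if (days < 0) {
            throw new IllegalArgumentException("negative day count: " + days);
        }
        return new DateTime(days * DateTimeConstants.MILLIS_PER_DAY, DateTimeZone.UTC);
    }

    // Seconds since the epoch, for the attribute the thread says is stored in seconds.
    static DateTime fromEpochSeconds(final String value) {
        return new DateTime(Long.parseLong(value.trim()) * 1000L, DateTimeZone.UTC);
    }

    // Expiry is last change plus shadowMax days; warn within shadowWarning days of it.
    static Status check(final String lastChange, final String max,
                        final String warning, final DateTime now) {
        final DateTime expires =
                fromEpochDays(lastChange).plusDays(Integer.parseInt(max.trim()));
        if (!now.isBefore(expires)) {
            return Status.EXPIRED;
        }
        final int daysLeft = Days.daysBetween(now, expires).getDays();
        return daysLeft <= Integer.parseInt(warning.trim()) ? Status.WARN : Status.VALID;
    }

    public static void main(final String[] args) {
        // Constructed values: day 15636 and second 1350998625 both fall on 2012-10-23.
        final DateTime now = fromEpochSeconds("1350998625");
        System.out.println("days read as days:    " + fromEpochDays("15636"));
        System.out.println("days read as seconds: " + fromEpochSeconds("15636"));
        System.out.println(check("15600", "90", "7", now));
        System.out.println(check("15550", "90", "7", now));
        System.out.println(check("15500", "90", "7", now));
    }
}
```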
