I ran across this issue as well (with Oracle DS LDAP as backend.)

Once the typo was resolved, even with an extended number of warning days AND 
warnAll set to true in config, there is no modification of behavior for any 
type of account state.

Are the github.io docs missing a lot of material, or are the old wiki docs 
still relevant for 4.x? (i.e., should I be adding ldapErrorDefinitions and 
modifying login-webflow.xml, etc.?) via:
https://wiki.jasig.org/pages/viewpage.action?pageId=26149328

Thanks much for any info.
—
Raymond Walker
Software Systems Engineer StSp.
ITS - Northern Arizona University

From: wa <[email protected]>
Reply-To: [email protected]
Date: Monday, July 14, 2014 at 11:21 AM
To: [email protected]
Cc: [email protected], [email protected], [email protected]
Subject: Re: [cas-user] CAS 4 LPPE Configuration

There is a typo in the documentation.

<bean id="accountStateHandler" 
class="org.jasig.cas.authentication.support.DefaultAccountStateHander" /> 
should be

<bean id="accountStateHandler" 
class="org.jasig.cas.authentication.support.DefaultAccountStateHandler" />

There is a missing 'l' in handler.

On Wednesday, July 9, 2014 10:52:39 PM UTC+5, Daniel Fisher wrote:
Marvin offered to update the documentation once you confirmed the fix.
Thank you for closing the loop on this.

--Daniel Fisher

On Wed, Jul 9, 2014 at 1:36 PM, wa <[email protected]> wrote:
> BTW this should be updated in the documentation at
> http://jasig.github.io/cas/4.0.0/installation/LDAP-Authentication.html
>
>
> On Wednesday, July 9, 2014 10:34:15 PM UTC+5, wa wrote:
>>
>> Figured it out. Had to add the
>> ActiveDirectoryAuthenticationResponseHandler as below to be able to parse AD
>> response.
>>
>>
>> <bean id="authenticator" class="org.ldaptive.auth.Authenticator"
>>       c:resolver-ref="dnResolver"
>>       c:handler-ref="authHandler">
>>       <property name="authenticationResponseHandlers">
>>           <list>
>>               <bean
>> class="org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler"
>> />
>>           </list>
>>       </property>
>> </bean>
>>
>>
>> On Monday, July 7, 2014 6:56:40 PM UTC+5, wa wrote:
>>>
>>> Active Directory is running on Windows 2008 Server
>>>
>>> On Monday, July 7, 2014 11:46:53 AM UTC+5, wa wrote:
>>>>
>>>> LPPE configuration is as below
>>>>
>>>> <bean id="ldapAuthenticationHandler"
>>>>       class="org.jasig.cas.authentication.LdapAuthenticationHandler"
>>>>       p:principalIdAttribute="sAMAccountName"
>>>>       c:authenticator-ref="authenticator"
>>>>       p:passwordPolicyConfiguration-ref="passwordPolicy">
>>>>     <property name="principalAttributeMap">
>>>>         <map>
>>>>             <!--
>>>>                | This map provides a simple attribute resolution
>>>> mechanism.
>>>>                | Keys are LDAP attribute names, values are CAS attribute
>>>> names.
>>>>                | Use this facility instead of a PrincipalResolver if
>>>> LDAP is
>>>>                | the only attribute source.
>>>>                -->
>>>>             <entry key="member" value="member" />
>>>>             <entry key="mail" value="mail" />
>>>>             <entry key="displayName" value="displayName" />
>>>>         </map>
>>>>     </property>
>>>> </bean>
>>>>
>>>> ***************lppe-configuration.xml***************
>>>>
>>>> <beans xmlns="http://www.springframework.org/schema/beans"
>>>>        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>>>>        xmlns:p="http://www.springframework.org/schema/p"
>>>>        xsi:schemaLocation="http://www.springframework.org/schema/beans
>>>> http://www.springframework.org/schema/beans/spring-beans.xsd">
>>>>
>>>>   <!--
>>>>      | Sample LDAP password policy configuration.
>>>>      | There are notable configuration requirements for LDAP components
>>>> required for password policy
>>>>      | depending on the directory (Active Directory, OpenLDAP, etc).
>>>>      | See CAS documentation for more information.
>>>>     -->
>>>>   <bean id="passwordPolicy"
>>>> class="org.jasig.cas.authentication.support.LdapPasswordPolicyConfiguration"
>>>>
>>>> p:alwaysDisplayPasswordExpirationWarning="${password.policy.warnAll}"
>>>>         p:passwordWarningNumberOfDays="${password.policy.warningDays}"
>>>>         p:passwordPolicyUrl="${password.policy.url}"
>>>>         p:accountStateHandler-ref="accountStateHandler" />
>>>>
>>>>   <!-- This component is suitable for most cases but can be replaced
>>>> with a custom component for special cases. -->
>>>>   <bean id="accountStateHandler"
>>>> class="org.jasig.cas.authentication.support.DefaultAccountStateHander" />
>>>>
>>>> </beans>
>>>>
>>>>
>>>> I will check and confirm the Windows server version. Thanks.
>>>>
>>>>
>>>> On Saturday, July 5, 2014 9:43:22 AM UTC+5, Daniel Fisher wrote:
>>>>>
>>>>> On Thu, Jun 26, 2014 at 7:59 AM, wa <[email protected]> wrote:
>>>>> > 2014-06-26 16:42:50,134 DEBUG
>>>>> > [org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP
>>>>> > response:
>>>>> >
>>>>> > [org.ldaptive.auth.AuthenticationResponse@1850787950::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
>>>>> > ldapEntry=[dn=CN=test8\, Bpo,OU=agent ou,OU=BPO test
>>>>> > OU,OU=Campaigns,OU=xxxx,OU=Sites,DC=xxxx,DC=com[]],
>>>>> > accountState=null,
>>>>> > result=false, resultCode=INVALID_CREDENTIALS,
>>>>> > message=javax.naming.AuthenticationException: [LDAP: error code 49 -
>>>>> > 80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext
>>>>> > error, data
>>>>> > 775, v1772\00], controls=null]
>>>>> >
>>>>>
>>>>> accountState is null, so either the authentication response handler
>>>>> failed to parse the response or it isn't configured correctly. What
>>>>> does your lppe configuration look like?
>>>>>
>>>>> --Daniel Fisher
>>>>>
>>>>> --
>>>>> You are currently subscribed to [email protected] as:
>>>>> [email protected]
>>>>> To unsubscribe, change settings or access archives, see
>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
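
The following is an added example, not part of the thread and not CAS or ldaptive code. It shows what "parsing the AD response" amounts to for the DEBUG line quoted above: Active Directory reports the real account condition as a hex sub-code after `data` inside the error 49 message, and until something extracts it the account state stays null. The state labels, the function name and the two lines marked constructed are assumptions of this example.

```python
import re

# Sub-codes Active Directory places after "data" in an LDAP error 49 bind
# failure. The labels on the right are this example's own names.
AD_BIND_SUBCODES = {
    "525": "NO_SUCH_USER",
    "52e": "LOGON_FAILURE",
    "530": "INVALID_LOGON_HOURS",
    "531": "INVALID_WORKSTATION",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "ACCOUNT_EXPIRED",
    "773": "PASSWORD_MUST_CHANGE",
    "775": "ACCOUNT_LOCKED_OUT",
}

# Matches "error code 49 ... AcceptSecurityContext error, data 775" even when
# the log or the mail client has wrapped the message across lines.
_AD_ERR = re.compile(
    r"error\s+code\s+49\b.*?AcceptSecurityContext\s+error,\s*data\s+([0-9a-fA-F]+)",
    re.DOTALL,
)

def ad_account_state(message):
    """Return (subcode, state) for an AD bind failure, or None when the text
    carries no AD sub-code (for example a response from another directory)."""
    m = _AD_ERR.search(message)
    if m is None:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "UNKNOWN")

# Message text from the DEBUG line quoted in this thread, wrapped as posted.
THREAD_LINE = ("message=javax.naming.AuthenticationException: [LDAP: error code 49 - "
               "80090308: LdapErr: DSID-0C0903AA, comment: AcceptSecurityContext\n"
               "error, data\n775, v1772\\00], controls=null]")
# Constructed inputs: a wrong-password bind and a non-AD directory response.
CONSTRUCTED_BAD_PW = ("[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, "
                      "comment: AcceptSecurityContext error, data 52e, v1772]")
CONSTRUCTED_NON_AD = "[LDAP: error code 49 - Invalid Credentials]"

if __name__ == "__main__":
    for line in (THREAD_LINE, CONSTRUCTED_BAD_PW, CONSTRUCTED_NON_AD):
        print(ad_account_state(line))
```

The `None` result for the non-AD line matters when reading the first message in this thread: a directory that does not emit AD sub-codes gives an AD-specific parser nothing to work with.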