With this added, I get the following debug info from ldaptive:

2014-07-21 09:56:47,040 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolve user=XXX>
2014-07-21 09:56:47,041 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <searching for DN using userFilter>
2014-07-21 09:56:47,058 DEBUG [org.ldaptive.auth.PooledSearchDnResolver] - <resolved dn=YYY for user=XXX>
2014-07-21 09:56:47,059 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate dn=YYY with request=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]>
2014-07-21 09:56:47,060 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate criteria=[org.ldaptive.auth.AuthenticationCriteria@246863237::dn=YYY, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]]>
2014-07-21 09:56:47,088 DEBUG [org.ldaptive.auth.PooledBindAuthenticationHandler] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@271859923::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@2053405583::config=[org.ldaptive.ConnectionConfig@1525426191::ldapUrl=ldap://ldap-dev.nau.edu, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1178214251::connectionCount=1, environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@300207570::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=DEFAULT, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null, controlProcessor=org.ldaptive.provider.ControlProcessor@44849f2b]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@5eede331], result=true, resultCode=SUCCESS, message=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] for criteria=[org.ldaptive.auth.AuthenticationCriteria@246863237::dn=YYY, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]]>
2014-07-21 09:56:47,091 DEBUG [org.ldaptive.auth.SearchEntryResolver] - <resolve criteria=[org.ldaptive.auth.AuthenticationCriteria@246863237::dn=YYY, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]]>
2014-07-21 09:56:47,217 DEBUG [org.ldaptive.auth.SearchEntryResolver] - <resolved result=[SCRUBBED RETURN OF * ATTRS] for criteria=[org.ldaptive.auth.AuthenticationCriteria@246863237::dn=YYY, authenticationRequest=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]]>
2014-07-21 09:56:47,217 INFO [org.ldaptive.auth.Authenticator] - <Authentication succeeded for dn: YYY>
2014-07-21 09:56:47,221 DEBUG [org.ldaptive.auth.Authenticator] - <authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@271859923::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@2053405583::config=[org.ldaptive.ConnectionConfig@1525426191::ldapUrl=ldap://ldap-dev.nau.edu, connectTimeout=3000, responseTimeout=-1, sslConfig=null, useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1178214251::connectionCount=1, environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@300207570::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=DEFAULT, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null, controlProcessor=org.ldaptive.provider.ControlProcessor@44849f2b]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@5eede331], result=true, resultCode=SUCCESS, message=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] for dn=YYY with request=[org.ldaptive.auth.AuthenticationRequest@1646883060::user=XXX, retAttrs=[]]>
2014-07-21 09:56:47,224 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <LdapAuthenticationHandler successfully authenticated XXX+password>
2014-07-21 09:56:47,227 INFO [org.jasig.cas.authentication.PolicyBasedAuthenticationManager] - <Authenticated XXX with credentials [XXX+password].>
I'm not seeing anything here related to determining the password expiration time for the user, nor am I seeing any webflow shift to display a warning for this user, even though their password is not expired. Any ideas? I'm specifically referring to my initial email concerning the old docs and modifications of web flow, ldapErrorDefinitions, LPPE settings, etc.

Also, the scrubbed portion of this shows a large number of returned attributes; is it possible to retrieve one of these (uid) to replace the principalID? This may be off topic, as I've started another thread about this.

―
Raymond Walker
Software Systems Engineer
StSp. ITS - Northern Arizona University

On 7/21/14, 9:25 AM, "Daniel Fisher" <[email protected]> wrote:

>On Mon, Jul 21, 2014 at 12:12 PM, Raymond Drew Walker
><[email protected]> wrote:
>> I'll crank up logging to see if anything comes up. Here's my deployer
>> config:
>>
>> <bean id="authHandler"
>>       class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>>       p:connectionFactory-ref="bindPooledLdapConnectionFactory" />
>>
>
>Try adding the password policy control:
>
><bean id="authHandler"
>      class="org.ldaptive.auth.PooledBindAuthenticationHandler"
>      p:connectionFactory-ref="bindPooledLdapConnectionFactory">
>  <property name="authenticationControls">
>    <util:list>
>      <bean class="org.ldaptive.control.PasswordPolicyControl" />
>    </util:list>
>  </property>
></bean>
>
>Unlike active directory, ppolicy requires both a request and response
>control.
>
>--Daniel Fisher
>
>--
>You are currently subscribed to [email protected] as:
>[email protected]
>To unsubscribe, change settings or access archives, see
>http://www.ja-sig.org/wiki/display/JSG/cas-user
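Added example (mine, not from this thread and not code from the CAS or ldaptive projects). The debug output above already shows the bind side doing what Daniel describes: the response carries controls=[[org.ldaptive.control.PasswordPolicyControl ... timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]], so the server honoured the request control and answered with a response control. Both warning fields are optional in the ppolicy control, and a server following the draft only fills timeBeforeExpiration once the account is inside its expiry-warning window, so 0 here most likely means "nothing to warn about for this account yet" rather than a broken control. The Java below shows how that response control is turned into a decision the login flow can act on. It is written against the ldaptive 1.x API as I understand it (getTimeBeforeExpiration, getGraceAuthNsRemaining, getError and the matching setters on PasswordPolicyControl; getControls on AuthenticationResponse), which should be checked against the deployed version; the warning window and the sample control values in main are constructed for the demonstration.

```java
import org.ldaptive.auth.AuthenticationResponse;
import org.ldaptive.control.PasswordPolicyControl;
import org.ldaptive.control.ResponseControl;

/**
 * Added example: maps the ppolicy response control ldaptive attaches to an
 * AuthenticationResponse onto a login-flow decision. Assumes the ldaptive 1.x
 * API named in the log; verify against the version actually deployed.
 */
public final class PasswordPolicyInspector {

    /** What the login flow should do once the bind result is known. */
    public enum Outcome {
        NO_CONTROL,        // server returned no ppolicy response control at all
        OK,                // control present, nothing to report
        EXPIRING_SOON,     // warn the user: expiry is inside the configured window
        GRACE_LOGINS_ONLY, // password already expired, only grace binds remain
        POLICY_ERROR       // server reported a hard ppolicy error
    }

    public static final class Verdict {
        public final Outcome outcome;
        public final String detail;

        Verdict(Outcome outcome, String detail) {
            this.outcome = outcome;
            this.detail = detail;
        }

        @Override
        public String toString() {
            return outcome + ": " + detail;
        }
    }

    /** Locate the ppolicy control among whatever controls came back. */
    static PasswordPolicyControl findControl(ResponseControl[] controls) {
        if (controls == null) {
            return null;
        }
        for (ResponseControl c : controls) {
            if (c instanceof PasswordPolicyControl) {
                return (PasswordPolicyControl) c;
            }
        }
        return null;
    }

    /**
     * warnWithinSeconds is a deployment choice (constructed here, not a CAS or
     * ldaptive setting). timeBeforeExpiration and graceAuthNsRemaining are
     * optional in the control; ldaptive reports an absent field as 0, so 0 is
     * read as "not sent", never as "expires now".
     */
    public static Verdict inspect(ResponseControl[] controls, int warnWithinSeconds) {
        PasswordPolicyControl ppc = findControl(controls);
        if (ppc == null) {
            return new Verdict(Outcome.NO_CONTROL,
                "no PasswordPolicyControl in response: request control not sent or ppolicy not applied to this entry");
        }
        if (ppc.getError() != null) {
            // e.g. password expired with no grace logins, or account locked
            return new Verdict(Outcome.POLICY_ERROR, ppc.getError().name());
        }
        if (ppc.getGraceAuthNsRemaining() > 0) {
            return new Verdict(Outcome.GRACE_LOGINS_ONLY,
                ppc.getGraceAuthNsRemaining() + " grace authentication(s) remaining; force a password change");
        }
        int secs = ppc.getTimeBeforeExpiration();
        if (secs > 0 && secs <= warnWithinSeconds) {
            return new Verdict(Outcome.EXPIRING_SOON,
                "password expires in about " + (secs / 86400) + " day(s)");
        }
        return new Verdict(Outcome.OK, "timeBeforeExpiration=" + secs + " (no warning sent by server)");
    }

    /** Overload for the object the authentication handler actually receives. */
    public static Verdict inspect(AuthenticationResponse response, int warnWithinSeconds) {
        return inspect(response.getControls(), warnWithinSeconds);
    }

    public static void main(String[] args) {
        int warnWindow = 14 * 86400; // constructed: warn within the last 14 days

        // Constructed to mirror the control in the log above: no warning fields set.
        PasswordPolicyControl quiet = new PasswordPolicyControl();
        System.out.println(inspect(new ResponseControl[] { quiet }, warnWindow));

        // Constructed: server reports the password expires in 3 days.
        PasswordPolicyControl expiring = new PasswordPolicyControl();
        expiring.setTimeBeforeExpiration(3 * 86400);
        System.out.println(inspect(new ResponseControl[] { expiring }, warnWindow));

        // Constructed: password expired, two grace binds left.
        PasswordPolicyControl grace = new PasswordPolicyControl();
        grace.setGraceAuthNsRemaining(2);
        System.out.println(inspect(new ResponseControl[] { grace }, warnWindow));

        // Constructed: no ppolicy control came back at all.
        System.out.println(inspect(new ResponseControl[0], warnWindow));
    }
}
```

Two checks worth running against a real deployment. First, pick a test account whose pwdChangedTime puts it inside the server's pwdExpireWarning window and confirm the DEBUG line then shows a non-zero timeBeforeExpiration; if it still reads 0, the warning is being suppressed server-side, not by CAS. Second, the control appearing in DEBUG output is not the same as it being acted on: as I understand ldaptive 1.x and CAS 4, the LDAP handler builds its expiration warning from the account state that an ldaptive AuthenticationResponseHandler (such as PasswordPolicyAuthenticationResponseHandler) attaches to the response, so an Authenticator bean with no authenticationResponseHandlers configured will log the control and then discard it. That is my reading of those projects, not something this thread confirms.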
