Cool, I got it to connect to the global catalog port and I can authenticate against the parent and the child domain. However, when I add back in the <transition on="success" to="passwordPolicyCheck" /> I get the error message

SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.jasig.cas.web.flow.PasswordPolicyEnforcementAction@5d0b76b7 in state 'passwordPolicyCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause

I am able to switch back to the ldap port and it works, just only in the one domain. Is there a list of attributes that LPPE is looking for that I may need to add to the global catalog index? Or is there one of the password policy checks that I can just ignore?

Thanks again for all the help

From: John Gasper [mailto:[email protected]]
Sent: Monday, October 6, 2014 9:39 PM
To: [email protected]
Subject: Re: [cas-user] LPPE and multiple Domains

The Global Catalog is available by default on port 3268, 3269 for ldaps. See http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx. I think you can point to any (set of) DC(s) and be good. You'll likely need to play with filter & searchbase to get everything even.

On 10/6/14 4:40 PM, Stephen Meier wrote:

Just knowing that it will work helps a lot. Before trying to use LPPE, I was able to authenticate against both domains, but since the configuration for LPPE is considerably different I didn't have a clue as to where to define the additional domain. The two domains are in the same AD forest and the password policy will be the same for both. I will try to use a global catalog server to process the users for both domains. I am not really sure how to proceed on this. Perhaps I will go back into the documents.

From: John Gasper [mailto:[email protected]]
Sent: Monday, October 6, 2014 11:54 AM
To: [email protected]
Subject: Re: [cas-user] LPPE and multiple Domains

I'll respond to your question from a different angle than Misagh did... assuming you meant multiple AD domains, like student and staff being in different domains, but still an AD ldap.

There are issues with using LPPE against multiple AD domains (if the domains are in the same forest then the global catalog ldap connection can be used to potentially get around these limitations). The two places that I recall there being issues are if the urls to the self service password change application are different. LPPE gives you a single URL to configure. If each domain has its own self service password (re)set application then there is an issue.

The other is that the password expiration warning only works for a single domain. The reason is that AD doesn't actually have a user attribute that defines when a password expires. It is calculated based on when the password was last set and a value in the Group Policy. Upon successful authentication, the login-webflow.xml calculates when the expiration is due and presents a warning view to the user. The calculation doesn't know which authN source authenticated the user and will just use whichever one it is connected to in the lppe configuration. So if a username exists in both domains, then things get interesting depending upon the status of the account in both domains.

States/messages like locked account, must change password upon next login, bad workstation (if anyone actually uses it), etc. should work fine with multiple domains because the status is returned when the authn is tested against the ldap.

I hope that helps.

John

On 10/6/14 11:02 AM, Misagh Moayyed wrote:

For the most part, yes. It's merely tested against AD, but I know we have gotten it to work with OpenLdap as well with some mods. It really depends on your LDAP schema and what it's going to report back. At best, I think it's safe to say that non-AD deployments of LPPE with 3.5.2 do require mods to CAS and that portion that handles that stuff.

From: Stephen Meier [mailto:[email protected]]
Sent: Monday, October 6, 2014 10:12 AM
To: [email protected]
Subject: [cas-user] LPPE and multiple Domains

Good morning All,

I am trying to implement LPPE for CAS 3.5.2. It looks like if you want to use LPPE, you can only use one AD domain. Is this the case? I have been looking around and not finding much in terms of how to do this.

Regards,

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
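John's explanation of how the expiration warning is derived (AD has no per-user expiry attribute; the date is computed from when the password was last set plus the domain's maximum password age, so the result depends on which domain's policy the webflow happens to read) is shown below as an added worked example. It is not code from the thread, from CAS, or from LPPE. The attribute names pwdLastSet, userAccountControl and maxPwdAge, the FILETIME encoding and the UF_DONT_EXPIRE_PASSWD flag are real Active Directory conventions; the user entries, domain names, policy values, the 14-day warning window and the status labels returned by `evaluate` are constructed for this example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# AD stores pwdLastSet (and accountExpires) as an Int64 FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

UF_DONT_EXPIRE_PASSWD = 0x10000                 # userAccountControl: password never expires
NEVER_EXPIRES_MAX_PWD_AGE = -0x8000000000000000  # maxPwdAge sentinel: no domain-wide expiry


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert an AD Int64 timestamp to an aware UTC datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build constructed sample values."""
    return int((dt - WINDOWS_EPOCH).total_seconds()) * TICKS_PER_SECOND


def password_expiry(pwd_last_set: int, user_account_control: int,
                    max_pwd_age: int) -> Optional[datetime]:
    """Instant at which the password expires, or None if it never expires.

    Implements the calculation John describes: last-set time plus the domain's
    maxPwdAge. The caller handles pwdLastSet == 0 (AD's 'must change at next
    logon' marker) because there is no date to warn about in that state.
    """
    if user_account_control & UF_DONT_EXPIRE_PASSWD:
        return None
    if max_pwd_age == NEVER_EXPIRES_MAX_PWD_AGE:
        return None
    # maxPwdAge is stored as a negative interval in 100-ns ticks; negate it.
    return filetime_to_datetime(pwd_last_set) + timedelta(microseconds=(-max_pwd_age) // 10)


def evaluate(entry: dict, policy: dict, now: datetime, warn_days: int) -> dict:
    """Classify one user entry under one domain's policy, as a warning step would.

    The status labels are this example's own, not LPPE's.
    """
    if entry["pwdLastSet"] == 0:
        return {"status": "must_change", "days_left": None}
    expiry = password_expiry(entry["pwdLastSet"], entry["userAccountControl"],
                             policy["maxPwdAge"])
    if expiry is None:
        return {"status": "never_expires", "days_left": None}
    days_left = (expiry - now).days
    if expiry <= now:
        status = "expired"
    elif days_left <= warn_days:
        status = "warn"
    else:
        status = "ok"
    return {"status": status, "days_left": days_left, "expires": expiry.isoformat()}


def days_to_max_pwd_age(days: int) -> int:
    """Build a maxPwdAge value (negative 100-ns ticks) for a policy of N days."""
    return -days * 86400 * TICKS_PER_SECOND


# ---- constructed sample data (not from any real directory) ----
UTC = timezone.utc
SAMPLE_NOW = datetime(2014, 10, 7, tzinfo=UTC)
SAMPLE_USER = {                      # normal account (0x200), password set 2014-09-01
    "sAMAccountName": "jdoe",
    "pwdLastSet": datetime_to_filetime(datetime(2014, 9, 1, tzinfo=UTC)),
    "userAccountControl": 0x200,
}
MUST_CHANGE_USER = {"sAMAccountName": "newhire", "pwdLastSet": 0,
                    "userAccountControl": 0x200}
SERVICE_ACCOUNT = {"sAMAccountName": "svc-cas",
                   "pwdLastSet": SAMPLE_USER["pwdLastSet"],
                   "userAccountControl": 0x200 | UF_DONT_EXPIRE_PASSWD}
# Two domains of one forest with different maximum password ages: the same
# user entry yields a different answer depending on which policy is applied.
CHILD_DOMAIN_POLICY = {"name": "child.example.test", "maxPwdAge": days_to_max_pwd_age(90)}
PARENT_DOMAIN_POLICY = {"name": "example.test", "maxPwdAge": days_to_max_pwd_age(42)}

if __name__ == "__main__":
    for policy in (CHILD_DOMAIN_POLICY, PARENT_DOMAIN_POLICY):
        for user in (SAMPLE_USER, MUST_CHANGE_USER, SERVICE_ACCOUNT):
            print(policy["name"], user["sAMAccountName"],
                  evaluate(user, policy, SAMPLE_NOW, warn_days=14))
```

Run as a script it prints the same jdoe entry as "ok" under the 90-day child policy and as "warn" under the 42-day parent policy, which is the single-domain limitation John describes: whichever domain the warning step reads maxPwdAge from decides the outcome for every user, regardless of where they actually authenticated.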
