The passwordPolicyCheck makes a second call back to LDAP to grab info to determine if the password is about to expire.
Check out your configuration for "ldap.authentication.lppe.dateAttribute=". The value of the field is what it is trying to return; usually for AD it is "pwdlastset".

On 10/8/14 11:04 AM, Stephen Meier wrote:

> Cool, I got it to connect to the global catalog port and I can authenticate against the parent and the child domain. However, when I add back in the
>
>     <transition on="success" to="passwordPolicyCheck" />
>
> I get the error message
>
>     SEVERE: Servlet.service() for servlet [cas] in context with path [/cas] threw exception [Request processing failed; nested exception is org.springframework.webflow.execution.ActionExecutionException: Exception thrown executing org.jasig.cas.web.flow.PasswordPolicyEnforcementAction@5d0b76b7 in state 'passwordPolicyCheck' of flow 'login' -- action execution attributes were 'map[[empty]]'] with root cause
>
> I am able to switch back to the ldap port and it works, just only in the one domain.
>
> Is there a list of attributes that LPPE is looking for that I may need to add to the global catalog index? Or is there one of the password policy checks that I can just ignore?
>
> Thanks again for all the help
>
> From: John Gasper [mailto:[email protected]]
> Sent: Monday, October 6, 2014 9:39 PM
> To: [email protected]
> Subject: Re: [cas-user] LPPE and multiple Domains
>
> The Global Catalog is available by default on port 3268, 3269 for ldaps. See http://technet.microsoft.com/en-us/library/cc728188%28v=ws.10%29.aspx. I think you can point to any (set of) DC(s) and be good.
>
> You'll likely need to play with filter & searchbase to get everything even.
>
> On 10/6/14 4:40 PM, Stephen Meier wrote:
>
>> Just knowing that it will work helps a lot. Before trying to use LPPE, I was able to authenticate against both domains, but since the configuration for LPPE is considerably different I didn't have a clue as to where to define the additional domain.
>>
>> The two domains are in the same AD forest and the password policy will be the same for both. I will try to use a global catalog server to process the users for both domains. I am not really sure how to proceed on this. Perhaps I will go back into the documents.
>>
>> From: John Gasper [mailto:[email protected]]
>> Sent: Monday, October 6, 2014 11:54 AM
>> To: [email protected]
>> Subject: Re: [cas-user] LPPE and multiple Domains
>>
>> I'll respond to your question from a different angle than Misagh did... assuming you meant multiple AD domains, like student and staff being in different domains, but still an AD ldap.
>>
>> There are issues with using LPPE against multiple AD domains (if the domains are in the same forest then the global catalog ldap connection can be used to potentially get around these limitations). The two places that I recall there being issues are if the urls to the self service password change application are different. LPPE gives you a single URL to configure. If each domain has its own self service password (re)set application then there is an issue.
>>
>> The other is that the password expiration warning only works for a single domain. The reason is that AD doesn't actually have a user attribute that defines when a password expires. It is calculated based on when the password was last set and a value in the Group Policy. Upon successful authentication, the login-webflow.xml calculates when the expiration is due and presents a warning view to the user. The calculation doesn't know which authN source authenticated the user and will just use whichever one it is connected to in the lppe configuration. So if a username exists in both domains, then things get interesting depending upon the status of the account in both domains.
>>
>> States/messages like locked account, must change password upon next login, bad workstation (if anyone actually uses it), etc. should work fine with multiple domains because the status is returned when the authn is tested against the ldap.
>>
>> I hope that helps.
>>
>> John
>>
>> On 10/6/14 11:02 AM, Misagh Moayyed wrote:
>>
>>> For the most part, yes. It's merely tested against AD, but I know we have gotten it to work with OpenLdap as well with some mods. It really depends on your LDAP schema and what it's going to report back. At best, I think it's safe to say that non-AD deployments of LPPE with 3.5.2 do require mods to CAS and that portion that handles that stuff.
>>>
>>> From: Stephen Meier [mailto:[email protected]]
>>> Sent: Monday, October 6, 2014 10:12 AM
>>> To: [email protected]
>>> Subject: [cas-user] LPPE and multiple Domains
>>>
>>> Good morning All,
>>>
>>> I am trying to implement LPPE for CAS 3.5.2. It looks like if you want to use LPPE, you can only use one AD domain. Is this the case? I have been looking around and not finding much in terms of how to do this.
>>>
>>> Regards,

--
You are currently subscribed to [email protected] as: [email protected]
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
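The expiration calculation John describes (pwdLastSet plus the domain's Group Policy maximum password age), as an added Python example that is not from the thread or from CAS/LPPE itself: the domain names, policy values and dates are constructed, and the two-domain comparison shows why one LPPE connection can report a different expiry for the same user depending on which domain's policy it happened to read.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet as a FILETIME: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000      # userAccountControl: password never expires
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge value for "never expires"

def datetime_to_filetime(dt: datetime) -> int:
    """Aware datetime -> FILETIME ticks (used here to build sample values)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND

def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME ticks -> aware UTC datetime, via integer microseconds."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def password_expiry(pwd_last_set: int, max_pwd_age: int, uac: int = 0):
    """Expiry instant of a password, or None when it never expires.

    pwd_last_set is the user's pwdLastSet (0 = must change at next logon,
    reported as the FILETIME epoch, i.e. already expired); max_pwd_age is the
    domain's maxPwdAge, stored as a *negative* 100 ns interval.
    """
    if uac & ADS_UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return None
    if pwd_last_set == 0:
        return FILETIME_EPOCH
    # maxPwdAge is negative, so subtracting it adds the policy lifetime.
    return filetime_to_datetime(pwd_last_set - max_pwd_age)

def days_until_expiry(pwd_last_set: int, max_pwd_age: int, now: datetime, uac: int = 0):
    """Whole days left before expiry (floored, negative once past), or None."""
    expiry = password_expiry(pwd_last_set, max_pwd_age, uac)
    return None if expiry is None else (expiry - now).days

# Constructed sample: one pwdLastSet (2014-10-01) checked on 2014-10-08 against
# two forest domains whose Group Policy sets different maximum password ages.
SAMPLE_PWD_LAST_SET = datetime_to_filetime(datetime(2014, 10, 1, tzinfo=timezone.utc))
SAMPLE_NOW = datetime(2014, 10, 8, tzinfo=timezone.utc)
DOMAIN_POLICIES = {  # hypothetical domain names; maxPwdAge = -(days * 86400 * ticks/s)
    "parent.example": -42 * 86400 * TICKS_PER_SECOND,
    "child.example": -90 * 86400 * TICKS_PER_SECOND,
}

def warn_days_per_domain(pwd_last_set: int = SAMPLE_PWD_LAST_SET, now: datetime = SAMPLE_NOW):
    """Days remaining as each domain's policy would report for the same user."""
    return {d: days_until_expiry(pwd_last_set, age, now) for d, age in DOMAIN_POLICIES.items()}
```

A user present in both domains gets a 35-day warning under one policy and an 83-day one under the other, so the warning LPPE shows depends entirely on which domain the single configured connection reads.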
