Misagh,

I’m still looking into options for the UnboundID response modification.

Ldaptive’s documentation is lacking in the area of provider specification, at 
least for Spring.

Rather, it’s only mentioned as a JVM property setting: 
http://www.ldaptive.org/docs/guide/providers#TOC-UnboundID-Provider

If possible, I’d rather opt to configure this in the 
deployerConfigContext.xml. Is this possible? If so, how? I’ve tried a few 
different attempts to make this happen, but have been unsuccessful as yet.
--
Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University

From: Misagh Moayyed
Reply-To: "[email protected]"
Date: Tuesday, April 21, 2015 at 9:16 AM
To: "[email protected]"
Subject: RE: [cas-user] LPPE expired password flow

So it looks like, judging by your logs, that CAS is handling the error 
correctly. In both cases, the error that is returned from the authentication 
event is password-expired. This may be an issue with your UnboundID provider.

In your DefaultConnectionFactory, are you specifying the provider as UnboundID? 
That might help better translate the error for CAS.

From: Raymond Drew Walker [mailto:[email protected]]
Sent: Tuesday, April 21, 2015 8:47 AM
To: [email protected]
Subject: Re: [cas-user] LPPE expired password flow

Misagh,

The answer to your first question is yes.

Our authn source is LDAP (UnboundID).

The login-webflow.xml is stock, so there is no transition config to post (unless 
I’m misunderstanding your request).

From what I can tell from the logs, the difference between the two scenarios is 
only contained in the extended LDAP response information, not in any response codes.

The logs look something like this:

Good password & Expired (note: "LDAP: error code 49 - Rejecting a bind request 
for user X=X,ou=people,dc=nau,dc=edu because that user's password is expired")
2015-04-08 13:34:36,777 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
 ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], 
accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null,
 accountErrors=[PASSWORD_EXPIRED]], result=false, 
resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: 
[LDAP: error code 49 - Rejecting a bind request for user 
X=X,ou=people,dc=nau,dc=edu because that user's password is expired], 
controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false,
 timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-08 13:34:36,778 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password 
policy to 
[org.ldaptive.auth.AuthenticationResponse@1168138181::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
 ldapEntry=[dn=naueduregid=X,ou=people,dc=nau,dc=edu[]], 
accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@602907193::accountWarnings=null,
 accountErrors=[PASSWORD_EXPIRED]], result=false, 
resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: 
[LDAP: error code 49 - Rejecting a bind request for user 
X=X,ou=people,dc=nau,dc=edu because that user's password is expired], 
controls=[[org.ldaptive.control.PasswordPolicyControl@1215014544::criticality=false,
 timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-08 13:34:36,778 DEBUG 
[org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling 
PASSWORD_EXPIRED

Bad password & Expired (note: "LDAP: error code 49 - The password provided by 
the user did not match any password(s) stored in the user's entry")
2015-04-14 13:51:06,204 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - LDAP response: 
[org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
 ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], 
accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null,
 accountErrors=[PASSWORD_EXPIRED]], result=false, 
resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: 
[LDAP: error code 49 - The password provided by the user did not match any 
password(s) stored in the user's entry], 
controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false,
 timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-14 13:51:06,205 DEBUG 
[org.jasig.cas.authentication.LdapAuthenticationHandler] - Applying password 
policy to 
[org.ldaptive.auth.AuthenticationResponse@1179554844::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE,
 ldapEntry=[dn=X=X,ou=people,dc=nau,dc=edu[]], 
accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1356717651::accountWarnings=null,
 accountErrors=[PASSWORD_EXPIRED]], result=false, 
resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: 
[LDAP: error code 49 - The password provided by the user did not match any 
password(s) stored in the user's entry], 
controls=[[org.ldaptive.control.PasswordPolicyControl@448359676::criticality=false,
 timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]
2015-04-14 13:51:06,206 DEBUG 
[org.jasig.cas.authentication.support.DefaultAccountStateHandler] - Handling 
PASSWORD_EXPIRED

I’m currently looking into our LDAP config options to see if anything can be 
tweaked to provide more info to LPPE.
--
Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University

From: Misagh Moayyed
Reply-To: "[email protected]"
Date: Tuesday, April 21, 2015 at 12:33 AM
To: "[email protected]"
Subject: Re: [cas-user] LPPE expired password flow

So what you are saying is, regardless of the password, if the account has an 
expired status you are redirected to the expired-password screen?

This is strange. I don’t think account status can be determined without first 
fully authenticating the user. What is your authn source? Could you share your 
transitions configuration and the logs?

- Misagh

On Apr 20, 2015, at 11:42 PM, Raymond Drew Walker 
<[email protected]> wrote:

All,

Noticing interesting default behavior for logins with expired passwords that 
are also using incorrect passwords (neither expired nor valid). The user is 
still transitioned to the casExpiredPassView.url.

Is this expected behavior for users entering bad passwords?

I suppose this behavior could allow for users attempting to scrape user logins 
for expired users as part of a larger vector of attack (social, etc.)

Is there a preferred method to correct this behavior so as not to reveal the 
existence of an account when an incorrect password is used?

I have not checked this behavior for the password warning or other 
“handleAuthenticationFailure” transitions.
--
Raymond Walker
Software Systems Engineer StSp.
ITS Northern Arizona University
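The two log excerpts above show the core of the problem: in both the good-password and the bad-password case the UnboundID server returns resultCode INVALID_CREDENTIALS with a PasswordPolicyControl error of PASSWORD_EXPIRED, and the only thing that differs is the diagnostic text inside the message. A handler that keys solely on the control therefore sends wrong-password attempts to the expired-password view, which is what makes the account-enumeration concern in the original question real. The following script is an added example, not code from CAS, ldaptive or anyone in this thread. It parses the ldaptive AuthenticationResponse string as it appears in CAS DEBUG output, and applies the check a defender would want: surface PASSWORD_EXPIRED only when the server's diagnostic says the bind failed because of expiry rather than a mismatch. The phrases it matches on ("password is expired", "did not match") are the UnboundID wording quoted in the thread, so they are an assumption tied to that server; the three sample records are constructed (with placeholder DNs and object ids) to mirror the page's two cases plus a plain wrong-password case, and the audit() helper counts how often an existing deployment would have leaked account state.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Patterns over the ldaptive AuthenticationResponse toString() as CAS logs it.
# Note "resultCode=" is matched case-sensitively, so the earlier
# "authenticationResultCode=" field is not picked up by mistake.
_RESULT_CODE = re.compile(r"resultCode=([A-Z_]+)")
_ACCOUNT_ERRORS = re.compile(r"accountErrors=\[([A-Z_, ]*)\]")
_MESSAGE = re.compile(r"message=(.*?), controls=", re.S)
_LDAP_CODE = re.compile(r"LDAP: error code (\d+)")

# Server-specific diagnostic wording observed in the thread (assumption: UnboundID).
_EXPIRED_PHRASE = "password is expired"
_MISMATCH_PHRASE = "did not match"


@dataclass
class LdapAuthResponse:
    result_code: str
    ldap_error_code: Optional[int]
    diagnostic: str
    account_errors: List[str] = field(default_factory=list)


def parse_response(log_record: str) -> LdapAuthResponse:
    """Extract the fields relevant to password-policy handling from one log record."""
    code_m = _RESULT_CODE.search(log_record)
    msg_m = _MESSAGE.search(log_record)
    err_m = _ACCOUNT_ERRORS.search(log_record)
    diagnostic = msg_m.group(1) if msg_m else ""
    ldap_m = _LDAP_CODE.search(diagnostic)
    errors = [e.strip() for e in err_m.group(1).split(",") if e.strip()] if err_m else []
    return LdapAuthResponse(
        result_code=code_m.group(1) if code_m else "UNKNOWN",
        ldap_error_code=int(ldap_m.group(1)) if ldap_m else None,
        diagnostic=diagnostic,
        account_errors=errors,
    )


def password_was_verified(resp: LdapAuthResponse) -> bool:
    """True only when the diagnostic attributes the failure to expiry, not a mismatch.
    Without this the PasswordPolicyControl alone cannot tell the two cases apart."""
    return _EXPIRED_PHRASE in resp.diagnostic and _MISMATCH_PHRASE not in resp.diagnostic


def should_show_expired_view(resp: LdapAuthResponse) -> bool:
    """Transition to the expired-password view only for a verified-but-expired password;
    everything else gets the generic authentication failure so account state is not leaked."""
    return "PASSWORD_EXPIRED" in resp.account_errors and password_was_verified(resp)


def audit(log_records: List[str]) -> Dict[str, int]:
    """Classify each record the way a control-only handler versus this check would treat it."""
    counts = {"expired_shown": 0, "state_leak_on_bad_password": 0, "generic_failure": 0}
    for rec in log_records:
        r = parse_response(rec)
        if "PASSWORD_EXPIRED" not in r.account_errors:
            counts["generic_failure"] += 1
        elif password_was_verified(r):
            counts["expired_shown"] += 1
        else:
            counts["state_leak_on_bad_password"] += 1  # control says expired, password was wrong
    return counts


# Constructed sample records modelled on the thread's log format (placeholder DNs/ids).
_PREFIX = ("2015-04-08 13:34:36,777 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] "
           "- LDAP response: [org.ldaptive.auth.AuthenticationResponse@1::"
           "authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, "
           "ldapEntry=[dn=uid=alice,ou=people,dc=example,dc=edu[]], ")
_EXPIRED_STATE = ("accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@2::"
                  "accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], ")
_CONTROLS = (", controls=[[org.ldaptive.control.PasswordPolicyControl@3::criticality=false, "
             "timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]")
SAMPLE_RECORDS = [
    # good password, expired account
    _PREFIX + _EXPIRED_STATE + "result=false, resultCode=INVALID_CREDENTIALS, "
    "message=javax.naming.AuthenticationException: [LDAP: error code 49 - Rejecting a bind "
    "request for user uid=alice,ou=people,dc=example,dc=edu because that user's password "
    "is expired]" + _CONTROLS,
    # wrong password, expired account: control still says PASSWORD_EXPIRED
    _PREFIX + _EXPIRED_STATE + "result=false, resultCode=INVALID_CREDENTIALS, "
    "message=javax.naming.AuthenticationException: [LDAP: error code 49 - The password "
    "provided by the user did not match any password(s) stored in the user's entry]" + _CONTROLS,
    # wrong password, account not expired: no policy error at all
    _PREFIX + "accountState=null, result=false, resultCode=INVALID_CREDENTIALS, "
    "message=javax.naming.AuthenticationException: [LDAP: error code 49 - The password "
    "provided by the user did not match any password(s) stored in the user's entry], controls=[]]",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(should_show_expired_view(parse_response(rec)))
    print(audit(SAMPLE_RECORDS))
```

Running audit() over a day of CAS DEBUG logs gives a direct measure of how many wrong-password attempts were answered with the expired-password view; a non-zero state_leak_on_bad_password count is the signal that the account-state handler needs the extra check (or that the directory should stop attaching the policy error to mismatched binds).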

--

You are currently subscribed to 
[email protected] as: 
[email protected]

To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user