I'm trying to get LPPE working with the new CAS 4.0 server, but am finding that the policies don't seem to be enforced, even though I have set the maximum password age (on the AD side) to 1 day.

My question: is this a misconfiguration on my part (CAS), or a problem with the AD server not sending the proper details to Ldaptive? And what else can I do to troubleshoot and determine where the communication is breaking down? The AD server is Windows Server 2012 R2.

My *cas.properties* file for LPPE is as follows:

password.policy.warnAll=true
password.policy.warningDays=14

*Catalina.out*

My test user successfully logs in but is not warned that the password is about to expire:

2015-07-23 11:59:17,714 DEBUG [org.jasig.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [org.ldaptive.auth.AuthenticationResponse@1485195938::authenticationResultCode=AUTHENTICATION_HANDLER_SUCCESS, ldapEntry=[dn=CN=CAS Tester 55508,ou=fuller,DC=id,DC=fuller,DC=edu[[lastLogonTimestamp[130820850247901100]], [countryCode[0]], [givenName[CAS]], [whenChanged[20150723003024.0Z]], [memberOf[CN=castest,OU=groups,OU=fuller,DC=id,DC=fuller,DC=edu, CN=LibraryMembers,OU=groups,OU=fuller,DC=id,DC=fuller,DC=edu]], [instanceType[0]], [codePage[0]], [dSCorePropagationData[16010101000000.0Z]], [uSNCreated[1223840]], [uSNChanged[1223840]], [badPwdCount[0]], [whenCreated[20150723002824.0Z]], [description[CAS]], [name[CAS Tester 55508]], [objectCategory[CN=Person,CN=Schema,CN=Configuration,DC=id,DC=fuller,DC=edu]], [objectClass[organizationalPerson, person, user, top]], [mail[ [email protected]]], [sn[Tester]], *[userAccountControl[512]]*, [sAMAccountType[805306368]], *[pwdLastSet[130820850169765345]]*, [badPasswordTime[0]], [distinguishedName[CN=CAS Tester 55508,OU=fuller,DC=id,DC=fuller,DC=edu]], [cn[CAS Tester 55508]], [primaryGroupID[513]], [sAMAccountName[castester]], [objectSid[^A^E^@^@^@^@^@^E^U^@^@^@��^Z2�Zy<��^_Uz^F^@^@]], [accountExpires[130961088000000000]], [userPrincipalName[ [email protected]]], [objectGUID[Rءџ��O�8jRIP^W�]], [displayName[CAS Tester 55508]]], *responseControls=null*, messageId=-1], *accountState=null*, result=true, resultCode=SUCCESS, message=null, controls=null]>
2015-07-23 11:59:17,714 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - *<Account state not defined>*
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - <Handling null>
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - <No LDAP error mapping defined for null>
2015-07-23 11:59:17,715 DEBUG [org.jasig.cas.authentication.support.DefaultAccountStateHandler] - <Account state warning not defined>

--
*Michael Seiler*
Systems Integration Engineer
Fuller Theological Seminary
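The log above shows *responseControls=null* and *accountState=null* on a successful bind. Active Directory does not return a password-policy response control the way OpenLDAP does, so a client that wants to warn about expiry has to derive it itself from the entry's *pwdLastSet* (a Windows FILETIME), the *userAccountControl* flags and the domain's maximum password age, which AD also does not send in the bind response. The Python below is an added example, not code from the thread, CAS or Ldaptive; it performs that computation on the attribute values copied from the log entry, with the 1-day maximum age and warningDays=14 taken from the message. The login timestamp is assumed to be US Pacific (UTC-7), which is a guess about the poster's time zone.

```python
from datetime import datetime, timedelta, timezone

# AD stores pwdLastSet/accountExpires as FILETIME: 100-ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# userAccountControl flag bit meaning "password never expires"
DONT_EXPIRE_PASSWD = 0x10000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert an AD FILETIME integer to a timezone-aware UTC datetime."""
    # integer division by 10 turns 100-ns ticks into microseconds without float loss
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def password_state(entry: dict, max_pwd_age: timedelta, warning_days: int, now: datetime):
    """Classify an entry's password as never_expires / must_change / expired / warn / ok.

    Returns (state, expiry_or_None). This is the work a client has to do itself
    against AD, since AD sends no password-policy response control to read.
    """
    uac = int(entry.get("userAccountControl", 0))
    if uac & DONT_EXPIRE_PASSWD:
        return "never_expires", None
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if pwd_last_set == 0:
        # pwdLastSet of 0 means "user must change password at next logon"
        return "must_change", None
    expiry = filetime_to_datetime(pwd_last_set) + max_pwd_age
    remaining = expiry - now
    if remaining <= timedelta(0):
        return "expired", expiry
    if remaining <= timedelta(days=warning_days):
        return "warn", expiry
    return "ok", expiry


# Constructed sample: attribute values copied from the log entry in the message above
SAMPLE_ENTRY = {
    "sAMAccountName": "castester",
    "userAccountControl": "512",            # NORMAL_ACCOUNT, DONT_EXPIRE_PASSWD not set
    "pwdLastSet": "130820850169765345",
    "accountExpires": "130961088000000000",
}

# Assumption: the log's local timestamp 2015-07-23 11:59:17 is US Pacific (UTC-7)
LOGIN_TIME = datetime(2015, 7, 23, 11, 59, 17, tzinfo=timezone(timedelta(hours=-7)))


def sample_state(max_age_days: int = 1, warning_days: int = 14, **overrides):
    """Evaluate the sample entry (optionally with overridden attributes).

    Defaults match the 1-day AD maximum age and warningDays=14 from the message.
    """
    entry = {**SAMPLE_ENTRY, **overrides}
    return password_state(entry, timedelta(days=max_age_days), warning_days, LOGIN_TIME)


if __name__ == "__main__":
    state, expiry = sample_state()
    print("password set:   ", filetime_to_datetime(int(SAMPLE_ENTRY["pwdLastSet"])))
    print("account expires:", filetime_to_datetime(int(SAMPLE_ENTRY["accountExpires"])))
    print("state:", state, "password expiry:", expiry)
```

With the 1-day policy the sample password was set at 00:30:16 UTC on 2015-07-23 and expires about five and a half hours after the logged login, so a warning is due; the default handler in the log never reaches that conclusion because it only looks at the (absent) response control. For CAS with Ldaptive against AD this means the AD-specific response handler (org.ldaptive.auth.ext.ActiveDirectoryAuthenticationResponseHandler) has to be wired in with the domain's maximum password age configured on the CAS side rather than relying on the generic password-policy control handling.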
