Dear All,

Using tcpdump I was able to see that the CAS server is actually sending the request 5 times, which causes the Active Directory account to get locked up.

My CAS configuration (deployerConfigContext.xml) looks like this (it may be found here as well: http://pastebin.ca/1059708):

    <bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
        <property name="filter" value="sAMAccountName=%u" />
        <property name="searchBase" value="OU=A,DC=B,DC=C,DC=D" />
        <property name="contextSource" ref="contextSource" />
        <property name="ignorePartialResultException" value="yes" />
    </bean>

    [...]

    <bean id="contextSource" class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="authenticatedReadOnly" value="true" />
        <property name="userName" value="xxxxxxxxx" />
        <property name="password" value="yyyyyyyyy" />
        <property name="urls">
            <list>
                <value>ldap://10.123.8.47:389</value>
                <value>ldap://10.123.8.46:389</value>
                <value>ldap://10.130.0.45:389</value>
                <value>ldap://10.100.0.45:389</value>
                <value>ldap://10.190.0.45:389</value>
            </list>
        </property>
        <property name="baseEnvironmentProperties">
            <map>
                <entry>
                    <key><value>java.naming.security.authentication</value></key>
                    <value>simple</value>
                </entry>
            </map>
        </property>
    </bean>

I have tried setting "ignorePartialResultException" to "no", with the same results (i.e. CAS sends 5 consecutive invalid requests which causes the AD account to get locked up).

Is there any setting to control this?

thanks,
unai

> Dear All,
>
> I have set up CAS with an Active Directory backend. The CAS server details
> are:
>
> - CAS version 3.0.5
> - OS: Debian Linux 3.1 (Sarge)
> - Tomcat version 5.5.23
>
> The Active Directory has some rules set (which are meant to be kept) which
> lock up accounts that attempt to login providing the wrong password 5
> consecutive times.
>
> The issue is that if I provide the wrong password through CAS login page,
> my AD account will be locked (i.e. with only one failed attempt).
>
> 1) Is this behavior expected/normal?
> 2) How can I tweak/change this?
>
> Thank you so much,
> unai

_______________________________________________
Yale CAS mailing list
http://tp.its.yale.edu/mailman/listinfo/cas
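
Added example, not part of the original post and not CAS code: a Python simulation of one way a single wrong password can turn into five failed binds. It assumes (the post does not confirm this) that the context source moves on to the next configured URL after an invalid-credentials error and that all five servers feed one lockout counter; the class and function names are hypothetical, the URLs are the ones in the configuration above, and the passwords are constructed.

```python
INVALID_CREDENTIALS = 49   # LDAP resultCode invalidCredentials (RFC 4511)
LOCKOUT_THRESHOLD = 5      # lockout policy described in the post
URLS = ["ldap://10.123.8.47:389", "ldap://10.123.8.46:389", "ldap://10.130.0.45:389",
        "ldap://10.100.0.45:389", "ldap://10.190.0.45:389"]  # from the posted config

class LdapError(Exception):
    def __init__(self, code):
        super().__init__(f"LDAP result code {code}")
        self.code = code

class SimulatedDomain:
    """Constructed stand-in for the AD domain: one shared bad-password counter (assumption)."""
    def __init__(self, password, unreachable=()):
        self.password = password
        self.unreachable = set(unreachable)
        self.bad_password_count = 0
        self.locked = False
        self.binds_seen = 0

    def bind(self, url, password):
        if url in self.unreachable:
            raise ConnectionError(url)          # server down, no bind is evaluated
        self.binds_seen += 1
        if not self.locked and password == self.password:
            self.bad_password_count = 0
            return True
        self.bad_password_count += 1
        self.locked = self.locked or self.bad_password_count >= LOCKOUT_THRESHOLD
        raise LdapError(INVALID_CREDENTIALS)

def authenticate(domain, urls, password, retry_on_bad_credentials):
    """Try each URL in order; the flag selects the assumed (True) or the safe (False) behaviour."""
    for url in urls:
        try:
            return domain.bind(url, password)
        except ConnectionError:
            continue                            # unreachable server: failover is legitimate
        except LdapError as err:
            if err.code == INVALID_CREDENTIALS and not retry_on_bad_credentials:
                return False                    # the directory answered; do not ask again
    return False

def attempt_wrong_password(retry_on_bad_credentials):
    """One login with a wrong password; returns (authenticated, binds sent, account locked)."""
    domain = SimulatedDomain(password="constructed-correct")
    ok = authenticate(domain, URLS, "constructed-wrong", retry_on_bad_credentials)
    return ok, domain.binds_seen, domain.locked

if __name__ == "__main__":
    print("retry on bad credentials:", attempt_wrong_password(True))
    print("stop on bad credentials: ", attempt_wrong_password(False))
```

Comparing the number of bind requests in a tcpdump capture against the number of configured URLs, for a single wrong-password login, is a quick way to check whether this assumption matches the deployment.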
