Dear All,

Using tcpdump I was able to see that the CAS server is actually sending the
request 5 times, which causes the Active Directory account to get locked
up.

My CAS configuration (deployerConfigContext.xml) looks like this (it may be
found here as well: http://pastebin.ca/1059708):

<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler" >
        <property name="filter" value="sAMAccountName=%u" />
        <property name="searchBase" value="OU=A,DC=B,DC=C,DC=D" />
        <property name="contextSource" ref="contextSource" />
        <property name="ignorePartialResultException" value="yes" />
</bean>

[...]

<bean id="contextSource"
class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
        <property name="authenticatedReadOnly" value="true" />
        <property name="userName" value="xxxxxxxxx" />
        <property name="password" value="yyyyyyyyy" />
        <property name="urls">
                <list>
                        <value>ldap://10.123.8.47:389</value>
                        <value>ldap://10.123.8.46:389</value>
                        <value>ldap://10.130.0.45:389</value>
                        <value>ldap://10.100.0.45:389</value>
                        <value>ldap://10.190.0.45:389</value>
                </list>
        </property>
        <property name="baseEnvironmentProperties">
                <map>
                        <entry>
                                <key><value>java.naming.security.authentication</value></key>
                                <value>simple</value>
                        </entry>
                </map>
        </property>
</bean>

I have tried setting "ignorePartialResultException" to "no", with the same
results (i.e. CAS sends 5 consecutive invalid requests, which causes the AD
account to get locked up).

Is there any setting to control this?

thanks,
unai


> Dear All,
> 
> I have set up CAS with an Active Directory backend. The CAS server details
> are:
> 
> - CAS version 3.0.5
> - OS: Debian Linux 3.1 (Sarge)
> - Tomcat version 5.5.23
> 
> The Active Directory has some rules set (which are meant to be kept) which
> lock up accounts that attempt to log in providing the wrong password 5
> consecutive times.
> 
> The issue is that if I provide the wrong password through the CAS login page,
> my AD account will be locked (i.e. with only one failed attempt).
> 
> 1) Is this behavior expected/normal?
> 2) How can I tweak/change this?
> 
> Thank you so much,
> unai

_______________________________________________
Yale CAS mailing list
[email protected]
http://tp.its.yale.edu/mailman/listinfo/cas
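The configuration above lists five LDAP URLs and tcpdump shows five bind attempts per login; the simulation below (added here, not CAS code, and not a confirmed diagnosis of the thread) shows how a failover loop that moves to the next server on *any* error turns one wrong password into one failed bind per URL, while a loop that fails over only on connectivity errors keeps it at one. The directory, lockout threshold of 5 and URL list are taken from the thread; the bind strategies and exception names are constructed for illustration.

```python
from dataclasses import dataclass


class LdapUnavailable(Exception):
    """Server could not be reached (network/connection error)."""


class InvalidCredentials(Exception):
    """Server reached, bind rejected (wrong password)."""


LOCKOUT_THRESHOLD = 5  # AD lockout rule from the thread: 5 consecutive failures

# Server list from the deployerConfigContext.xml in the thread
URLS = ["ldap://10.123.8.47:389", "ldap://10.123.8.46:389", "ldap://10.130.0.45:389",
        "ldap://10.100.0.45:389", "ldap://10.190.0.45:389"]


@dataclass
class FakeDomain:
    """Constructed stand-in for a replicated AD domain: every DC shares one lockout counter."""
    password: str
    reachable: frozenset
    failed_binds: int = 0

    def bind(self, url, password):
        if url not in self.reachable:
            raise LdapUnavailable(url)
        if password != self.password:
            self.failed_binds += 1  # replicated badPwdCount, regardless of which DC saw it
            raise InvalidCredentials(url)
        return True

    def locked(self):
        return self.failed_binds >= LOCKOUT_THRESHOLD


def bind_naive_failover(domain, urls, password):
    """Try the next URL on any failure, so a wrong password is retried on every server."""
    for url in urls:
        try:
            return domain.bind(url, password)
        except (LdapUnavailable, InvalidCredentials):
            continue
    return False


def bind_connectivity_failover(domain, urls, password):
    """Move to the next URL only when a server is unreachable; a rejected bind is final."""
    for url in urls:
        try:
            return domain.bind(url, password)
        except LdapUnavailable:
            continue
        except InvalidCredentials:
            return False
    return False


def failed_binds_after_one_login(strategy, reachable=frozenset(URLS)):
    """Run one login with a wrong password; return (failed binds recorded, account locked?)."""
    domain = FakeDomain(password="correct-horse", reachable=reachable)
    strategy(domain, URLS, "wrong-password")
    return domain.failed_binds, domain.locked()
```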
