Cas 6.2 - Implmentation of Custom Password Policy for JDBC Authentication

[Ritesh Tripathi]

Hello All,

We have a requirement that "after 5 unsuccessful login attempts - we need to lock the account for a day for the said user."

We are having a JDBC Authentication.

We were just curious if anyone has implemented custom password policy using groovy scripts or some other method for requirements as above.

The CAS documentation - seems to be specific for LDAP and other cases. Was not able to get more information on JDBC.

https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties-Common.html#password-policy-settings

Will the groovy script method as given in above documentation link work for JDBC as well ? Any comments or points to implement the above type and similar requirements.

Best Regards

R

[King, Robert]

I believe that the JDBC password policy settings are in the database authentication settings:

 

https://apereo.github.io/cas/6.2.x/configuration/Configuration-Properties.html#database-authentication

 

Specifically         

 

# cas.authn.jdbc.query[0].field-expired=

# cas.authn.jdbc.query[0].field-disabled=

 

Where both queries determine if an account is expired or disabled.

 

I am not certain, but I think you need a separate system, other than CAS, to expire and disable accounts in JDBC.

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/33d653bb-392c-457e-9d4b-b86785e2b26cn%40apereo.org.

[Ritesh Tripathi]

Updating this thread so that this may be useful to others:

A. Started Using ApacheDS - https://directory.apache.org/apacheds/ as LDAP Server on windows machine.

B. Delegated all the password policy constraints to ApacheDS. The apache DS can be administered via Apache Directory Studio and didn't do any implementation of custom code for implementing the same thing in JDBC.

C. CAS worked wonderfully with LDAP authentication - including password update in LDAP at the time of password expiry etc.

Thank you

[Chun-Yao Wang]

Dear Ritesh Tripathi:

    I have the same requirement with you.

    I  neet to  "Lock user account for 30min after 3 unsuccessful login attempts"

    Could you give me more detail about how to configure ApereoCAS + ApacheDS to achieve the requirements

?

    Great Thanks!!

Ritesh Tripathi 在 2020年11月19日 星期四上午12:45:13 [UTC+8] 的信中寫道：

[Ritesh Tripathi]

Dear Chun-Yao,

Apache DS is LDAP Server. In all LDAP Server - including the implementation of LDAP by Microsoft - which is called Active Directory - have the feature of Password Policies. [Pl see - https://ldapwiki.com/wiki/Password%20Policy]

Apache DS also offers the password policy ;complying to the Draft Specifications of Password Policy - https://ldapwiki.com/wiki/Draft-behera-ldap-password-policy

These can be easily configured in the Directory Studio Admin - by opening the configuration file - going to Password Policies Tab. Pl see the screenshot enclosed below [red indicates the parameters in your case to be added to the system].

The CAS properties that i used for getting the application up and running are given below. [version 6.2.x for CAS].

#########local LDAP Connection String for authentication using the Managers Bind Tested as OK on localhost.#################
cas.authn.ldap[0].ldapUrl=ldap://localhost:389/
cas.authn.ldap[0].bindDn=uid=admin,ou=system
cas.authn.ldap[0].bindCredential=xxxx

cas.authn.ldap[0].poolPassivator=BIND
#cas.authn.ldap[0].connectionStrategy=DEFAULT
#cas.authn.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
cas.authn.ldap[0].type=AUTHENTICATED
#cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].baseDn=dc=tbitslocal,dc=com
cas.authn.ldap[0].subtreeSearch=true
cas.authn.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
cas.authn.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile,ou
cas.authn.ldap[0].minPoolSize=3
cas.authn.ldap[0].maxPoolSize=10
cas.authn.ldap[0].blockWaitTime=PT3S
#cas.authn.ldap[0].useSsl=false
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].responseTimeout=PT5S
cas.authn.ldap[0].allowMultipleDns=false
cas.authn.ldap[0].allowMultipleEntries=false
cas.authn.ldap[0].followReferrals=false
cas.authn.ldap[0].name=localhostLDAP

#################LDAP Password Policy##############################
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=5
#cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
#cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=1
cas.authn.ldap[0].passwordPolicy.accountStateHandlingEnabled=true


#############Properties for LDAP Password Management############
cas.authn.pm.ldap[0].type=GENERIC
cas.authn.pm.ldap[0].username-attribute=uid
cas.authn.pm.ldap[0].ldapUrl=ldap://localhost:389/
cas.authn.pm.ldap[0].bindDn=uid=admin,ou=system
cas.authn.pm.ldap[0].bindCredential=xxxx
cas.authn.pm.ldap[0].poolPassivator=BIND
cas.authn.pm.ldap[0].connectionStrategy=RANDOM
cas.authn.pm.ldap[0].connect-timeout=PT5S
#cas.authn.pm.ldap[0].providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider
#cas.authn.pm.ldap[0].type=AUTHENTICATED
#cas.authn.pm.ldap[0].useSsl=false
cas.authn.pm.ldap[0].useStartTls=false
cas.authn.pm.ldap[0].baseDn=dc=tbitslocal,dc=com
cas.authn.pm.ldap[0].subtreeSearch=true
cas.authn.pm.ldap[0].searchFilter=(&(objectClass=person)(uid={user}))
#cas.authn.pm.ldap[0].principalAttributeList=sn,cn:commonName,displayName,l,o,postalAddress,mail,mobile
cas.authn.pm.ldap[0].minPoolSize=3
cas.authn.pm.ldap[0].maxPoolSize=10
cas.authn.pm.ldap[0].blockWaitTime=PT3S
#cas.authn.pm.ldap[0].useSsl=false
cas.authn.pm.ldap[0].useStartTls=false
cas.authn.pm.ldap[0].responseTimeout=PT5S
cas.authn.pm.ldap[0].allowMultipleDns=false
cas.authn.pm.ldap[0].allowMultipleEntries=false
cas.authn.pm.ldap[0].followReferrals=false
cas.authn.pm.ldap[0].name=localhostLDAP_PM_Feature

#######################

Some words of advice - to save time

1. While dealing with LDAP - pl test all your settings using the commandline first before using them for configuration in CAS. Execute the basic commands etc  "ldapsearch" using your settings - first using the command line to ensure that your connections and values are working - before filling in the CAS properties as applicable in your case.

2. Pll don't blindly copy paste cas properties - think and understand what you are doing.

3. The only constraint that faced was that at the time of :"forget username" or "forget password" - there can be only be a single search query that can be defined - if you integrate with LDAP as against JDBC, where you can define 2 different queries - one for getting usename and another for fetching the email address etc. I overcame the above constraint - but setting the username = email , for my use case.

4. Before implementing a Directory Services as LDAP / ApacheDS - think if you already have access to your LDAP or any other directory services internally. All Standard Directory Services will offer you Password Policies Features, better use them before introducing a new software in your organization.

Please feel free to contact me - if you have any further questions.

Best Regards & Best Wishes for New Year 2021!

Ritesh Tripathi

[Chun-Yao Wang]

Dear Ritesh Tripathi:

     I’m very grateful for your speedy reply, this is the best New Year gift I have got!!

     Before I read you post, it never came to my mind that the password policy can be set in LDAP.

     I am using the CAS6.0+OpenLdap on Ubuntu server, I will try your suggestion and test it.

     

     Could you allow me to ask some more question?

1. Can CAS show a "Account Locked due to too much attempt" message to user when the user's account was lock?
2. Can I redirect the user to my specific url when the user password is expired?

     Thank you so much for your reply!

     Best Regards & Best Wishes for New Year 2021!

     Sincerely

     Chunyao Wang.

Ritesh Tripathi 在 2020年12月31日 星期四下午11:55:31 [UTC+8] 的信中寫道：

[Ritesh Tripathi]

Dear Chun-Yao,

1. OpenLDAP offers Password policy implementation - pl see https://tobru.ch/openldap-password-policy-overlay/. You don't need to opt for Apache-DS as you already have openLDAP.

2. The CAS interacts with LDAP server using the standard - ldaptive java library. https://www.ldaptive.org/

3. The error codes - that are given by the LDAP Server - are translated to the end user messages inside CAS. Pl have a look at messages.properties file inside CAS [you can get this file either by gradlew explodewar command or equivalent or this file is inside tomcat\webapps\cas\WEB-INF\classes path, its advisable that you follow overlay standards and keep this separate like your application.properties file.] and customize the messages as per your requirements [that you want the user to see]. The concerned properties are

authenticationFailure.AccountDisabledException=This account has been disabled.
authenticationFailure.AccountLockedException=This account has been locked.
authenticationFailure.AccountExpiredException=This account has expired and is forbidden to login at this time.
authenticationFailure.CredentialExpiredException=Your password has expired.

There are many more - pl see the authentication failure messages section in the messages.properties.

Now - when you are giving the messages - all HTML Tags are supported.

Example -  This account has been locked ....BLA...BLA.....BLA . Visit -  <a href="http://www.abc.com">Identity server self service</a> to take corrective actions. 

So - please customize the messages as per your requirements and your job should be done. The above will possibly be the easiest method for implementation of your use cases.

Best Regards

Ritesh Tripathi

[Chun-Yao Wang]

Dear Ritesh Tripathi:

     Thank you again for such a wonderful reply.

     Now I have idea how to solve my problem.

     Wishing you and yours a safe, healthy, and prosperous new year!

 Sincerely

Chunyao Wang

Ritesh Tripathi 在 2021年1月1日 星期五下午4:01:04 [UTC+8] 的信中寫道：