CAS 5.2.3 - Password Management and Active Directory password history policy


Bruno ELIE

Mar 21, 2018, 7:14:02 AM3/21/18
to CAS Community
Hi,
I'm using CAS 5.2.3 and the LDAP password management module against an Active Directory with a Password Settings Object (PSO) enabled on a security group to have a password history strategy. The bind account has the rights to modify and reset the password of users' accounts.
Here's the password management config:

cas.authn.pm.enabled=true
cas.authn.pm.ldap.type=AD
cas.authn.pm.ldap.ldapUrl=ldaps://my-domain.fr
cas.authn.pm.ldap.useSsl=true
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=adm,dc=my-domain,dc=fr
cas.authn.pm.ldap.userFilter=sAMAccountName={user}
cas.authn.pm.ldap.subtreeSearch=true
cas.authn.pm.ldap.bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr
cas.authn.pm.ldap.bindCredential=*******
cas.authn.pm.ldap.keystore=file:/etc/cas/config/my-domain.p12
cas.authn.pm.ldap.keystorePassword=*****
cas.authn.pm.ldap.keystoreType=PKCS12
cas.authn.pm.ldap.poolPassivator=NONE
cas.authn.pm.ldap.minPoolSize=3
cas.authn.pm.ldap.maxPoolSize=10
cas.authn.pm.ldap.validateOnCheckout=false
cas.authn.pm.ldap.validatePeriodically=true
cas.authn.pm.ldap.validatePeriod=600
cas.authn.pm.ldap.validateTimeout=5000
cas.authn.pm.ldap.failFast=true
cas.authn.pm.ldap.idleTime=500
cas.authn.pm.ldap.prunePeriod=600
cas.authn.pm.ldap.blockWaitTime=5000
cas.authn.pm.ldap.providerClass=org.ldaptive.provider.unboundid.UnboundIDProvider

When a user's password has expired, CAS normally presents the CasMustChangePassword page and the user can modify his password. But at this moment, the password history policy defined in AD via the PSO is not applied. It seems it's because ldaptive uses the RESET/REPLACE method to modify the password attribute, as I can see in the debug log:

2018-03-20 14:28:24,166 DEBUG [org.ldaptive.ModifyOperation] - execute request=[org.ldaptive.ModifyRequest@722220644::modifyDn=CN=Test-Account,OU=my-ou,DC=my-domain,DC=fr, /
attrMods=[[org.ldaptive.AttributeModification@1592014853::attrMod=REPLACE, attribute=[unicodePwd[IgBCAGwAYQBCAGwAYQAxAAZSqsazqsdDIAMwAhACCIIA]]]], controls=null, referralHandler=null, /
intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@22420243::config=[org.ldaptive.ConnectionConfig@1431827077::ldapUrl=ldaps://my-domain.fr, /
connectTimeout=PT1H23M20S, responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@166011805::credentialConfig=[org.ldaptive.ssl.KeyStoreCredentialConfig@-1381955502::trustStore=null, /
trustStoreType=null, trustStoreAliases=null, keyStore=file:/etc/cas/config/my-domain.fr.p12, keyStoreType=PKCS12, keyStoreAliases=null], trustManagers=null, hostnameVerifier=null, /
hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, /
connectionInitializer=[org.ldaptive.BindConnectionInitializer@296242715::bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr, bindSaslConfig=null, bindControls=null], /
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@cab0ca0], /
providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1004675057::metadata=[ldapUrl=ldaps://my-domain.fr, count=1], /
providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@2116114915::operationExceptionResultCodes=[SERVER_DOWN], properties={}, /
controlProcessor=org.ldaptive.provider.ControlProcessor@2f1ebf51, connectionOptions=null, socketFactory=null, sslSocketFactory=null, /
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@4eef43cc]>

2018-03-20 14:28:24,274 DEBUG [org.ldaptive.ModifyOperation] - execute response=[org.ldaptive.Response@632770826::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, /
referralURLs=[], messageId=3] for request=[org.ldaptive.ModifyRequest@722220644::modifyDn=CN=Test-Account,OU=my-ou,DC=my-domain,DC=fr, attrMods=[[org.ldaptive.AttributeModification@1592014853::attrMod=REPLACE, /
attribute=[unicodePwd[IgBCAGwAYQBCAGwAYQAxAAZSqsazqsdDIAMwAhACCIIA]]]], controls=null, referralHandler=null, intermediateResponseHandlers=null] with /
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@22420243::config=[org.ldaptive.ConnectionConfig@1431827077::ldapUrl=ldaps://my-domain.fr, connectTimeout=PT1H23M20S, /
responseTimeout=PT5S, sslConfig=[org.ldaptive.ssl.SslConfig@166011805::credentialConfig=[org.ldaptive.ssl.KeyStoreCredentialConfig@-1381955502::trustStore=null, trustStoreType=null, trustStoreAliases=null, /
keyStore=file:/etc/cas/config/my-domain.fr.p12, keyStoreType=PKCS12, keyStoreAliases=null], trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, /
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@296242715::bindDn=cn=CAS,cn=Users,dc=my-domain,dc=fr, bindSaslConfig=null, bindControls=null], /
connectionStrategy=org.ldaptive.DefaultConnectionStrategy@cab0ca0], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1004675057::metadata=[ldapUrl=ldaps://my-domain.fr, count=1], /
providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@2116114915::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@2f1ebf51, /
connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@4eef43cc]>

I've also noticed that when I remove the "Reset password" right for the bind account in Active Directory (with the modify password right still enabled), the password modify operation fails with the insufficient rights error: LDAPException(resultCode=50 (insufficient access rights)). So it means that when we use a bind account in CAS Password Management, a password reset is done when modifying the account's password.

From Microsoft, there are 2 types of password change:
- CHANGE_PASSWORD: the PSO policy is applied, but in that case the bind user must be the authenticated user
- RESET_PASSWORD: the PSO is not applied, and this is my case actually...

Is there a way to modify this to take care of the AD password policy?


Thanks for your time and your answers


Bruno
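The two modification shapes the post contrasts, as an added example (Python; not code from CAS, ldaptive or the poster): it encodes unicodePwd the way the log displays it and builds the single-REPLACE reset next to the DELETE+ADD change that makes AD enforce the PSO. The 0x52D diagnostic check relies on Microsoft's ERROR_PASSWORD_RESTRICTION code; actually sending the request is left to whatever LDAP client you use.

```python
import base64
from typing import List, Tuple

# One LDAP attribute modification as (operation, attribute, value), the
# shape ldaptive prints as attrMod=.../attribute=... in the log above.
Modification = Tuple[str, str, bytes]


def encode_unicode_pwd(password: str) -> bytes:
    """AD's unicodePwd value: the password wrapped in double quotes, UTF-16LE."""
    return f'"{password}"'.encode("utf-16-le")


def unicode_pwd_b64(password: str) -> str:
    """Base64 form of the value, as LDAP tools and the ldaptive log display it."""
    return base64.b64encode(encode_unicode_pwd(password)).decode("ascii")


def reset_password_mods(new_password: str) -> List[Modification]:
    """Administrative RESET: a single REPLACE of unicodePwd. The bind account
    needs the 'Reset Password' right on the target, and AD does not apply the
    PSO password-history rule. This is exactly what the debug log above shows."""
    return [("REPLACE", "unicodePwd", encode_unicode_pwd(new_password))]


def change_password_mods(old_password: str, new_password: str) -> List[Modification]:
    """User-style CHANGE: DELETE the old value and ADD the new one inside one
    ModifyRequest. AD verifies the old password itself, so only the 'Change
    Password' right is needed and PSO history/complexity rules are enforced."""
    return [
        ("DELETE", "unicodePwd", encode_unicode_pwd(old_password)),
        ("ADD", "unicodePwd", encode_unicode_pwd(new_password)),
    ]


def classify_result(result_code: int, diagnostic: str = "") -> str:
    """Interpret the LDAP result of a unicodePwd modify against AD."""
    if result_code == 0:
        return "success"
    if result_code == 50:
        # insufficientAccessRights: the bind identity lacks the password right
        # that the modification shape it sent requires (the error in the post).
        return "bind account lacks the required password right"
    if result_code == 53 and "0000052D" in diagnostic.upper():
        # unwillingToPerform carrying ERROR_PASSWORD_RESTRICTION (0x52D): the
        # new password was rejected by policy (history, length, complexity).
        return "rejected by password policy"
    return f"other failure (resultCode={result_code})"
```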

