How to configure password management in cas


Vikash Chandra Ansh
Jan 19, 2020, 1:23:36 PM
to cas-...@apereo.org
Hi All,

Can somebody suggest to me how to add the password management feature in CAS? I need to add security questions and validate them so that the user can change the password. I am using LDAP for authentication.
I have added the pm dependency
cas-server-support-pm-ldap. Moreover, I have added properties for pm.

Kindly suggest what to do next and how to set up the UI.

I am new to CAS, so I am a little tense and unaware of the functionalities.

Thanks & Regards

Vikash Chandra Ansh
Jan 22, 2020, 2:27:24 AM
to cas-...@apereo.org
Hello all,

Kindly help me with the above query.
Thank you

Andy Ng
Jan 22, 2020, 11:48:00 PM
to CAS Community
Hi Vikash,

It would be awesome if you could provide as much information as possible (e.g. CAS version, which UI element you want to change, etc.), so people in the community can try to figure out the problem.

First of all: 

> Moreover I have added properties for pm:
Is the LDAP part already all done, and can you successfully use the password management features? If not, can you post your properties here so we can have a look?


> Kindly suggest what next to do.. How to set UI.

So I think this statement implies you already have your password management working fine and just want to modify the UI, correct?

Which UI are you talking about? At least there are:
- The main login page
- The main page where you change your password
- Logout
- The text that appears on screen
- etc.

Depending on which UI you want to edit, the solution differs.

If you can't describe which UI you want to modify, you can also post an image in this Google Group, so people can pinpoint which actual element you want to change.

See if the above makes sense...

Cheers!
- Andy

Andy Ng
Jan 22, 2020, 11:49:20 PM
to CAS Community
For UI, you can always consult the official document: https://apereo.github.io/cas/6.0.x/ux/User-Interface-Customization-Views.html - Andy

Vikash Chandra Ansh
Jan 26, 2020, 4:36:38 PM
to cas-...@apereo.org
Hi Andy,

I have added the below dependency in Maven as I want pm through LDAP.

<dependency>
    <groupId>org.apereo.cas</groupId>
    <artifactId>cas-server-support-pm-ldap</artifactId>
    <version>${cas.version}</version>
</dependency>

The properties I have added are:

# cas.authn.pm.enabled=true

# Minimum 8 and Maximum 10 characters at least 1 Uppercase Alphabet, 1 Lowercase Alphabet, 1 Number and 1 Special Character
# cas.authn.pm.policyPattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!%*?&])[A-Za-z\\d$@$!%*?&]{8,10}

# cas.authn.pm.reset.expirationMinutes=1
# cas.authn.pm.reset.securityQuestionsEnabled=true

# Automatically log in after successful password change
# cas.authn.pm.autoLogin=false
# cas.authn.pm.ldap.type=AD
# cas.authn.pm.ldap.usernameAttribute=sAMAccountName
# cas.authn.pm.ldap.searchFilterUsername=email={user}

# Attributes that should be fetched to indicate security questions and answers
# cas.authn.pm.ldap.securityQuestionsAttributes.attrQuestion1=attrAnswer1
# cas.authn.pm.ldap.securityQuestionsAttributes.attrQuestion2=attrAnswer2 
# cas.authn.pm.ldap.securityQuestionsAttributes.attrQuestion3=attrAnswer3


I have a UI with the below fields:

Username
password
submit

Now I have to add an option for password management?

The flow goes like this:
1) The user first sets some security questions for himself/herself upon providing username and password.
2) We have two options, like forgot password? and forgot username?

Upon answering the security details, the user will be able to manage his details.

Kindly tell me how to design this.

With regards


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/4dc06745-f88b-4ea5-a2c4-de0642436703%40apereo.org.
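Every property in the block above is commented out, so a Java properties loader ignores all of them; this added example (not CAS code and not from the thread) shows that, and also how the doubled `\\d` written in policyPattern is unescaped to `\d` before the regex is compiled. The reader models a subset of java.util.Properties; treating the pattern as a full-string match is an assumption about how CAS applies it.

```python
import re

# Constructed input: two keys from the properties above, exactly as posted (commented out)
# and with the leading "# " removed. Note the doubled backslashes in the pattern.
COMMENTED = r"""
# cas.authn.pm.enabled=true
# cas.authn.pm.policyPattern=^(?=.*[a-z])(?=.*[A-Z])(?=.*\\d)(?=.*[$@$!%*?&])[A-Za-z\\d$@$!%*?&]{8,10}
"""
ACTIVE = COMMENTED.replace("\n# ", "\n")

ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}

def unescape(value):
    """Subset of java.util.Properties unescaping: unicode escapes, t/n/r/f, and any other
    escaped character stands for itself (so a doubled backslash becomes a single one)."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            nxt = value[i + 1]
            if nxt == "u" and i + 5 < len(value):
                out.append(chr(int(value[i + 2:i + 6], 16)))
                i += 6
            else:
                out.append(ESCAPES.get(nxt, nxt))
                i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def load_properties(text):
    """Minimal .properties reader: blank lines and lines starting with # or ! are dropped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue  # a commented-out key never reaches CAS, whatever its value says
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        props[m.group(1)] = unescape(m.group(2))
    return props

def password_ok(props, candidate):
    """Apply cas.authn.pm.policyPattern as a full-string match (assumed Java matches() semantics).
    Returns None when no policy was loaded, e.g. because the line is still commented out."""
    pattern = props.get("cas.authn.pm.policyPattern")
    if pattern is None:
        return None
    return re.fullmatch(pattern, candidate) is not None
```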

Vikash Chandra Ansh
Jan 26, 2020, 4:36:56 PM
to cas-...@apereo.org
I am using CAS version 5.2.2 now.

Andy Ng
Jan 27, 2020, 10:46:32 PM
to CAS Community
Hi Vikash,

About the properties, I'm not sure whether you have done it or not, but you need to make sure your properties are uncommented:

This won't work:
# cas.authn.pm.enabled=true

Need to do this:
cas.authn.pm.enabled=true

About the flow in general, please see this line in the official document (https://apereo.github.io/cas/5.1.x/installation/Password-Management.html):
The password management features of CAS are rather modest, and alternatively should the functionality provide inadequate for your policy, you may always redirect CAS to use a separate and standalone application that is fully in charge of managing the account password and associated flows.

What the above implies is that:
- CAS only provides very simple and basic password management,
- and anything more complex than that should probably be handled outside of CAS.

From your previous comment, I found that your requirements are probably similar to what CAS natively provides, but just barely.

Let us go through what CAS can provide and see if that fixes it for you:

If you configured everything correctly, you should be able to see this:

[Screenshot: Screenshot from 2020-01-28 11-16-16.png]

There should be a reset your password button.

Clicking on it will bring you to this page:

[Screenshot: Screenshot from 2020-01-28 11-18-21.png]

Entering the proper username (in my case, casuser), you can get an email.

[Screenshot: Screenshot from 2020-01-28 11-24-14.png]

Click on the link, and the user can get back to CAS and enter their defined question here:

[Screenshot: Screenshot from 2020-01-28 11-25-58.png]

And then the user can change the password:

[Screenshot: Screenshot from 2020-01-28 11-28-50.png]

Back on the original login page, if you click on the Forgot your username? button, you can get back your username.

[Screenshot: Screenshot from 2020-01-28 11-34-05.png]

Also, I have some bug in the demo: I can't actually finish the last step of resetting the password and sending the username.... However, I can tell you that was done before, so probably some of my other features broke my demo ._.

Let's compare that to your requirements:
1) The user first sets some security questions for himself/herself upon providing username and password. (That step seems to be done during the provisioning of the account, not in CAS, but as you can see, if you do have the questions set up, they can be used for verification during password reset.)
2) We have two options, like forgot password? and forgot username? (As you can see in the above demo, both can be done.)


As for my example, my demo above is built using CAS 6 and MySQL, so I'm not sure if all of it will be totally compatible with CAS 5 and LDAP.


Nonetheless, here's my info:


cas.yml:

cas.authn.jdbc.query:
  - user: root
    password: ThisIsThePasswordForRoot
    driverClass: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://${PROTOCOL_PASSWORD_MANAGEMENT_JDBC}/${PROTOCOL_PASSWORD_MANAGEMENT_JDBC}
    sql: SELECT * FROM pm_table_accounts WHERE userid=?
    fieldPassword: password
    # No password encoding
    passwordEncoder.type: NONE

# The parent key of this block was lost in the post; cas.authn.pm is assumed from the property names below
cas.authn.pm:
  enabled: true
  # Allow any password
  policyPattern: ^.*
  reset.securityQuestionsEnabled: true
  autoLogin: true
  reset.mail:
    text: CAS Password Management JDBC Path is %s
    subject: Testing Password Management JDBC
  jdbc:
    user: root
    password: ThisIsThePasswordForRoot
    driverClass: com.mysql.cj.jdbc.Driver
    url: jdbc:mysql://${PROTOCOL_PASSWORD_MANAGEMENT_JDBC}/${PROTOCOL_PASSWORD_MANAGEMENT_JDBC}
    sqlSecurityQuestions: SELECT question, answer FROM pm_table_questions WHERE userid=?
    sqlFindEmail: SELECT email FROM pm_table_accounts WHERE userid=?
    # Actually no phone setup, so set this to null
    sqlFindPhone: SELECT NULL FROM pm_table_accounts WHERE userid=?
    sqlFindUser: SELECT userid FROM pm_table_accounts WHERE email=?
    sqlChangePassword: UPDATE pm_table_accounts SET password=? WHERE userid=?
    autocommit: true
    # No password encoding
    passwordEncoder.type: NONE



The SQL for MySQL:
DROP TABLE IF EXISTS pm_table_accounts;
DROP TABLE IF EXISTS pm_table_questions;

CREATE TABLE pm_table_accounts (
    id INT NOT NULL AUTO_INCREMENT,
    userid VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL,
    email VARCHAR(255) NOT NULL,
    PRIMARY KEY (id)
);

CREATE TABLE pm_table_questions (
    id INT NOT NULL AUTO_INCREMENT,
    userid VARCHAR(255) NOT NULL,
    question VARCHAR(255) NOT NULL,
    answer VARCHAR(255) NOT NULL,
    PRIMARY KEY (id)
);

INSERT INTO pm_table_accounts (userid, password, email)
VALUES
    ('casuser', 'Mellon', 'jam7...@bcaoo.com'),
    ('password-management-jdbc', 'Mellon', 'jam7...@bcaoo.com');

INSERT INTO pm_table_questions (userid, question, answer)
VALUES
    ('casuser', 'What fruit is best fruit?', 'Mellon'),
    ('password-management-jdbc', 'Just type something', 'something');


See if the above helps you...

Cheers!
- Andy
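The reset flow walked through in the screenshots above, replayed against Andy's schema and queries on an in-memory SQLite database, as an added example (neither CAS code nor Andy's): username lookup by email, the mailed link modelled as a random token with the 1-minute expiry from Vikash's properties, constant-time comparison of the stored security answer, and a password change gated by Vikash's policyPattern instead of Andy's `^.*`. The table rows and the email address are constructed.

```python
import hmac
import re
import secrets
import sqlite3

# Queries verbatim from the cas.yml above; regex and expirationMinutes=1 from Vikash's properties.
SQL_FIND_EMAIL = "SELECT email FROM pm_table_accounts WHERE userid=?"
SQL_FIND_USER = "SELECT userid FROM pm_table_accounts WHERE email=?"
SQL_QUESTIONS = "SELECT question, answer FROM pm_table_questions WHERE userid=?"
SQL_CHANGE_PW = "UPDATE pm_table_accounts SET password=? WHERE userid=?"
POLICY = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[$@$!%*?&])[A-Za-z\d$@$!%*?&]{8,10}$")
EXPIRATION_SECONDS = 1 * 60

def build_db():
    """In-memory SQLite copy of Andy's two tables, filled with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE pm_table_accounts (id INTEGER PRIMARY KEY AUTOINCREMENT, userid TEXT, password TEXT, email TEXT);
        CREATE TABLE pm_table_questions (id INTEGER PRIMARY KEY AUTOINCREMENT, userid TEXT, question TEXT, answer TEXT);
        INSERT INTO pm_table_accounts (userid, password, email) VALUES ('casuser', 'Mellon', 'casuser@example.invalid');
        INSERT INTO pm_table_questions (userid, question, answer) VALUES ('casuser', 'What fruit is best fruit?', 'Mellon');""")
    return db

def forgot_username(db, email):
    row = db.execute(SQL_FIND_USER, (email,)).fetchone()  # the 'Forgot your username?' button
    return row[0] if row else None

def start_reset(db, userid, now):
    """'Reset your password': sqlFindEmail, then a random token that expires like the mailed link."""
    row = db.execute(SQL_FIND_EMAIL, (userid,)).fetchone()
    if row is None:
        return None  # unknown user: nothing is mailed
    return {"userid": userid, "email": row[0], "token": secrets.token_urlsafe(32),
            "expires": now + EXPIRATION_SECONDS}

def verify_answers(db, reset, answers, now):
    """Security-question step: link still valid and every stored answer matched (constant-time)."""
    if now > reset["expires"]:
        return False
    stored = db.execute(SQL_QUESTIONS, (reset["userid"],)).fetchall()
    return bool(stored) and all(hmac.compare_digest(a, answers.get(q, "")) for q, a in stored)

def change_password(db, reset, new_password):
    """Final step: enforce policyPattern, then sqlChangePassword (stored as-is: passwordEncoder NONE)."""
    if not POLICY.match(new_password):
        return False
    db.execute(SQL_CHANGE_PW, (new_password, reset["userid"]))
    db.commit()
    return True
```

Because passwordEncoder.type is NONE in both configs, the new password lands in the table as plain text, which is fine for a demo but is the first setting to change before this goes anywhere near production.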

Vikash Chandra Ansh
Jan 28, 2020, 1:28:42 AM
to cas-...@apereo.org
Hi Andy,

Thanks for the response. Yup, I have uncommented the properties.
I just want to confirm that this security questions part will be done from the DB side only, because I am now able to reach the forgot password side.

Thanks and regards


Vikash Chandra Ansh
Jan 28, 2020, 11:06:36 PM
to cas-...@apereo.org
Hi all,

For the above mentioned: if we are using a database for storing security questions, we need to use the cas-server-support-pm-jdbc dependency.
Also, suggest to me whether, if we use CAS 6.1.2, we have a completely built-in feature for pm using LDAP.
Moreover, suggest where we can add security questions for users.

Thanks and Regards