log in error question


Jennifer LaVoie

May 18, 2018, 1:02:54 PM
to CAS Community
Hello Everyone

My managers are asking if CAS can return a better error to the end user besides "invalid credentials" based on the status of their account.

Is there a way for CAS to know whether the account is disabled or the password has expired, and return that information to the end user? I am integrated with Active Directory.

thanks
Jen

David Curry

May 18, 2018, 2:36:51 PM
to cas-...@apereo.org
There is. You can enable LDAP Password Policy Enforcement (LPPE):


This is separate from Password Management (further down the page).

All I had to do was add

cas.authn.ldap[0].passwordPolicy.enabled:   true
cas.authn.ldap[0].passwordPolicy.type:      AD
cas.authn.ldap[0].passwordPolicy.strategy:  DEFAULT

to cas.properties.

If you've gotten as far as setting up the src/ hierarchy in your overlay to create a theme and/or modify the various page templates, you can style these pages (there's a separate one for each failure condition) and you can customize the messages displayed by editing custom_messages.properties.

It seems to work pretty well.

--Dave



--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728
david...@newschool.edu

The New School


--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/87658e9a-bb8f-46bf-a4f8-e176818f26fd%40apereo.org.

Robert Bond

May 18, 2018, 4:09:56 PM
to cas-...@apereo.org
Hi Jen,

From a security perspective, doing this is perhaps not the best idea. By giving this information you aid attackers looking to verify whether an account exists.
It is best not to give any indication that an account is valid or has been locked.

Bring these concerns up to management. I would strongly recommend against exposing yourself to account enumeration.


Thanks,
Robert Bond.

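Since the thread ends with management deciding to show account status anyway, what a defender is left with is spotting enumeration in the authentication logs. The block below is an added example, not code from this thread or from CAS itself: it parses a constructed sample log (the line layout and the reason labels such as AccountNotFoundException are assumptions modelled loosely on Java exception class names; a real CAS log layout will differ and the regex would need adjusting) and flags any source address that tries many distinct usernames inside a short window with few or no successes. It keys on the server-side failure reason, which CAS knows regardless of whether the user-facing page reveals it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines for this example; the "timestamp level EVENT key=value"
# layout is an assumption, not an actual CAS log format.
SAMPLE_LOG = """\
2018-05-18 13:02:01 WARN  AUTH_FAIL    user=aadams   src=203.0.113.10 reason=AccountNotFoundException
2018-05-18 13:02:03 WARN  AUTH_FAIL    user=bbaker   src=203.0.113.10 reason=AccountNotFoundException
2018-05-18 13:02:04 WARN  AUTH_FAIL    user=ccarter  src=203.0.113.10 reason=AccountDisabledException
2018-05-18 13:02:06 WARN  AUTH_FAIL    user=ddavis   src=203.0.113.10 reason=AccountNotFoundException
2018-05-18 13:02:07 WARN  AUTH_FAIL    user=eevans   src=203.0.113.10 reason=FailedLoginException
2018-05-18 13:02:09 WARN  AUTH_FAIL    user=ffoster  src=203.0.113.10 reason=AccountNotFoundException
2018-05-18 13:02:10 INFO  AUTH_SUCCESS user=alice    src=198.51.100.7
2018-05-18 13:03:15 WARN  AUTH_FAIL    user=carol    src=192.0.2.5    reason=FailedLoginException
2018-05-18 13:03:20 WARN  AUTH_FAIL    user=carol    src=192.0.2.5    reason=FailedLoginException
2018-05-18 13:03:25 WARN  AUTH_FAIL    user=carol    src=192.0.2.5    reason=FailedLoginException
2018-05-18 13:05:40 WARN  AUTH_FAIL    user=alice    src=198.51.100.7 reason=FailedLoginException
2018-05-18 13:05:48 INFO  AUTH_SUCCESS user=alice    src=198.51.100.7
"""

# Matches one event line; "reason" is absent on successful logins.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) +\w+ +"
    r"(?P<event>AUTH_FAIL|AUTH_SUCCESS) +user=(?P<user>\S+) +src=(?P<src>\S+)"
    r"(?: +reason=(?P<reason>\S+))?"
)


def parse_line(line):
    """Return a dict for a recognised event line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "event": m.group("event"),
        "user": m.group("user"),
        "src": m.group("src"),
        "reason": m.group("reason"),
    }


def find_enumeration(log_text, window_minutes=5, min_distinct_users=5):
    """Flag sources that attempt >= min_distinct_users distinct usernames within
    any window of window_minutes. Returns {src: stats for the busiest window}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append(ev)

    window = timedelta(minutes=window_minutes)
    flagged = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        best = None
        # Slide a window starting at each event; count what falls inside it.
        for i, start in enumerate(events):
            users = set()
            stats = {"failures": 0, "successes": 0, "not_found": 0}
            for ev in events[i:]:
                if ev["ts"] - start["ts"] >= window:
                    break
                users.add(ev["user"])
                if ev["event"] == "AUTH_SUCCESS":
                    stats["successes"] += 1
                else:
                    stats["failures"] += 1
                    # "No such account" failures are the signature of username guessing,
                    # as opposed to password guessing against one known account.
                    if ev["reason"] == "AccountNotFoundException":
                        stats["not_found"] += 1
            if len(users) >= min_distinct_users and (
                best is None or len(users) > best["distinct_users"]
            ):
                best = {"distinct_users": len(users), **stats}
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, stats in find_enumeration(SAMPLE_LOG).items():
        print(f"{src}: {stats}")
```

Run as a script it reports 203.0.113.10 (six distinct usernames, four of them nonexistent, no successes) and stays quiet about the single-account password failures from 192.0.2.5 and the ordinary mistyped-then-correct login from 198.51.100.7. The thresholds `window_minutes` and `min_distinct_users` are the knobs to tune against your own baseline. Because the rule keys on what the server logged rather than on what the user saw, it works the same whichever message policy management settles on.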

Jennifer LaVoie

May 18, 2018, 8:50:08 PM
to cas-...@apereo.org
Hi Robert-

I know what you say is true. I have impressed this upon management. I did disagree; however, in the end, it's not my call.

Jen




--
"Confusion is a word we have invented for an order which is not understood."  ~Henry Miller