CAS +LDAP +ppolicy_


liu chenghai

Dec 6, 2016, 8:25:57 AM
to CAS Community
Hi,
I use the ppolicy overlay and enabled ppolicy_use_lockout to distinguish between invalid passwords and locked accounts on OpenLDAP.

I tried to lock a user account by entering a wrong password a couple of times (pwdMaxFailure).

The user is locked, but when I try to log in again I still get the same error:

Invalid credentials (49)

The slapo-ppolicy(5) man page states quite clearly that ppolicy_use_lockout only affects the ppolicy response control. CAS must bind using the ppolicy request control in order to generate this result code.
Is CAS binding this way?
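
As an added illustration of the point above (example code, not from the thread, CAS or OpenLDAP), this Python decodes the ppolicy response control that slapo-ppolicy attaches to a BindResponse only when the client sent the matching request control, and shows why resultCode 49 alone cannot tell a lockout from a wrong password. The sample control bytes are constructed by hand from the ASN.1 in draft-behera-ldap-password-policy.

```python
# Added example (not from the thread, CAS or OpenLDAP): decode the
# passwordPolicyResponse control (OID 1.3.6.1.4.1.42.2.27.8.5.1).
# Sample bytes below are hand-constructed from draft-behera-ldap-password-policy.
PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
INVALID_CREDENTIALS = 49        # LDAP resultCode, identical for bad password and lockout
PPOLICY_ERRORS = {
    0: "passwordExpired", 1: "accountLocked", 2: "changeAfterReset",
    3: "passwordModNotAllowed", 4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality", 6: "passwordTooShort",
    7: "passwordTooYoung", 8: "passwordInHistory",
}

def _tlv(buf, pos):
    """Read one BER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:           # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_ppolicy_response(value):
    """Parse PasswordPolicyResponseValue into {warning-name: int, 'error': name}."""
    tag, body, _ = _tlv(value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    out, pos = {}, 0
    while pos < len(body):
        tag, inner, pos = _tlv(body, pos)
        if tag == 0xA0:         # warning [0] CHOICE of two context-tagged INTEGERs
            wtag, wval, _ = _tlv(inner, 0)
            name = {0x80: "timeBeforeExpiration", 0x81: "graceAuthNsRemaining"}[wtag]
            out[name] = int.from_bytes(wval, "big")
        elif tag == 0x81:       # error [1] ENUMERATED
            out["error"] = PPOLICY_ERRORS.get(inner[0], "unknown(%d)" % inner[0])
    return out

def classify_bind_failure(result_code, controls):
    """Name the failure; `controls` is a list of (oid, value_bytes) from the BindResponse."""
    for oid, value in controls:
        if oid == PPOLICY_RESPONSE_OID:
            error = decode_ppolicy_response(value).get("error")
            if error:
                return error
    # Without the control, only the generic resultCode is available.
    return "invalidCredentials" if result_code == INVALID_CREDENTIALS else "resultCode(%d)" % result_code

# Constructed sample: SEQUENCE { error [1] accountLocked(1) } = 30 03 81 01 01
LOCKED = (PPOLICY_RESPONSE_OID, bytes.fromhex("3003810101"))
```

Running classify_bind_failure(49, []) versus classify_bind_failure(49, [LOCKED]) reproduces the thread's symptom: the first call can only say invalidCredentials, the second reports accountLocked.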

Ben Howell-Thomas

Dec 6, 2016, 9:23:57 AM
to cas-...@apereo.org
Hi,

First post!

I don't think CAS has a say in how it binds.

However, I remember seeing an option in OpenLDAP somewhere (sorry, just learning OpenLDAP myself, can't remember where) that said it would always return an invalid credentials message to avoid giving away that it's a real username.

Ben

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+unsubscribe@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/bbcbe0fa-058b-4ed3-b6ec-ff2649cef522%40apereo.org.


liu chenghai

Dec 6, 2016, 8:48:15 PM
to CAS Community
Hi,
Thanks. I found
https://apereo.github.io/cas/4.2.x/installation/LDAP-Authentication.html#configuration-1
<alias name="ldapPasswordPolicyConfiguration" alias="passwordPolicyConfiguration" />

The following settings are applicable:

# password.policy.warnAll=false
# password.policy.warningDays=30
# password.policy.url=https://password.example.edu/change

Next, in your ldapAuthenticationHandler bean, configure the password policy configuration above:

<bean id="ldapAuthenticationHandler"
      class="org.jasig.cas.authentication.LdapAuthenticationHandler"
      p:passwordPolicyConfiguration-ref="passwordPolicyConfiguration">
      ...
</bean>

Next, make sure Authenticator is set to enable/use password policy:

<ldaptive:bind-search-authenticator id="authenticator"
      ...
      usePasswordPolicy="${ldap.usePpolicy:true}"
      ...
/>
