CAS 6.2 Password Policy


Jeremiah Garmatter

Aug 4, 2020, 9:14:56 AM
to CAS Community
Hello,

I am having trouble understanding the password policy documentation for CAS 6.2.x. I use openldap as the ldap source. I would like to set up a policy that warns users of a password change at 60 days, 30 days, and forces a password change at 2 days. This policy was enforced on a server running CAS 3.5 and I'm not sure how this system was set up (it was made by predecessors).

Could somebody explain what this line means?
"LPPE is also able to warn the user when the account is about to expire. The expiration policy is determined through pre-configured LDAP attributes with default values in place." (found here: https://apereo.github.io/cas/6.2.x/installation/Password-Policy-Enforcement.html)

From what I understand there is a predefined LDAP attribute that is checked against the warning-days property and if it is under the day-count then a warning message appears.
Is this true? Also, what LDAP attribute is it checking against? Can this attribute be changed?

King, Robert

Aug 4, 2020, 12:44:54 PM
to cas-...@apereo.org

--
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/9de39171-2d46-479c-8738-9ca18c5890d8n%40apereo.org.

Jeremiah Garmatter

Aug 5, 2020, 8:59:48 AM
to cas-...@apereo.org
Robert,

You are saying that password policy is defined within openldap itself and not within CAS?
I'd prefer not to change any ldap configuration if that can be avoided. Is there no way to change the attribute checked for password expiration within CAS properties?

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020



King, Robert

Aug 5, 2020, 9:54:18 AM
to cas-...@apereo.org

Yes, it is defined in OpenLDAP.  I would be surprised if this is not already set up on your existing directory.

Guessing as to what CAS is doing…


First search for user operational attributes pwdChangedTime and pwdPolicySubentry.  Then a second search on the DN from pwdPolicySubentry.  That should retrieve attribute pwdMaxAge.  Then CAS would determine if the account is expiring inside the CAS defined warning days window and pop up the interruption screen to notify users as they login.
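The expiry arithmetic Robert sketches above (read pwdChangedTime and pwdPolicySubentry from the user, read pwdMaxAge from the policy entry, then compare the remaining lifetime with the warning window) can be checked outside of CAS. The following is an added example, not CAS or ldaptive code: it runs the same computation over a constructed in-memory directory so you can see which inputs produce "warn", "expired" or no message at all. The entry DNs, the default policy DN and the 90-day pwdMaxAge are assumptions; only the attribute names and the GeneralizedTime format are OpenLDAP's own.

```python
"""Added example (not CAS/ldaptive code): emulate the OpenLDAP ppolicy
expiry check on constructed directory entries."""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Constructed sample data standing in for the two LDAP searches.
# Operational attrs pwdChangedTime / pwdPolicySubentry live on the user;
# pwdMaxAge (seconds) lives on the policy entry the subentry points at.
DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20200621091456Z",
        "pwdPolicySubentry": "cn=default,ou=policies,dc=example,dc=edu",
    },
    "uid=svc,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20150101000000Z",
        # no pwdPolicySubentry: falls back to the default policy
    },
    "uid=kiosk,ou=people,dc=example,dc=edu": {
        "pwdChangedTime": "20200101000000Z",
        "pwdPolicySubentry": "cn=never,ou=policies,dc=example,dc=edu",
    },
    # Assumed policy entries: 7776000 s = 90 days; 0 = passwords never expire
    "cn=default,ou=policies,dc=example,dc=edu": {"pwdMaxAge": "7776000"},
    "cn=never,ou=policies,dc=example,dc=edu": {"pwdMaxAge": "0"},
}
DEFAULT_POLICY_DN = "cn=default,ou=policies,dc=example,dc=edu"  # assumption


def parse_generalized_time(value: str) -> datetime:
    """LDAP GeneralizedTime as OpenLDAP writes it: YYYYMMDDHHMMSS[.fff]Z (UTC)."""
    base = value.rstrip("Z").split(".")[0]
    return datetime.strptime(base, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def days_until_expiry(user_dn: str, now: str,
                      directory: dict = DIRECTORY,
                      default_policy_dn: str = DEFAULT_POLICY_DN) -> Optional[int]:
    """Whole days until pwdChangedTime + pwdMaxAge; None when no expiry applies.

    `now` is also a GeneralizedTime string so callers need no datetime objects.
    Negative result means the password already expired.
    """
    user = directory[user_dn]
    changed = user.get("pwdChangedTime")
    if changed is None:
        return None  # never changed under ppolicy: nothing to compute
    policy = directory.get(user.get("pwdPolicySubentry", default_policy_dn), {})
    max_age = int(policy.get("pwdMaxAge", "0"))
    if max_age == 0:
        return None  # pwdMaxAge 0: password never expires
    expires_at = parse_generalized_time(changed) + timedelta(seconds=max_age)
    return (expires_at - parse_generalized_time(now)).days


def password_warning(user_dn: str, now: str, warning_days: int,
                     warn_all: bool = False, **kw) -> Tuple[str, Optional[int]]:
    """Decide what a login-time policy check would show the user."""
    remaining = days_until_expiry(user_dn, now, **kw)
    if remaining is None:
        return ("none", None)
    if remaining < 0:
        return ("expired", remaining)
    if warn_all or remaining <= warning_days:
        return ("warn", remaining)  # "password expires in N day(s)"
    return ("ok", remaining)


if __name__ == "__main__":
    now = "20200804091456Z"  # constructed clock
    for dn in (d for d in DIRECTORY if d.startswith("uid=")):
        print(dn, password_warning(dn, now, warning_days=30))
```

Note that `days_until_expiry` floors to whole days, so a password that lapses later today reports 0, which matches the "expired in 0 day(s)" screen described later in this thread. To see the real values a server returns, request the operational attributes explicitly, e.g. `ldapsearch ... -b "ou=people,dc=example,dc=edu" "(uid=jdoe)" pwdChangedTime pwdPolicySubentry '+'` (the `+` asks OpenLDAP for operational attributes, which are not returned by default).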

Jeremiah Garmatter

Aug 19, 2020, 10:56:34 AM
to CAS Community, ro...@mun.ca
Alright, I was able to track down a little more information on my organization's password policy. I'm now wondering if CAS 6.2 supports LPPE configurations. On the old CAS server (3.5), there was an lppe-configuration.xml file allowing one to set the attributes LPPE looked at to trigger password warnings. Is there an equivalent configuration file on 6.2?

For reference, here is an example from our 5.3 lppe-configuration.xml file:
        <bean id="ldapPasswordPolicyEnforcer" class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer">
          <property name="searchBase" value="${ldap.authentication.basedn}" />
          <property name="contextSource" ref="contextSource" />
          <property name="filter" value="${ldap.authentication.filter}" />
          <property name="ignorePartialResultException" value="${ldap.authentication.ignorePartialResultException}" />
          <property name="warnAll" value="${ldap.authentication.lppe.warnAll}" />
          <property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" />
          <property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" />
          <property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
          <property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />
          <property name="warningDays" value="${ldap.authentication.lppe.warningDays}" />
          <property name="validDays" value="${ldap.authentication.lppe.validDays}" />
          <property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" />
          <property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" />
        </bean>

King, Robert

Aug 19, 2020, 12:28:39 PM
to Jeremiah Garmatter, CAS Community

Jeremiah Garmatter

Aug 19, 2020, 3:16:17 PM
to CAS Community, ro...@mun.ca, Jeremiah Garmatter
Robert,

That link does look like the properties I need; however, it appears to be missing a few entries, such as the dateAttribute and dateFormat, which I believe are vital to the configuration. I tried this configuration (note my organization runs 389 Directory):
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.warn-all=false
cas.authn.ldap[0].passwordPolicy.warning-days=30
cas.authn.ldap[0].passwordPolicy.warning-attribute-value=
cas.authn.ldap[0].passwordPolicy.warning-attribute-name=
cas.authn.ldap[0].passwordPolicy.display-warning-on-match=true
cas.authn.ldap[0].passwordPolicy.strategy=DEFAULT

I also tried with warn-all=true, and the account-state-handling-enabled=true which didn't make a difference as far as I could tell. I am using an account with password set to expire in 1 day, which our cas 3.5 server correctly recognizes and acts on. After setting the ldaptive logger to debug, I don't see anything related to the password policy. Is there another logger that may provide more information for me?

Perhaps I'll have to create a custom groovy script or some thymeleaf logic to compare the attributes with current date and time, then direct them to the service or our password reset application.

King, Robert

Aug 20, 2020, 10:48:39 AM
to cas-...@apereo.org

Does that account that you are using have the appropriate privileges to read the LPPE policy?  I have no experience with 389 and how it implements LPPE, but it does help to check on the LDAP server side to see what query the CAS/LDAPTIVE is making to check the LPPE.

Jeremiah Garmatter

Aug 20, 2020, 11:04:26 AM
to cas-...@apereo.org
Robert,

Thank you for the advice, the account I'm using does have privileges to read the policy. When I signed in this morning (the password expires today), I was brought to a screen stating my password expired in 0 day(s) with a password reset link and a continue button. LPPE is finding something, but only on the day the password expires. I'll check out what's happening on LDAPs side when I get some time later.

-Jeremiah Garmatter, Systems Administrator
-Ohio Northern University, Class of 2020
