CAS 5.1.0 Password Policy Setup


pingminadmin

Jun 11, 2017, 9:56:33 PM
to CAS Community
I am working on CAS 5.1.0 with openLDAP 2.4. I get confused by Password Policy and Password Management. The documentation sometimes mixes these two.

Here is part of my cas.properties:

cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.com
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=ou=people,dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}

cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=2
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=20

cas.authn.pm.enabled=true
cas.authn.pm.reset.text=https://example.com/reset-password
cas.authn.pm.reset.subject=Password Reset Request
cas.authn.pm.reset.from=
cas.authn.pm.reset.expirationMinutes=5
cas.authn.pm.reset.emailAttribute=mail

cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=ldaps://ldap.example.com
cas.authn.pm.ldap.connectionStrategy=
cas.authn.pm.ldap.useSsl=true
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=people,dc=example,dc=com
cas.authn.pm.ldap.userFilter=cn={user}


And my situation and questions are:

1) cas.authn.ldap[0].passwordPolicy.loginFailures and cas.authn.ldap[0].passwordPolicy.warningDays don't seem to be working. I set up pwdMaxFailure for 3 times and pwdExpireWarning for 30 days in openLDAP. So it always locked me out after 3 failures and showed a warning for 29 days. Even when I tried 2 times and 20 days in cas.properties, it didn't change anything. Did I miss something?

2) The warning message for changing the password shows 29 days and the link is {1}. That's in messages.properties. But where should I set the link to pass in as {1}? I thought it was cas.authn.pm.reset.text but it doesn't work.

3) After the password expired, login still shows "Invalid credentials". How do I get the "account has been locked" message?

4) I set pwdGraceAuthNLimit to 1 in openLDAP. After the password expired, the login page still shows "Invalid credentials". But I see openLDAP has one successful grace bind. I hope to log in and get the "password has to be changed" page.

Any help will be appreciated.

Thanks,
Min

Ben Howell-Thomas

Jun 15, 2017, 11:39:45 AM
to cas-...@apereo.org
RE #2 It's probably showing {1} because you need to pass a parameter when getting the bundle text. See casPostResponseView.html for an example (search for th:text).

--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
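As an added illustration of the point in Ben's reply (this is example markup, not code from the thread or from CAS's own views), a bundle entry with two positional parameters and the Thymeleaf expression that supplies them. The message key, the model attribute names and the URL are assumptions; the real CAS key and view variables live in CAS's own message bundle and templates.

```html
<!-- messages.properties entry (hypothetical key, not CAS's real one):
     screen.warnpass.message=Your password expires in {0} day(s). <a href="{1}">Change it now</a>.
-->

<!-- Looking the message up with no parameters renders the placeholders
     literally, which is why the page shows "{1}" instead of a link. -->
<span th:text="#{screen.warnpass.message}"></span>

<!-- Passing both parameters: {0} = days left, {1} = the change-password URL.
     'expireDays' and 'passwordChangeUrl' are assumed model attributes set by
     the controller, not names from CAS. th:utext is used so the <a> in the
     message is rendered as markup rather than escaped text. -->
<span th:utext="#{screen.warnpass.message(${expireDays}, ${passwordChangeUrl})}"></span>
```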