[cas-user] Some issues with CAS LPPE


Philippe MARASSE

Aug 21, 2012, 11:47:06 AM
to cas-...@lists.jasig.org
Hello,

I'm testing the new implementation of LPPE provided with CAS 3.5.0. I've followed the LPPE
Wiki page but I ran into a few issues:
- 2 messages are missing from all messages_xx.properties: screen.accountlocked.heading
& screen.accountlocked.message, referenced in
/WEB-INF/view/jsp/default/ui/casAccountLockedView.jsp (should I open a JIRA for that?)

- I always get "WARN [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No
entry was found for user testpm. Verify your LPPE settings. If you are not using LPPE, set
the 'enabled' property to false. Password policy enforcement is currently turned on but
not configured."

Although the very same query is done successfully by the authentication handler??

From lppe-configuration.xml:
<bean id="ldapPasswordPolicyEnforcer"
class="org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer">
<property name="searchBase" value="${ldap.baseDn}" />
<property name="contextSource" ref="searchContextSource" />
<property name="filter" value="${ldap.filter}" />
<property name="ignorePartialResultException" value="yes" />
<property name="warnAll" value="${ldap.authentication.lppe.warnAll}" />
<property name="dateFormat" value="${ldap.authentication.lppe.dateFormat}" />
<property name="dateAttribute" value="${ldap.authentication.lppe.dateAttribute}" />
<!-- <property name="warningDaysAttribute"
value="${ldap.authentication.lppe.warningDaysAttribute}" />
<property name="validDaysAttribute"
value="${ldap.authentication.lppe.validDaysAttribute}" /> -->
<property name="warningDays" value="${ldap.authentication.lppe.warningDays}" />
<property name="validDays" value="${ldap.authentication.lppe.validDays}" />
<property name="noWarnAttribute" value="${ldap.authentication.lppe.noWarnAttribute}" />
<property name="noWarnValues" value="${ldap.authentication.lppe.noWarnValues}" />
</bean>

<bean id="lppeEnabledLdapAuthenticationHandler"
class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:filter="${ldap.filter}"
p:searchBase="${ldap.baseDn}"
p:contextSource-ref="authContextSource"
p:searchContextSource-ref="searchContextSource"
p:ignorePartialResultException="yes" />

My old LDAP authentication handler was:
<bean id="ldapHandler" class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler"
p:searchContextSource-ref="searchContextSource"
p:contextSource-ref="authContextSource"
p:filter="${ldap.filter}"
p:searchBase="${ldap.baseDn}"
p:ignorePartialResultException="yes" />

The only attribute I can rely upon is pwdLastSet, as with Active Directory there is no
attribute like warningDaysAttribute or validDaysAttribute in the user record.

The target installation will be :
- 2xCAS servers on Tomcat 7.0 with HA & EhCache Ticket Registries
- Active Directory 2008R2 as authentication source (kerberos + ldap) and attributes source
- Current "temporary" authentication schemes:
- internal clients : X509 / SPNEGO / Login/Password
- external clients : X509 / Login/Password

Can anyone help me solve this issue?
Thanks.

--
Philippe MARASSE

Service Informatique - Centre Hospitalier Henri Laborit
BP 587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19


Misagh Moayyed

Aug 21, 2012, 12:29:22 PM
to cas-...@lists.jasig.org
> - 2 messages are missing from all messages_xx.properties:
> screen.accountlocked.heading & screen.accountlocked.message

Please see https://issues.jasig.org/browse/CAS-1126

> - I always get "WARN"
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer]

I do agree that the error message you receive is confusing and in fact
incorrect (there is no 'enabled' property). The issue you describe, though,
has to do with the fact that the userid cannot be located in the LDAP
instance. My initial suspicion is that your context source may be different
for the LPPE bean than what it is for the authN bean.

> record, there is no attribute like warningDaysAttribute nor
> validDaysAttribute.

The configuration allows you to set defaults, in case no attributes are
available. See "warningDays" and "validDays".

A sample configuration of LPPE:
https://github.com/Jasig/cas/blob/master/cas-server-webapp/src/main/webapp/WEB-INF/unused-spring-configuration/lppe-configuration.xml

Planned LPPE improvements:
https://issues.jasig.org/browse/CAS-1121

Regards,

-Misagh
--
You are currently subscribed to cas-...@lists.jasig.org as: jasig-cas-user...@googlegroups.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user

Philippe MARASSE

Aug 22, 2012, 4:36:44 AM
to cas-...@lists.jasig.org
On 21/08/2012 18:29, Misagh Moayyed wrote:
> - 2 messages are missing from all messages_xx.properties :
> screen.accountlocked.heading & screen.accountlocked.message
>
> Please see https://issues.jasig.org/browse/CAS-1126
Oops, I searched in the list but not in JIRA, sorry :-)
>
> - I always get "WARN"
> [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer]
>
> I do agree that the error message you receive is confusing and in fact
> incorrect. (There is no 'enabled' property). The issue you describe though
> has to with the fact that the userid cannot be located in the ldap
> instance. My initial suspicion is that your context source maybe different
> for the LPPE bean that what it is for the authN bean.
The exception raised is a java.lang.NullPointerException at
javax.naming.directory.BasicAttributes.get(BasicAttributes.java:144), indicating that the
user has not been found, although my context source is my searchContextSource, also used by
the AuthN bean (the AuthN bean also uses another context source).

This morning, I uncommented these two lines from the ldapPasswordPolicyEnforcer bean:

<property name="warningDaysAttribute" value="${ldap.authentication.lppe.warningDaysAttribute}" />
<property name="validDaysAttribute" value="${ldap.authentication.lppe.validDaysAttribute}" />


And now it seems to work?? Very odd, I have to query non-existent attributes to get it working.

With these 2 lines commented, I get:

DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Checking account status for password...
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Retrieving number of days to password expiration date for user testpm
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Starting search with searchFilter: (sAMAccountName=testpm)
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Returning attributes pwdlastset:
ERROR [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - java.lang.NullPointerException
...
WARN [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No entry was found for user testpm. Verify your LPPE settings. If you are not using LPPE, set the 'enabled' property to false. Password policy enforcement is currently turned on but not configured.
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Skipping all password policy checks...
...

And when they're uncommented, I get:

DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Checking account status for password...
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Retrieving number of days to password expiration date for user testpm
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Starting search with searchFilter: (sAMAccountName=testpm)
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Returning attributes pwdlastset:passwordwarningdays:maxPwdAge:
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No warning days value is found for testpm. Using system default of 30
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - No maximum password valid days found for testpm. Using system default of 90 days
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Recalculated AD pwdlastset attribute to 2012-08-21T13:14:19.000Z
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Retrieved date value 2012-08-21T13:14:19.000Z for date attribute pwdlastset and added 90 days. The final expiration date is 2012-11-19T13:14:19.000Z
DEBUG [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Calculating number of days left to the expiration date for user testpm
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Current date is 2012-08-22T07:17:12.621Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Expiration date is 2012-11-19T13:14:19.000Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Warning period begins on 2012-10-20T13:14:19.000Z
INFO [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Password is not expiring. 89 days left to the warning
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Password for testpm is not expiring
DEBUG [org.jasig.cas.web.flow.PasswordPolicyEnforcementAction] - Switching to flow event id success for user testpm

So it's the expected behavior :-)

Regards.
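The arithmetic the thread is about, as an added worked example in Python (not code from the thread, from CAS or from the LPPE enforcer): convert an Active Directory pwdLastSet FILETIME to a date, fall back to the configured warningDays/validDays defaults when the per-user attributes are absent (what Misagh's reply describes and the second log shows), honour noWarnAttribute/noWarnValues and warnAll, and skip cleanly when the search returns no entry instead of dereferencing an empty attribute set (the NullPointerException case in the first log). The entry, the FILETIME value and the clock are constructed to match the timestamps in the log above; the attribute names maxPwdAge and passwordWarningDays are the ones the log prints; treating an unset pwdLastSet as expired is this example's choice and not something the page states. With the page's numbers the expiry lands 89 days out, which is the day count the log reports, and the warning window opens 59 days out.

```python
"""AD password-expiry arithmetic of the kind LPPE performs on pwdLastSet.

Added example, not CAS code. Sample entry, FILETIME and clock are constructed
to match the log timestamps in the thread.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Mapping, Optional, Sequence

# Ticks (100 ns) from the FILETIME epoch, 1601-01-01, to the Unix epoch, 1970-01-01.
FILETIME_UNIX_OFFSET = 11644473600 * 10**7


def _scalar(value):
    """LDAP libraries return strings or lists of strings; take the first value."""
    if isinstance(value, (list, tuple)):
        return value[0] if value else None
    return value


def _attr(entry: Mapping[str, object], name: str):
    """Case-insensitive lookup: LDAP attribute names are case-insensitive and the
    CAS log prints them lowercased (pwdlastset)."""
    wanted = name.lower()
    for key, val in entry.items():
        if key.lower() == wanted:
            return _scalar(val)
    return None


def _int_or_default(value, default: int) -> int:
    """Per-user override if the attribute is present and numeric, else the default."""
    try:
        return int(value) if value is not None else default
    except (TypeError, ValueError):
        return default


def filetime_to_datetime(value) -> Optional[datetime]:
    """Convert an AD FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime.
    AD stores pwdLastSet = 0 for "must change password at next logon"; that, and a
    missing value, return None."""
    value = _scalar(value)
    if value is None or int(value) <= 0:
        return None
    seconds, rest = divmod(int(value) - FILETIME_UNIX_OFFSET, 10**7)
    return datetime.fromtimestamp(seconds, tz=timezone.utc) + timedelta(microseconds=rest // 10)


@dataclass
class PasswordStatus:
    state: str  # "skipped", "expired", "warning" or "ok"
    expiration: Optional[datetime] = None
    warning_start: Optional[datetime] = None
    days_to_expiration: Optional[int] = None
    days_to_warning: Optional[int] = None


def evaluate_password_policy(
    entry: Optional[Mapping[str, object]],
    now: datetime,
    date_attribute: str = "pwdLastSet",
    valid_days_attribute: str = "maxPwdAge",              # names the log queries;
    warning_days_attribute: str = "passwordWarningDays",  # absent on AD user objects
    default_valid_days: int = 90,
    default_warning_days: int = 30,
    no_warn_attribute: Optional[str] = None,
    no_warn_values: Sequence[str] = (),
    warn_all: bool = False,
) -> PasswordStatus:
    # Failure mode from the thread: the search returned nothing. Skip the checks
    # rather than dereferencing an empty attribute set.
    if entry is None:
        return PasswordStatus("skipped")
    if no_warn_attribute is not None:
        flag = _attr(entry, no_warn_attribute)
        if flag is not None and str(flag) in no_warn_values:
            return PasswordStatus("skipped")
    last_set = filetime_to_datetime(_attr(entry, date_attribute))
    if last_set is None:
        # Unset pwdLastSet treated as "change password now": this example's choice.
        return PasswordStatus("expired", days_to_expiration=0)
    valid_days = _int_or_default(_attr(entry, valid_days_attribute), default_valid_days)
    warning_days = _int_or_default(_attr(entry, warning_days_attribute), default_warning_days)
    expiration = last_set + timedelta(days=valid_days)
    warning_start = expiration - timedelta(days=warning_days)
    if now >= expiration:
        state = "expired"
    elif warn_all or now >= warning_start:
        state = "warning"
    else:
        state = "ok"
    return PasswordStatus(state, expiration, warning_start,
                          (expiration - now).days, (warning_start - now).days)


# Constructed sample: pwdLastSet for 2012-08-21T13:14:19Z (the "recalculated" value in
# the log) and the log's "current date" of 2012-08-22T07:17:12.621Z.
SAMPLE_ENTRY = {"sAMAccountName": "testpm", "pwdLastSet": "129900284590000000"}
SAMPLE_NOW = datetime(2012, 8, 22, 7, 17, 12, 621000, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(filetime_to_datetime(SAMPLE_ENTRY["pwdLastSet"]).isoformat())
    print(evaluate_password_policy(SAMPLE_ENTRY, SAMPLE_NOW))  # ok, 89 days to expiry
    print(evaluate_password_policy(None, SAMPLE_NOW))           # skipped, no exception
```

The no-entry branch is the one to watch operationally: if the search context source or filter for the enforcer differs from the one the bind handler uses, the user authenticates but every policy check is silently skipped, so a "skipped" result is worth logging at WARN rather than DEBUG.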