[cas-dev] Change request for org.apereo.cas.util.LdapUtils

Pablo Vidaurri

unread,

Jan 7, 2022, 11:30:45 PM1/7/22

to CAS Developer

For this method in LdapUtils, can a property be wrapped around the setAuthenticationControls call? I do not have permission to query for the OID "1.3.6.1.4.1.42.2.27.8.5.1" object that ldaptive request during user credential validation. I had to comment out that line for my deployment but I do not want to have to maintain this file.

private static SimpleBindAuthenticationHandler getBindAuthenticationHandler(final ConnectionFactory factory) {

val handler = new SimpleBindAuthenticationHandler(factory);
// wrap this line around a config property
handler.setAuthenticationControls(new PasswordPolicyControl());

return handler;

}

Thanks.

-psv

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/539d9932-d56c-48d4-92b0-8f518304ee8fn%40apereo.org.

Pablo Vidaurri

unread,

Jan 8, 2022, 5:16:33 PM1/8/22

to CAS Developer, Pablo Vidaurri

To follow up, the error returned by oracle ldap is:

authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resultCode=INSUFFICIENT_ACCESS_RIGHTS, matchedDN=, diagnosticMessage=The request control with Object Identifier (OID) "1.3.6.1.4.1.42.2.27.8.5.1" cannot be used due to insufficient access rights, referralURLs=[], messageID=3, controls=[]]

and all logins fail.

-psv

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/185afe8a-0f6f-4d7e-b40a-f1c7ebbd3f10n%40apereo.org.

Daniel Fisher

unread,

Jan 9, 2022, 10:56:23 AM1/9/22

to CAS Developer, Pablo Vidaurri

On Fri, Jan 7, 2022 at 11:30 PM Pablo Vidaurri <psvid...@gmail.com> wrote:

For this method in LdapUtils, can a property be wrapped around the setAuthenticationControls call? I do not have permission to query for the OID "1.3.6.1.4.1.42.2.27.8.5.1" object that ldaptive request during user credential validation. I had to comment out that line for my deployment but I do not want to have to maintain this file.

I submitted a PR for this: https://github.com/apereo/cas/pull/5338

--Daniel Fisher

--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/CAFC6YwR4JisXFbrrQoD9BiW8yMyh3QyRhnBUv7fEiX-Z-Bc3kA%40mail.gmail.com.

Pablo Vidaurri

unread,

Jun 20, 2023, 12:34:24 PM6/20/23

to CAS Developer, dfisher, Pablo Vidaurri

It looks like this issue has returned with version 6.6.8. I was on 6.3.7 when I reporting the issue, it was resolved shortly after that but I never upgraded. Now upgrading to 6.6.8 and I see issue again.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/0f156bc2-576d-4fb1-814c-58b2b7452d8bn%40apereo.org.

Pablo Vidaurri

unread,

Jun 22, 2023, 10:35:55 AM6/22/23

to CAS Developer, Pablo Vidaurri, dfisher

It looks like handler.setAuthenticationControls(new PasswordPolicyControl());

is now being called from pac4j-config LdaptiveAuthenticatorBuilder class:

private static SimpleBindAuthenticationHandler getPooledBindAuthenticationHandler(final LdapAuthenticationProperties l) {
final var handler = new SimpleBindAuthenticationHandler(newPooledConnectionFactory(l));
handler.setAuthenticationControls(new PasswordPolicyControl());
return handler;
}

Does not look like any option to not set the controls even via ldap.type value.

To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/c58c43b6-4626-4e2a-9a59-449c1e05b39cn%40apereo.org.