[cas-dev] Change request for org.apereo.cas.util.LdapUtils


Pablo Vidaurri

Jan 7, 2022, 11:30:45 PM
to CAS Developer
For this method in LdapUtils, can a property be wrapped around the setAuthenticationControls call? I do not have permission to query for the OID "1.3.6.1.4.1.42.2.27.8.5.1" object that ldaptive requests during user credential validation. I had to comment out that line for my deployment but I do not want to have to maintain this file.



    private static SimpleBindAuthenticationHandler getBindAuthenticationHandler(final ConnectionFactory factory) {
        val handler = new SimpleBindAuthenticationHandler(factory);

        // wrap this line around a config property
        handler.setAuthenticationControls(new PasswordPolicyControl());

        return handler;
    }



Thanks.
-psv


--
You received this message because you are subscribed to the Google Groups "CAS Developer" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-dev+u...@apereo.org.
To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-dev/539d9932-d56c-48d4-92b0-8f518304ee8fn%40apereo.org.

Pablo Vidaurri

Jan 8, 2022, 5:16:33 PM
to CAS Developer, Pablo Vidaurri
To follow up, the error returned by Oracle LDAP is:

authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resultCode=INSUFFICIENT_ACCESS_RIGHTS, matchedDN=, diagnosticMessage=The request control with Object Identifier (OID) "1.3.6.1.4.1.42.2.27.8.5.1" cannot be used due to insufficient access rights, referralURLs=[], messageID=3, controls=[]]

and all logins fail. 

-psv
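
A log-triage sketch for the failure reported above, added here as an example and not part of the thread or of CAS or ldaptive: it parses response strings in the format shown in the message and separates a rejected request control from an ordinary credential failure. The function names and the second sample line are constructed for illustration.

```python
import re
from collections import Counter

# OID from the error quoted in the thread: the LDAP password policy request
# control, which ldaptive's PasswordPolicyControl attaches to the bind.
KNOWN_CONTROLS = {"1.3.6.1.4.1.42.2.27.8.5.1": "password policy request control"}
# A value runs to the next ", key=" or end of line, so empty values survive.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")
OID_RE = re.compile(r'\(OID\) "([0-9.]+)"')

# Response text copied from the thread (it starts mid-record there).
THREAD_LINE = (
    'authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, '
    'resultCode=INSUFFICIENT_ACCESS_RIGHTS, matchedDN=, '
    'diagnosticMessage=The request control with Object Identifier (OID) '
    '"1.3.6.1.4.1.42.2.27.8.5.1" cannot be used due to insufficient access rights, '
    'referralURLs=[], messageID=3, controls=[]]'
)
# Constructed sample of an ordinary wrong-password failure, for contrast.
BAD_CREDS_LINE = (
    'authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, '
    'resultCode=INVALID_CREDENTIALS, matchedDN=, diagnosticMessage=, '
    'referralURLs=[], messageID=2, controls=[]]'
)


def parse_response(line):
    """Split a 'key=value, key=value' response string into a dict."""
    return dict(FIELD_RE.findall(line.strip()))


def classify(line):
    """Return (category, detail) for one authentication response line."""
    f = parse_response(line)
    result = f.get("resultCode", "")
    oid = OID_RE.search(f.get("diagnosticMessage", ""))
    if result == "INSUFFICIENT_ACCESS_RIGHTS" and oid:
        name = KNOWN_CONTROLS.get(oid.group(1), "unrecognised control")
        return "control-rejected", f"{oid.group(1)} ({name})"
    if result == "INVALID_CREDENTIALS":
        return "bad-credentials", ""
    return ("ok", "") if result == "SUCCESS" else ("other", result)


def summarize(lines):
    """Count categories; systemic is True when every failure is a rejected control."""
    counts = Counter(classify(line)[0] for line in lines)
    failures = sum(counts.values()) - counts["ok"]
    return counts, failures > 0 and counts["control-rejected"] == failures
```

A systemic result points at directory access rights or handler configuration rather than at individual users' passwords, which matches the "all logins fail" symptom.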

Daniel Fisher

Jan 9, 2022, 10:56:23 AM
to CAS Developer, Pablo Vidaurri
On Fri, Jan 7, 2022 at 11:30 PM Pablo Vidaurri <psvid...@gmail.com> wrote:
For this method in LdapUtils, can a property be wrapped around the setAuthenticationControls call? I do not have permission to query for the OID "1.3.6.1.4.1.42.2.27.8.5.1" object that ldaptive requests during user credential validation. I had to comment out that line for my deployment but I do not want to have to maintain this file.


I submitted a PR for this: https://github.com/apereo/cas/pull/5338

--Daniel Fisher

Pablo Vidaurri

Jun 20, 2023, 12:34:24 PM
to CAS Developer, dfisher, Pablo Vidaurri
It looks like this issue has returned with version 6.6.8. I was on 6.3.7 when I reported the issue; it was resolved shortly after that, but I never upgraded. Now upgrading to 6.6.8 and I see the issue again.

Pablo Vidaurri

Jun 22, 2023, 10:35:55 AM
to CAS Developer, Pablo Vidaurri, dfisher
It looks like handler.setAuthenticationControls(new PasswordPolicyControl());
is now being called from the pac4j-config LdaptiveAuthenticatorBuilder class:

    private static SimpleBindAuthenticationHandler getPooledBindAuthenticationHandler(final LdapAuthenticationProperties l) {
        final var handler = new SimpleBindAuthenticationHandler(newPooledConnectionFactory(l));
        handler.setAuthenticationControls(new PasswordPolicyControl());
        return handler;
    }

It does not look like there is any option to not set the controls, even via the ldap.type value.

Daniel Fisher

Jun 22, 2023, 11:34:40 PM
to Pablo Vidaurri, CAS Developer
I’ll get a PR together for pac4j, but it won’t happen until next week.

—Daniel Fisher

On Thu, Jun 22, 2023 at 10:59 PM Pablo Vidaurri <psvid...@gmail.com> wrote:
I ended up commenting out the setControls method from ldaptive's AuthenticationRequest.java source via an overlay.

Pablo Vidaurri

Jun 22, 2023, 11:34:48 PM
to CAS Developer, Pablo Vidaurri, dfisher
I ended up commenting out the setControls method from ldaptive's AuthenticationRequest.java source via an overlay.