LPPE: Incorrect handling of "password never expires" active directory flag

Description

Before putting my CAS server into production, I tested LPPE with an account which has "Password never expires": access is refused! From my server log:

2012-08-24 15:07:57,903 ERROR [org.jasig.cas.adaptors.ldap.LdapPasswordPolicyEnforcer] - Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z :Authentication failed because account password has expired with -831 to expiration date. Verify the value of the pwdlastset attribute and make sure it's not before the current date, which is 2012-08-24T13:07:57.890Z

Actually, an attribute can be compared to 2^63-1, but according to this TechNet article [1], we only need to fetch the userAccountControl AD attribute and check whether the never-expires bit (2^16) is set.

[1] http://technet.microsoft.com/en-us/library/ee198831.aspx
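The check described in the report, written out as an added example (this is not CAS code and not the reporter's, and it is not how LdapPasswordPolicyEnforcer is implemented): it tests the 0x10000 (2^16) bit of userAccountControl before looking at pwdLastSet at all, treats pwdLastSet == 0 as "must change at next logon", guards against the 2^63-1 "never" sentinel instead of turning it into a date, and otherwise converts the FILETIME to a UTC date and counts the days left. The attribute values are assumed to arrive as the decimal strings an LDAP client returns, maxPwdAge is assumed to have been converted to days by the caller, and the sample accounts and the "now" timestamp (taken from the logged line) are constructed for the demo.

```python
from datetime import datetime, timedelta, timezone

# userAccountControl bit for "Password never expires": 0x10000 == 2**16 == 65536
# (ADS_UF_DONT_EXPIRE_PASSWD in the TechNet article cited above).
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000

# pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Largest signed 64-bit value. AD uses it in interval attributes such as
# accountExpires to mean "never"; it is guarded against here defensively.
INT64_MAX = 2**63 - 1

# LDAP_MATCHING_RULE_BIT_AND: lets a filter test a single bit of userAccountControl.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def utc(year, month, day, hour=0, minute=0, second=0):
    """Small helper so callers can build aware UTC datetimes without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (int or its decimal string form) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(filetime) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def never_expires_filter():
    """LDAP filter matching every account whose never-expires bit is set (bitwise-AND rule)."""
    return "(userAccountControl:%s:=%d)" % (LDAP_MATCHING_RULE_BIT_AND, ADS_UF_DONT_EXPIRE_PASSWD)


def password_expiry(user_account_control, pwd_last_set, max_pwd_age_days, now):
    """
    Classify an AD account's password state.

    Returns (status, days_left) with status one of "never", "must_change",
    "ok", "expired"; days_left is None for "never" and may be negative for
    "expired".  max_pwd_age_days is the domain maxPwdAge in days (assumed
    to be supplied by the caller).
    """
    uac = int(user_account_control)
    pls = int(pwd_last_set)

    # 1. The flag wins no matter how old the password is. This is the check the
    #    report asks for: comparing pwdLastSet alone can never detect it.
    if uac & ADS_UF_DONT_EXPIRE_PASSWD:
        return ("never", None)

    # 2. pwdLastSet == 0 means "user must change password at next logon".
    if pls == 0:
        return ("must_change", 0)

    # 3. Defensive guard: a "never" sentinel would otherwise yield a date in
    #    the year 30828 (or an overflow) and a meaningless day count.
    if pls >= INT64_MAX:
        return ("never", None)

    expires_at = filetime_to_datetime(pls) + timedelta(days=max_pwd_age_days)
    days_left = (expires_at - now) // timedelta(days=1)  # floor; negative once expired
    return ("expired" if days_left < 0 else "ok", days_left)


if __name__ == "__main__":
    # Constructed sample accounts (not from the reporter's directory);
    # "now" is the timestamp in the logged error line.
    now = utc(2012, 8, 24, 13, 7, 57)
    samples = {
        "svc_backup (never expires)": ("66048", str(datetime_to_filetime(utc(2009, 1, 1)))),
        "alice (recent password)":    ("512", str(datetime_to_filetime(utc(2012, 8, 1)))),
        "bob (stale password)":       ("512", str(datetime_to_filetime(utc(2010, 1, 1)))),
        "carol (must change)":        ("512", "0"),
    }
    for name, (uac, pls) in samples.items():
        print(name, password_expiry(uac, pls, 42, now))
    print("Search filter for never-expiring accounts:", never_expires_filter())
```

66048 is 0x10200, i.e. NORMAL_ACCOUNT (0x200) with DONT_EXPIRE_PASSWD (0x10000) set; 512 is a plain NORMAL_ACCOUNT. The filter returned by never_expires_filter() is the server-side way to list every such account in one query, which is useful for auditing before rolling a password-policy enforcer out.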

Environment

Tomcat 7.0.29 / Java 1.6.0_34 on debian squeeze 32 bits

Status

Assignee

Misagh Moayyed

Reporter

Philippe Marasse

Labels

None

Estimated End Date

None

Audience

None

Components

Fix versions

Affects versions

3.5.0

Priority

Minor