CAS Server / CAS-1392

Support standardized Password Policy Control

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 3.5.2, 4.0 RC1, 4.0 RC2
    • Fix Version/s: 4.0
    • Component/s: LDAP, LPPE
    • Labels: None
    • Environment: IBM i V7R1

      Description

      CAS LPPE currently examines OpenLDAP or AD attributes to determine when the password expires.

      Unfortunately, the IBM Tivoli Directory Server I'm using doesn't support these attributes.
      It does however support the proposed LDAP Password Policy standard, see:
      http://tools.ietf.org/html/draft-behera-ldap-password-policy-10

      I propose creating an LdapPasswordPolicyExaminer (for CAS 4) that examines the passwordPolicyRequest control response to determine account state.

      Support for this control type is already in the spring-security-ldap library.

      The ContextSource and/or LdapPasswordPolicyAwareAuthenticationHandler will need to be modified too to send the control request and to store the control response so the examiner can access it.

      AFAIK both OpenLDAP and AD support this method too, so I would even recommend making this the default LPPE implementation.

            People

            • Assignee: Misagh Moayyed (mmoayyed)
            • Reporter: Menno Avegaart (condor70)