...

This document highlights and explains the architectural changes proposed for the LPPE (LDAP password policy enforcement) component in the upcoming CAS 4 release. In addition to various bug and security fixes, the following goals and improvements are planned: 

Change in Package Structure

All LPPE functionality is proposed to live inside the new package org/jasig/cas/adaptors/ldap/lppe as far as possible. There may be overlap in some areas, but the effort is concentrated on keeping the changeset in one subpackage of the LDAP integration module.

Support for Retrieval of Custom Ldap Authentication Attributes

TODO

Support for Non-Expiring ActiveDirectory Accounts

...

Code Block
<property name="ldapErrorDefinitions">
    <list>
       <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountDisabledLdapErrorDefinition" />
       <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountLockedLdapErrorDefinition" />
       <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginHoursLdapErrorDefinition" />
       <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginWorkstationLdapErrorDefinition" />
       <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountMustChangePasswordLdapErrorDefinition" />
       <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountPasswordExpiredLdapErrorDefinition" />
    </list>
</property>

LDAP error definitions are optional. When the bind fails and no definition matches the error returned by the directory, authentication is denied and the underlying exception is propagated. Deployers may therefore pick only the definitions that are relevant to their environment and configuration. 

Note

These error codes describe conditions under which the bind itself fails, so matching them can only deny authentication. Examining a successfully authenticated LDAP account for state, password expiration and other conditions must happen AFTER authentication, once the credential has been established and constructed. 

This approach is fully extensible and exposes hooks for other implementations of LdapErrorDefinition, should a use case arise. The changeset is made possible by the support for retrieving custom attributes. 
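To make the bind-failure mapping concrete, the following is an added example (not CAS code, and not the real LdapErrorDefinition interface, whose shape is not shown on this page). It assumes a minimal hypothetical definition interface and matches the Active Directory sub-codes that the six beans above correspond to: AD reports the reason for a failed bind as "data NNN" inside the diagnostic message of LDAP result 49, with 533 = account disabled, 775 = locked out, 530 = outside logon hours, 531 = wrong workstation, 773 = must change password, 532 = password expired. Anything unmatched is left as a generic failure, which is the "authentication is denied" case described above.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

/*
 * Added example, not CAS code. ErrorDefinition is a hypothetical minimal
 * shape assumed for this example; the AD "data" sub-codes are documented
 * Active Directory values.
 */
public class LdapBindErrorClassifier {

    /** Hypothetical interface shape, assumed for this example. */
    public interface ErrorDefinition {
        boolean matches(String diagnosticMessage);
        String name();
    }

    /**
     * Matches an AD bind diagnostic such as
     * "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v1db1"
     * on its "data NNN" sub-code. The trailing \b keeps "53" from matching "533".
     */
    static final class AdDataCodeDefinition implements ErrorDefinition {
        private final String name;
        private final Pattern pattern;

        AdDataCodeDefinition(String name, String dataCode) {
            this.name = name;
            this.pattern = Pattern.compile("\\bdata\\s+" + dataCode + "\\b", Pattern.CASE_INSENSITIVE);
        }
        public boolean matches(String msg) { return msg != null && pattern.matcher(msg).find(); }
        public String name() { return name; }
    }

    /** One definition per bean in the configuration above, keyed on the AD sub-code. */
    static final List<ErrorDefinition> DEFINITIONS = List.of(
        new AdDataCodeDefinition("AccountDisabled", "533"),
        new AdDataCodeDefinition("AccountLocked", "775"),
        new AdDataCodeDefinition("InvalidLoginHours", "530"),
        new AdDataCodeDefinition("InvalidLoginWorkstation", "531"),
        new AdDataCodeDefinition("AccountMustChangePassword", "773"),
        new AdDataCodeDefinition("AccountPasswordExpired", "532"));

    /** Returns the first matching definition, or empty when none matches (generic failure). */
    public static Optional<ErrorDefinition> classify(String diagnosticMessage) {
        return DEFINITIONS.stream().filter(d -> d.matches(diagnosticMessage)).findFirst();
    }

    public static void main(String[] args) {
        // Constructed sample diagnostic messages in AD's format (not captured from a real directory).
        String[] samples = {
            "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 533, v1db1",
            "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v1db1",
            "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 52e, v1db1"
        };
        for (String s : samples) {
            String outcome = classify(s)
                .map(d -> "bind failed: " + d.name())
                .orElse("bind failed: invalid credentials (no definition matched, generic denial)");
            System.out.println(outcome);
        }
    }
}
```

Whatever a matched definition maps to is ultimately shown to the user, so each distinct message is also an oracle about account state to anyone who can submit a login attempt. Keep the unmatched case generic, and only enable the definitions whose disclosure your environment is comfortable with.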

Support for Account Examiners Post-Authentication

...

To detect and calculate the account expiration warning, the account state needs to be examined after a successful authentication. Based on the LPPE configuration, the account state is examined through retrieval of custom attributes, and appropriate prompts and alterations to the login flow may follow. 

This changeset proposes an extensible API for examining account state post-authentication. By default the implementation exposes an instance of LdapPasswordExpirationPolicyExaminer that calculates the password expiration warning. Other implementations that need to evaluate the account from other aspects may also be provided.

Code Block
<property name="ldapPasswordPolicyExaminers">
	<list>
		<bean class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordExpirationPolicyExaminer">
			<property name="ignorePasswordExpirationWarningFlags" value="${ldap.authentication.lppe.noWarnValues}" />
			<property name="alwaysDisplayPasswordExpirationWarning" value="${ldap.authentication.lppe.warnAll}" />
			<property name="ldapDateConverter">
				<bean class="org.jasig.cas.adaptors.ldap.lppe.ActiveDirectoryLdapDateConverter" />
			</property> 
		</bean>
	</list>
</property>

This approach is fully extensible and exposes hooks for other implementations of LdapPasswordPolicyExaminer, should a use case arise. The changeset is made possible by the support for retrieving custom attributes. 
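The following is an added example (not CAS code) of what an examiner configured like the bean above has to compute for Active Directory, including the date conversion that ActiveDirectoryLdapDateConverter stands for. The names AccountAttributes, ExpirationWarning, examine and fromFileTime are hypothetical; the attribute semantics are documented AD behaviour: pwdLastSet is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC, 0 meaning "must change at next logon"), maxPwdAge on the domain object is a negative tick count (Long.MIN_VALUE meaning never), and userAccountControl bit 0x10000 (DONT_EXPIRE_PASSWORD) is the kind of flag the ignorePasswordExpirationWarningFlags property suppresses a warning for.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Optional;

/*
 * Added example, not CAS code. Names are hypothetical; AD attribute semantics
 * (FILETIME epoch, negative maxPwdAge, DONT_EXPIRE_PASSWORD bit) are documented
 * Active Directory behaviour.
 */
public class PasswordExpirationExaminerExample {

    /** Seconds between the Windows FILETIME epoch (1601-01-01) and the Unix epoch. */
    private static final long FILETIME_EPOCH_OFFSET_SECONDS = 11_644_473_600L;
    private static final long TICKS_PER_SECOND = 10_000_000L;
    /** userAccountControl bit DONT_EXPIRE_PASSWORD. */
    static final int UF_DONT_EXPIRE_PASSWD = 0x10000;

    /** FILETIME ticks to Instant, without multiplying the tick count (which would overflow a long). */
    static Instant fromFileTime(long fileTime) {
        long seconds = fileTime / TICKS_PER_SECOND;
        long nanos = (fileTime % TICKS_PER_SECOND) * 100L;
        return Instant.ofEpochSecond(seconds - FILETIME_EPOCH_OFFSET_SECONDS, nanos);
    }

    /** Instant to FILETIME ticks (used here only to build constructed sample data). */
    static long toFileTime(Instant instant) {
        return (instant.getEpochSecond() + FILETIME_EPOCH_OFFSET_SECONDS) * TICKS_PER_SECOND
             + instant.getNano() / 100L;
    }

    /** Hypothetical holder for the custom attributes retrieved after a successful bind. */
    record AccountAttributes(long pwdLastSet, long maxPwdAge, int userAccountControl) {}

    /** Result of the examination; empty Optional means "no warning, continue the flow". */
    record ExpirationWarning(Instant expiresAt, long daysLeft, boolean mustChangeNow) {}

    static Optional<ExpirationWarning> examine(AccountAttributes a, Instant now,
                                               int warningDays, boolean alwaysDisplay) {
        // pwdLastSet == 0: the directory requires a change at next logon.
        if (a.pwdLastSet() == 0) {
            return Optional.of(new ExpirationWarning(now, 0, true));
        }
        // Non-expiring accounts: the flag the "noWarnValues" property is meant to cover.
        if ((a.userAccountControl() & UF_DONT_EXPIRE_PASSWD) != 0) {
            return Optional.empty();
        }
        // Domain policy with no maximum age; check before doing arithmetic on Long.MIN_VALUE.
        if (a.maxPwdAge() == 0 || a.maxPwdAge() == Long.MIN_VALUE) {
            return Optional.empty();
        }
        // maxPwdAge is negative, so subtracting it adds the policy duration.
        Instant expiresAt = fromFileTime(a.pwdLastSet() - a.maxPwdAge());
        long daysLeft = ChronoUnit.DAYS.between(now, expiresAt);
        if (alwaysDisplay || daysLeft <= warningDays) {
            return Optional.of(new ExpirationWarning(expiresAt, daysLeft, daysLeft < 0));
        }
        return Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed sample: 90-day policy, password last set 2024-03-15, evaluated on 2024-06-01.
        Instant now = Instant.parse("2024-06-01T00:00:00Z");
        long ninetyDays = -90L * 86_400L * TICKS_PER_SECOND;           // -77,760,000,000,000 ticks
        long lastSet = toFileTime(Instant.parse("2024-03-15T00:00:00Z"));

        AccountAttributes normal = new AccountAttributes(lastSet, ninetyDays, 0x200);      // NORMAL_ACCOUNT
        AccountAttributes nonExpiring = new AccountAttributes(lastSet, ninetyDays, 0x200 | UF_DONT_EXPIRE_PASSWD);
        AccountAttributes mustChange = new AccountAttributes(0L, ninetyDays, 0x200);

        System.out.println(examine(normal, now, 14, false));      // warning: expires 2024-06-13, 12 days left
        System.out.println(examine(normal, now, 7, false));       // empty: outside the warning window
        System.out.println(examine(normal, now, 7, true));        // warning: alwaysDisplay forces it
        System.out.println(examine(nonExpiring, now, 14, false)); // empty: DONT_EXPIRE_PASSWORD
        System.out.println(examine(mustChange, now, 14, false));  // warning with mustChangeNow = true
    }
}
```

The examiner only runs after the bind succeeded, so the daysLeft < 0 branch is defensive: an actually expired password is normally rejected at bind time by the AccountPasswordExpiredLdapErrorDefinition case above. A fine-grained password policy (PSO) overrides the domain maxPwdAge for its members, so in such domains the effective maximum age should be read from msDS-ResultantPSO or msDS-UserPasswordExpiryTimeComputed rather than the domain object.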

Component Diagram

TODO

Flow Diagram

...