Versions Compared

Version Old Version 11 New Version 12
Changes made by

Misagh Moayyed

Misagh Moayyed

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

All LPPE functionally is proposed to be contained inside the new package: org/jasig/cas/adaptors/ldap/lppe as much as possible. There may be overlap in some areas, but the effort is concentrated on keeping the changeset in one subpack of the ldap integration module.

Support for

...

TODO

Support for Non-Expiring ActiveDirectory Accounts

...

Code Block
    private enum ActiveDirectoryUserAccountControlFlags {
        UAC_FLAG_ACCOUNT_DISABLED(2),
        UAC_FLAG_LOCKOUT(16),
        UAC_FLAG_PASSWD_NOTREQD(32),
        UAC_FLAG_DONT_EXPIRE_PASSWD(65536),
        UAC_FLAG_PASSWORD_EXPIRED(8388608);
        
        private int value;
        
        ActiveDirectoryUserAccountControlFlags(final int id) { 
            this.value = id; 
        }
        
        public final int getValue() { 
            return this.value; 
        }
    }

Support for Custom WebFlow States

TODO

Internalization of Ldap Error Codes Pre-Authentication

...

  • ActiveDirectoryLdapDateConverter used specifically with ActiveDirectory ldap instances, feature the ability to convert a special AD date value into its equivalent java.util.Date object.

  • SimpleDateFormatLdapDateConverter expects the received date value form LDAP to be consistent with a given DateTimeFormatter's pattern.
  • TimeUnitLdapDateConverter expects the received ldap date value to be defined in milliseconds. It will convert the value to the time unit specified. The final date is initialized from a given date (or epoch).

Reduce Ldap Query Overhead with LdapPasswordPolicyAwareAuthenticationHandler

The current implementation of LPPE is forced to execute a second ldap query to retrieve account state post authentication. In addition to the query overhead, duplicate configuration may need to be applied for both the ldap authN handler and LPPE as well. 

This changeset proposes a specific LdapPasswordPolicyAwareAuthenticationHandler that wraps itself around a given implementation of the AbstractLdapUsernamePasswordAuthenticationHandler class.

The wrap allows LPPE to:

  • Let the inner ldap authN handler to its job which is to execute the authentication query. This will execute one query only as part of which the LPPE authN handler should be able to instruct the inner ldap handler to retrieve additional (custom) attributes necessary for LPPE processing.
  • Allows for a semi-comprehensive construction of a given PasswordPolicyConfiguration which is constructed based on account state and retrieved attributes. 
  • Exposes better control for detecting ldap error definitions before/during authentication as well as examining the account state post authentication, using the constructed PasswordPolicyConfiguration.
Code Block
	<bean id="lppeEnabledLdapAuthenticationHandler" class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordPolicyAwareAuthenticationHandler"> 
		<property name="ldapAuthenticationHandler" ref="bindLdapAuthenticationHandler" />
		
		...
	</bean>

Support for Retrieval of Custom Ldap Authentication Attributes

The LPPE authentication handler relies on the inner ldap authN handler for retrieval of attributes that are needed for LPPE. Support and hooks must be exposes so that LPPE instructs the inner handler, which attributes to retrieve. Such attributes may be:

Code Block
	<bean id="lppeEnabledLdapAuthenticationHandler" class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordPolicyAwareAuthenticationHandler"> 
		...

    	<property name="accountDisabledAttributeName" value="${ldap.authentication.lppe.accountDisabledAttribute}" />
    	<property name="accountLockedAttributeName" value="${ldap.authentication.lppe.accountLockedAttribute}" />
    	<property name="accountPasswordMustChangeAttributeName" value="${ldap.authentication.lppe.accountPasswordMustChangeAttribute}" />
    	
		<property name="passwordExpirationDateAttributeName" value="${ldap.authentication.lppe.dateAttribute}" />
		<property name="passwordWarningNumberOfDaysAttributeName" value="${ldap.authentication.lppe.warningDaysAttribute}" />
		<property name="validPasswordNumberOfDaysAttributeName" value="${ldap.authentication.lppe.validDaysAttribute}" />
		
		<property name="defaultValidPasswordNumberOfDays" value="${ldap.authentication.lppe.validDays}" />
		<property name="defaultPasswordWarningNumberOfDays" value="${ldap.authentication.lppe.warningDays}" />
		<property name="ignorePasswordExpirationWarningAttributeName" value="${ldap.authentication.lppe.noWarnAttribute}" />
		<property name="passwordPolicyUrl" value="${ldap.authentication.lppe.password.url}" />   
	</bean>

Retrieval of custom attributes allows LPPE to detect certain ldap error codes and condition that do not prevent ldap authentication. For instance, in working with OpenLdap a given account may be able to successfully log in even through a flag is set to indicate the account is locked. Defining custom attributes and their evaluation prior to authentication can support this use case. 

Support for Custom WebFlow States

TODO

Component Diagram

TODO

...