...
- Let the inner LDAP authN handler do its job, which is to execute the authentication query. Only one query is executed; as part of it, the LPPE authN handler should be able to instruct the inner LDAP handler to retrieve the additional (custom) attributes that LPPE processing needs.
- Allows for a semi-comprehensive construction of a given PasswordPolicyConfiguration, built from the account state and the retrieved attributes.
- Exposes better control for detecting LDAP error definitions before/during authentication, as well as for examining the account state after authentication, using the constructed PasswordPolicyConfiguration.
```xml
<bean id="lppeEnabledLdapAuthenticationHandler"
      class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordPolicyAwareAuthenticationHandler">
    <property name="ldapAuthenticationHandler" ref="bindLdapAuthenticationHandler" />
    ...
</bean>
```
Support for Retrieval of Custom Ldap Authentication Attributes
The LPPE authentication handler relies on the inner LDAP authN handler to retrieve the attributes that LPPE needs. Support and hooks must be exposed so that LPPE can instruct the inner handler which attributes to retrieve. Such attributes may be:
```xml
<bean id="lppeEnabledLdapAuthenticationHandler"
      class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordPolicyAwareAuthenticationHandler">
    ...
    <property name="accountDisabledAttributeName" value="${ldap.authentication.lppe.accountDisabledAttribute}" />
    <property name="accountLockedAttributeName" value="${ldap.authentication.lppe.accountLockedAttribute}" />
    <property name="accountPasswordMustChangeAttributeName" value="${ldap.authentication.lppe.accountPasswordMustChangeAttribute}" />
    <property name="passwordExpirationDateAttributeName" value="${ldap.authentication.lppe.dateAttribute}" />
    <property name="passwordWarningNumberOfDaysAttributeName" value="${ldap.authentication.lppe.warningDaysAttribute}" />
    <property name="validPasswordNumberOfDaysAttributeName" value="${ldap.authentication.lppe.validDaysAttribute}" />
    <property name="defaultValidPasswordNumberOfDays" value="${ldap.authentication.lppe.validDays}" />
    <property name="defaultPasswordWarningNumberOfDays" value="${ldap.authentication.lppe.warningDays}" />
    <property name="ignorePasswordExpirationWarningAttributeName" value="${ldap.authentication.lppe.noWarnAttribute}" />
    <property name="passwordPolicyUrl" value="${ldap.authentication.lppe.password.url}" />
</bean>
```
Retrieval of custom attributes allows LPPE to detect certain LDAP error codes and conditions that do not by themselves prevent LDAP authentication. For instance, with OpenLDAP a given account may be able to log in successfully even though a flag is set to indicate that the account is locked. Defining custom attributes and evaluating them prior to authentication supports this use case.
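The following is an added illustration of the evaluation described on this page (the handler builds a PasswordPolicyConfiguration from the attribute names it asked the inner handler to retrieve, then checks account state such as disabled/locked/must-change flags and password age independently of whether the bind succeeded). It is not CAS code; the attribute names (`accountDisabled`, `pwdChangedTime`, `pwdMaxAge` and so on), the sample directory entry and the model "expiration = password date attribute + valid days" are assumptions made for the example, chosen to mirror the bean properties above.

```python
"""Added example: evaluate LPPE-style account state from attributes the inner
LDAP handler returned alongside the bind. Not the CAS implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed entry, as the inner handler might hand it back after the single
# bind + attribute lookup. OpenLDAP case from the page: the bind succeeds even
# though the locked flag is set, so the flag must be evaluated explicitly.
SAMPLE_ENTRY = {
    "accountDisabled": "FALSE",
    "accountLocked": "TRUE",
    "pwdChangedTime": "20240101000000Z",
}


@dataclass
class PasswordPolicyConfiguration:
    """Attribute names LPPE asks the inner handler to retrieve, plus defaults.
    Names are placeholders that mirror the bean properties on the page."""
    account_disabled_attr: str = "accountDisabled"
    account_locked_attr: str = "accountLocked"
    must_change_attr: str = "pwdReset"
    password_date_attr: str = "pwdChangedTime"     # assumed: date password was set
    valid_days_attr: str = "pwdMaxAge"
    warning_days_attr: str = "pwdWarnDays"
    no_warn_attr: str = "pwdNoWarn"
    default_valid_days: int = 90
    default_warning_days: int = 14
    password_policy_url: str = "https://example.invalid/password"  # placeholder


@dataclass
class PolicyResult:
    # one of: ok, warn, disabled, locked, must_change, expired
    status: str
    days_remaining: Optional[int] = None


def _flag(entry: dict, name: str) -> bool:
    """Interpret an LDAP boolean-ish attribute; absent means False."""
    return str(entry.get(name, "FALSE")).strip().upper() in ("TRUE", "1", "YES")


def _int_attr(entry: dict, name: str, default: int) -> int:
    value = entry.get(name)
    return int(value) if value is not None else default


def evaluate(entry: dict, cfg: PasswordPolicyConfiguration, now: datetime) -> PolicyResult:
    """Account-state checks that a successful bind does not perform for us."""
    if _flag(entry, cfg.account_disabled_attr):
        return PolicyResult("disabled")
    if _flag(entry, cfg.account_locked_attr):
        return PolicyResult("locked")
    if _flag(entry, cfg.must_change_attr):
        return PolicyResult("must_change")

    raw_date = entry.get(cfg.password_date_attr)
    if raw_date is None:
        # No expiry information retrieved: nothing further to enforce here.
        return PolicyResult("ok")

    # Generalized time format, e.g. 20240101000000Z
    changed = datetime.strptime(raw_date, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    valid_days = _int_attr(entry, cfg.valid_days_attr, cfg.default_valid_days)
    warn_days = _int_attr(entry, cfg.warning_days_attr, cfg.default_warning_days)
    remaining = (changed + timedelta(days=valid_days) - now).days

    if remaining < 0:
        return PolicyResult("expired", remaining)
    if remaining <= warn_days and not _flag(entry, cfg.no_warn_attr):
        return PolicyResult("warn", remaining)
    return PolicyResult("ok", remaining)


def evaluate_sample() -> PolicyResult:
    """Run the constructed entry through the default configuration."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)
    return evaluate(SAMPLE_ENTRY, PasswordPolicyConfiguration(), now)


if __name__ == "__main__":
    print(evaluate_sample())
```

The point of the ordering is that the flag checks run before any expiry arithmetic and regardless of the bind outcome, which is exactly what a directory that allows a locked account to bind requires; the per-entry `pwdMaxAge`/`pwdWarnDays` values override the configured defaults only when the inner handler actually returned them.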
...