Warning: This document is a work in progress and may not accurately reflect the full set of changes that are implemented in the CAS 4 release. Tread lightly! Upon the CAS 4 release, this page should be updated to reflect the correct LPPE settings.
The purpose of the LPPE module is to detect a number of scenarios that would otherwise prevent user authentication, specifically when an LDAP instance is used as the primary source of user accounts. To understand the general overview and intent of the LPPE functionality, please review this page.
Info: Coming up in CAS 4, the LDAP integration in CAS that is currently provided by Spring is being reworked and replaced by ldaptive. Some of the design ideas and efforts described throughout this document will be provided by the new framework and, as such, may not need explicit implementation and support directly in CAS.

This document serves to highlight and explain the architectural changes that are proposed for the upcoming CAS 4 release. In addition to various bug and security fixes, the following goals and improvements are planned:
...
```xml
<property name="ldapErrorDefinitions">
  <list>
    <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountDisabledLdapErrorDefinitionActiveDirectoryAccountDisabledLdapErrorDefinition" />
    <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountLockedLdapErrorDefinitionActiveDirectoryAccountLockedLdapErrorDefinition" />
    <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginHoursLdapErrorDefinitionActiveDirectoryInvalidLoginHoursLdapErrorDefinition" />
    <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginWorkstationLdapErrorDefinitionActiveDirectoryInvalidLoginWorkstationLdapErrorDefinition" />
    <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountMustChangePasswordLdapErrorDefinitionActiveDirectoryAccountMustChangePasswordLdapErrorDefinition" />
    <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountPasswordExpiredLdapErrorDefinitionActiveDirectoryAccountPasswordExpiredLdapErrorDefinition" />
  </list>
</property>
```
LDAP error definitions are optional. If no matching definition is found, authentication is prevented and the appropriate exception is thrown back. As such, deployers may choose to pick only the definitions that are relevant to their environment and configuration.
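The following is an added example, not CAS code, that models the behaviour just described: an ordered list of error definitions is consulted after a failed bind, the first match resolves the failure to a specific account state, and when nothing matches the generic failed-login exception stands. The class and method names are hypothetical, and the Active Directory "data NNN" sub-codes used to build the sample definitions are the commonly documented ones rather than values taken from this page.

```java
import java.util.List;
import java.util.Optional;
import java.util.regex.Pattern;

/*
 * Added example, not CAS code. Models an ordered chain of LDAP error
 * definitions evaluated against the bind diagnostic message. Class, method
 * and field names are hypothetical; the AD sub-codes are the commonly
 * documented ones, not taken from the page.
 */
public class LdapErrorDefinitionDemo {

    /** Account states an error definition can resolve a bind failure to. */
    enum AccountState {
        DISABLED, LOCKED, INVALID_LOGIN_HOURS, INVALID_WORKSTATION, MUST_CHANGE_PASSWORD, PASSWORD_EXPIRED
    }

    /** One definition: a pattern applied to the server's diagnostic message. */
    record LdapErrorDefinition(Pattern pattern, AccountState state) {
        static LdapErrorDefinition forActiveDirectoryCode(String code, AccountState state) {
            // Active Directory embeds the sub-code as "data NNN" in the bind diagnostic text.
            return new LdapErrorDefinition(Pattern.compile("\\bdata " + code + "\\b"), state);
        }
    }

    /** Definitions a deployer might pick for Active Directory; any subset is valid. */
    static final List<LdapErrorDefinition> ACTIVE_DIRECTORY_DEFINITIONS = List.of(
        LdapErrorDefinition.forActiveDirectoryCode("533", AccountState.DISABLED),
        LdapErrorDefinition.forActiveDirectoryCode("775", AccountState.LOCKED),
        LdapErrorDefinition.forActiveDirectoryCode("530", AccountState.INVALID_LOGIN_HOURS),
        LdapErrorDefinition.forActiveDirectoryCode("531", AccountState.INVALID_WORKSTATION),
        LdapErrorDefinition.forActiveDirectoryCode("773", AccountState.MUST_CHANGE_PASSWORD),
        LdapErrorDefinition.forActiveDirectoryCode("532", AccountState.PASSWORD_EXPIRED));

    /** First matching definition wins; an empty result means no definition applies. */
    static Optional<AccountState> examine(String serverMessage, List<LdapErrorDefinition> definitions) {
        if (serverMessage == null) return Optional.empty();
        return definitions.stream()
            .filter(d -> d.pattern().matcher(serverMessage).find())
            .map(LdapErrorDefinition::state)
            .findFirst();
    }

    /** Raised when a definition resolves the failure to a known account state. */
    static class AccountStateException extends Exception {
        final AccountState state;
        AccountStateException(AccountState state) {
            super("Account state: " + state);
            this.state = state;
        }
    }

    /** Raised for every bind failure that no configured definition explains. */
    static class FailedLoginException extends Exception {
        FailedLoginException() { super("Invalid credentials"); }
    }

    static void handleBindFailure(String serverMessage) throws AccountStateException, FailedLoginException {
        Optional<AccountState> state = examine(serverMessage, ACTIVE_DIRECTORY_DEFINITIONS);
        if (state.isPresent()) throw new AccountStateException(state.get());
        throw new FailedLoginException();
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape Active Directory returns for a failed bind.
        String disabled = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 533, v1db1";
        String badPassword = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1";
        for (String msg : List.of(disabled, badPassword)) {
            try {
                handleBindFailure(msg);
            } catch (AccountStateException e) {
                System.out.println("definition matched: " + e.state);
            } catch (FailedLoginException e) {
                System.out.println("no definition matched: " + e.getMessage());
            }
        }
    }
}
```

The first sample message resolves to the disabled-account state; the second (a plain wrong password) falls through to the generic exception. Two points follow from the structure: the list is evaluated in order, so a broad pattern placed early would shadow a more specific one later, and the fall-through keeps ordinary credential failures indistinguishable from unknown accounts, which is why a deployer should only add definitions for states the login page is meant to reveal.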
...
```xml
<bean id="lppeEnabledLdapAuthenticationHandler"
      class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordPolicyAwareAuthenticationHandler">
  <property name="ldapAuthenticationHandler" ref="bindLdapAuthenticationHandler" />
  <property name="ldapErrorDefinitions">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountDisabledLdapErrorDefinitionActiveDirectoryAccountDisabledLdapErrorDefinition" />
      <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountLockedLdapErrorDefinitionActiveDirectoryAccountLockedLdapErrorDefinition" />
      <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginHoursLdapErrorDefinitionActiveDirectoryInvalidLoginHoursLdapErrorDefinition" />
      <bean class="org.jasig.cas.adaptors.ldap.lppe.InvalidLoginWorkstationLdapErrorDefinitionActiveDirectoryInvalidLoginWorkstationLdapErrorDefinition" />
      <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountMustChangePasswordLdapErrorDefinitionActiveDirectoryAccountMustChangePasswordLdapErrorDefinition" />
      <bean class="org.jasig.cas.adaptors.ldap.lppe.AccountPasswordExpiredLdapErrorDefinitionActiveDirectoryAccountPasswordExpiredLdapErrorDefinition" />
    </list>
  </property>
  <property name="ldapPasswordPolicyExaminers">
    <list>
      <bean class="org.jasig.cas.adaptors.ldap.lppe.LdapPasswordExpirationPolicyExaminer">
        <property name="ignorePasswordExpirationWarningFlags" value="${ldap.authentication.lppe.noWarnValues}" />
        <property name="alwaysDisplayPasswordExpirationWarning" value="${ldap.authentication.lppe.warnAll}" />
        <property name="ldapDateConverter">
          <bean class="org.jasig.cas.adaptors.ldap.lppe.ActiveDirectoryLdapDateConverter" />
        </property>
      </bean>
    </list>
  </property>
  <property name="accountDisabledAttributeName" value="${ldap.authentication.lppe.accountDisabledAttribute}" />
  <property name="accountLockedAttributeName" value="${ldap.authentication.lppe.accountLockedAttribute}" />
  <property name="accountPasswordMustChangeAttributeName" value="${ldap.authentication.lppe.accountPasswordMustChangeAttribute}" />
  <property name="passwordExpirationDateAttributeName" value="${ldap.authentication.lppe.dateAttribute}" />
  <property name="passwordWarningNumberOfDaysAttributeName" value="${ldap.authentication.lppe.warningDaysAttribute}" />
  <property name="validPasswordNumberOfDaysAttributeName" value="${ldap.authentication.lppe.validDaysAttribute}" />
  <property name="defaultValidPasswordNumberOfDays" value="${ldap.authentication.lppe.validDays}" />
  <property name="defaultPasswordWarningNumberOfDays" value="${ldap.authentication.lppe.warningDays}" />
  <property name="ignorePasswordExpirationWarningAttributeName" value="${ldap.authentication.lppe.noWarnAttribute}" />
  <property name="passwordPolicyUrl" value="${ldap.authentication.lppe.password.url}" />
</bean>

<bean id="authenticationViaFormAction"
      class="org.jasig.cas.adaptors.ldap.lppe.web.flow.LdapPasswordPolicyAwareAuthenticationViaFormAction"
      p:centralAuthenticationService-ref="centralAuthenticationService"
      p:warnCookieGenerator-ref="warnCookieGenerator"
      p:ldapPasswordPolicyAuthenticationHandler-ref="lppeEnabledLdapAuthenticationHandler" />
```
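To make concrete what the expiration examiner wired above has to do once the handler has read the account's attributes, here is an added example that is not CAS code: it converts an Active Directory date the way an `ActiveDirectoryLdapDateConverter` must, applies per-account or default valid-days and warning-days values, and honours the "ignore warning" flag values. All type and method names are hypothetical; the 100-nanosecond FILETIME layout, the meaning of a zero `pwdLastSet`, and the `userAccountControl` flag values used in the sample are standard Active Directory behaviour rather than settings taken from this page.

```java
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.util.Set;

/*
 * Added example, not CAS code. Shows the work behind the expiration examiner:
 * AD date conversion, expiry and warning-window computation, and the
 * never-expires flag. Names are hypothetical; FILETIME semantics and
 * pwdLastSet = 0 ("must change at next logon") are standard AD behaviour.
 */
public class PasswordExpirationExaminerDemo {

    /** AD FILETIME values count 100-nanosecond ticks from 1601-01-01T00:00:00Z. */
    static final Instant FILETIME_EPOCH = Instant.parse("1601-01-01T00:00:00Z");
    static final long TICKS_PER_SECOND = 10_000_000L;

    static Instant fromActiveDirectoryFileTime(long ticks) {
        return FILETIME_EPOCH.plusSeconds(ticks / TICKS_PER_SECOND)
                             .plusNanos((ticks % TICKS_PER_SECOND) * 100L);
    }

    static long toActiveDirectoryFileTime(Instant instant) {
        long wholeSeconds = FILETIME_EPOCH.until(instant, ChronoUnit.SECONDS);
        return wholeSeconds * TICKS_PER_SECOND + instant.getNano() / 100L;
    }

    enum Result { OK, WARN, MUST_CHANGE, EXPIRED }
    record Verdict(Result result, long daysToExpiration) {}

    /** Per-account values read from the directory entry (null = attribute absent). */
    record AccountPolicyAttributes(long pwdLastSetTicks, Integer validDays, Integer warningDays,
                                   String noWarnAttributeValue) {}

    /** Deployer settings corresponding to the lppe.* defaults and flags above. */
    record ExaminerSettings(int defaultValidDays, int defaultWarningDays,
                            Set<String> ignoreWarningValues, boolean alwaysWarn) {}

    static Verdict examine(AccountPolicyAttributes account, ExaminerSettings settings, Instant now) {
        // A pwdLastSet of 0 means AD requires a password change at next logon.
        if (account.pwdLastSetTicks() == 0L) return new Verdict(Result.MUST_CHANGE, 0);

        // Per-account attribute values override the deployer defaults.
        int validDays = account.validDays() != null ? account.validDays() : settings.defaultValidDays();
        int warningDays = account.warningDays() != null ? account.warningDays() : settings.defaultWarningDays();

        Instant expiration = fromActiveDirectoryFileTime(account.pwdLastSetTicks()).plus(validDays, ChronoUnit.DAYS);
        long daysLeft = ChronoUnit.DAYS.between(now, expiration);

        // Accounts flagged "password never expires" are exempt from this examiner entirely.
        if (account.noWarnAttributeValue() != null
                && settings.ignoreWarningValues().contains(account.noWarnAttributeValue())) {
            return new Verdict(Result.OK, daysLeft);
        }
        // Compare instants rather than the truncated day count so a password that
        // expired a few hours ago is still reported as expired.
        if (expiration.isBefore(now)) return new Verdict(Result.EXPIRED, daysLeft);
        if (settings.alwaysWarn() || daysLeft <= warningDays) return new Verdict(Result.WARN, daysLeft);
        return new Verdict(Result.OK, daysLeft);
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2013-03-01T00:00:00Z"); // constructed "current" time
        // 65536 is AD's DONT_EXPIRE_PASSWORD bit; 66048 = 512 (normal account) + 65536.
        ExaminerSettings settings = new ExaminerSettings(90, 14, Set.of("65536", "66048"), false);

        // Constructed accounts: password set 80 and 100 days before "now".
        long eightyDaysAgo = toActiveDirectoryFileTime(now.minus(80, ChronoUnit.DAYS));
        long hundredDaysAgo = toActiveDirectoryFileTime(now.minus(100, ChronoUnit.DAYS));

        System.out.println(examine(new AccountPolicyAttributes(eightyDaysAgo, null, null, "512"), settings, now));
        System.out.println(examine(new AccountPolicyAttributes(hundredDaysAgo, null, null, "512"), settings, now));
        System.out.println(examine(new AccountPolicyAttributes(hundredDaysAgo, null, null, "66048"), settings, now));
        System.out.println(examine(new AccountPolicyAttributes(0L, null, null, "512"), settings, now));
    }
}
```

With a 90-day validity and a 14-day warning window, the first sample account is inside the warning window, the second is expired, the third carries the never-expires flag and is passed through untouched despite the same age, and the fourth is forced to change its password. The ordering of the checks matters in production: the exemption is evaluated before the expiry test because the flag means the password genuinely does not expire, while `alwaysDisplayPasswordExpirationWarning` only widens the warning window and never overrides an expired password.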
...