The purpose of the LPPE (LDAP Password Policy Enforcement) module is to detect a number of scenarios that would otherwise prevent user authentication when an LDAP directory is the primary source of user accounts. For a general overview of the intent and behaviour of LPPE, please review the LPPE overview page.

This document highlights and explains the architectural changes proposed for the upcoming CAS 4 release. In addition to various bug and security fixes, the following goals and improvements are planned:

Support for Custom Attributes

TODO

Support for Non-Expiring ActiveDirectory Accounts

The current version of LPPE in CAS 3.5.x contains a bug in calculating the password expiration date for AD accounts that are flagged to never expire. The correct approach is to read the userAccountControl attribute of the user's AD entry and test its bitwise flags to detect account state; an account with the DONT_EXPIRE_PASSWD bit set has no password expiration date and must not be run through the expiration calculation. This fix can be accommodated through the support for retrieval of custom attributes described above. One caveat for implementers: the LOCKOUT and PASSWORD_EXPIRED bits are not reliably maintained in userAccountControl itself; AD exposes their current values through the constructed attribute msDS-User-Account-Control-Computed, which should be requested when those two states matter.

The bitwise flags are defined as follows (decimal values of the documented userAccountControl bits, with the hex value in the comments):

    private enum ActiveDirectoryUserAccountControlFlags {
        UAC_FLAG_ACCOUNT_DISABLED(2),          // 0x0002   ACCOUNTDISABLE
        UAC_FLAG_LOCKOUT(16),                  // 0x0010   LOCKOUT
        UAC_FLAG_PASSWD_NOTREQD(32),           // 0x0020   PASSWD_NOTREQD
        UAC_FLAG_DONT_EXPIRE_PASSWD(65536),    // 0x10000  DONT_EXPIRE_PASSWORD
        UAC_FLAG_PASSWORD_EXPIRED(8388608);    // 0x800000 PASSWORD_EXPIRED

        private final int value;

        ActiveDirectoryUserAccountControlFlags(final int value) {
            this.value = value;
        }

        public int getValue() {
            return this.value;
        }

        /** True if this flag's bit is set in the given userAccountControl value. */
        public boolean isSetIn(final long userAccountControl) {
            return (userAccountControl & this.value) != 0;
        }
    }
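
As an added, self-contained illustration (not code from the CAS project), the following Java class shows how the flags above would be consulted by an LPPE check: it decodes a userAccountControl value into a flag set, ranks the blocking states, and derives a password expiry instant from pwdLastSet and the domain's maxPwdAge only when DONT_EXPIRE_PASSWD is not set. The class and method names are hypothetical, and the attribute values in main are constructed samples rather than data from a real directory.

```java
import java.time.Instant;
import java.util.EnumSet;
import java.util.Optional;

/** Added example: decoding AD userAccountControl and deriving password expiry. Not CAS code. */
public final class AdAccountStateExample {

    /** The userAccountControl bits from the enum above, written in hex. */
    enum UacFlag {
        ACCOUNT_DISABLED(0x0002),
        LOCKOUT(0x0010),
        PASSWD_NOTREQD(0x0020),
        DONT_EXPIRE_PASSWD(0x10000),
        PASSWORD_EXPIRED(0x800000);

        final int bit;

        UacFlag(final int bit) { this.bit = bit; }
    }

    /** Windows FILETIME epoch: AD large-integer timestamps count 100ns ticks from this instant. */
    private static final Instant FILETIME_EPOCH = Instant.parse("1601-01-01T00:00:00Z");
    private static final long TICKS_PER_SECOND = 10_000_000L;

    /** Returns the set of flags whose bit is set in userAccountControl. */
    static EnumSet<UacFlag> decode(final long userAccountControl) {
        final EnumSet<UacFlag> flags = EnumSet.noneOf(UacFlag.class);
        for (final UacFlag f : UacFlag.values()) {
            if ((userAccountControl & f.bit) != 0) {
                flags.add(f);
            }
        }
        return flags;
    }

    /** Converts a FILETIME tick count to an Instant; split to avoid overflowing a long. */
    static Instant fromFileTime(final long fileTime) {
        return FILETIME_EPOCH.plusSeconds(fileTime / TICKS_PER_SECOND)
                             .plusNanos((fileTime % TICKS_PER_SECOND) * 100L);
    }

    /**
     * Password expiry instant, or empty when the password never expires.
     * maxPwdAge is read from the domain root as a negative tick count;
     * Long.MIN_VALUE means the domain policy never expires passwords.
     */
    static Optional<Instant> passwordExpiry(final long userAccountControl,
                                            final long pwdLastSet,
                                            final long maxPwdAge) {
        if (decode(userAccountControl).contains(UacFlag.DONT_EXPIRE_PASSWD)
                || maxPwdAge == Long.MIN_VALUE || maxPwdAge == 0L) {
            return Optional.empty();
        }
        if (pwdLastSet == 0L) {
            // "User must change password at next logon": report an expiry already in the past.
            return Optional.of(FILETIME_EPOCH);
        }
        return Optional.of(fromFileTime(pwdLastSet).plusSeconds(-maxPwdAge / TICKS_PER_SECOND));
    }

    /** Order matters: a disabled or locked account is rejected before expiry is considered. */
    static String accountState(final long userAccountControl) {
        final EnumSet<UacFlag> flags = decode(userAccountControl);
        if (flags.contains(UacFlag.ACCOUNT_DISABLED)) return "DISABLED";
        if (flags.contains(UacFlag.LOCKOUT))          return "LOCKED";
        if (flags.contains(UacFlag.PASSWORD_EXPIRED)) return "PASSWORD_EXPIRED";
        return "OK";
    }

    public static void main(final String[] args) {
        // Constructed sample attribute values (not taken from a real directory):
        // 0x200 = NORMAL_ACCOUNT only; 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD.
        final long normal = 0x200L;
        final long neverExpires = 0x10200L;
        final long disabledAndExpired = 0x200L | 0x0002L | 0x800000L;
        final long pwdLastSet = 133485408000000000L;   // 2024-01-01T00:00:00Z as FILETIME ticks
        final long maxPwdAge = -36288000000000L;       // 42 days, as a negative tick count

        System.out.println(accountState(normal) + " "
                + passwordExpiry(normal, pwdLastSet, maxPwdAge));
        System.out.println(accountState(neverExpires) + " "
                + passwordExpiry(neverExpires, pwdLastSet, maxPwdAge));
        System.out.println(accountState(disabledAndExpired) + " "
                + passwordExpiry(disabledAndExpired, 0L, maxPwdAge));
    }
}
```

The expiry calculation is deliberately skipped, rather than producing a far-future date, when the never-expire bit is set, which is the behaviour the 3.5.x bug above gets wrong. If LOCKOUT or PASSWORD_EXPIRED is needed, pass the value of msDS-User-Account-Control-Computed to accountState instead of the raw userAccountControl.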

 

Reduce LDAP Query Overhead

TODO

Support for Custom Date Formatters

TODO

Support for Custom WebFlow States

TODO

Internalization of LDAP Error Codes Pre-Authentication

 

Support for Account Examiners Post-Authentication

TODO

Component Diagram

TODO

Flow Diagram

TODO
