
Password Management

LPPE is not about password management. If you are looking for that sort of capability integrating with CAS, you might be interested in this project instead.

Background

LPPE (LDAP Password Policy Enforcement) detects a number of account and password-policy conditions that would otherwise block authentication when an LDAP directory is the primary source of user accounts, and reports each of them to the user in a meaningful way instead of as a generic login failure.

These scenarios are currently supported by the module:

Sub-code     Condition               CAS authentication behavior
---------    ---------------------   ------------------------------------------------------------
530          Invalid logon time      Displays a message that the user cannot log in at the current time.
531          Invalid workstation     Displays a message that the user cannot log in from the current workstation.
532 or 701   Password has expired    Displays a message that the account password has expired and provides a link to a self-service password management application.
533          Account is disabled     Displays a message that the account has been disabled and that the user needs to contact an administrator.
773          Must change password    Displays a message that the account password must be changed and provides a link to a self-service password management application.
775          Account is locked       Displays a message that the account is locked and that the user needs to contact an administrator.

These values are not LDAP result codes: they are the Active Directory sub-codes carried in the diagnostic message of a failed bind (for example "AcceptSecurityContext error, data 773"), where the bind itself fails with invalidCredentials (49). Active Directory documents 701 as "account expired" rather than "password expired"; LPPE treats both the same way.

Without LPPE in place, each of the above scenarios surfaces as a generic authentication failure in the normal CAS login flow, and the user is told nothing about the cause. LPPE intercepts the authentication flow and detects these sub-codes, which the directory returns inside the diagnostic message of the bind response. Each code is then translated into a proper message in the CAS login flow that explains the nature of the problem and lets the user take the appropriate action.
In addition, LPPE can warn the user when the password is about to expire. The expiration policy is computed from pre-configured LDAP attributes, with default values in place.
The "Configuration" section below describes the available options in more detail.
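The following Python sketch is an added illustration of the two behaviours described above; it is not code from CAS or the LPPE module. It extracts the Active Directory sub-code from the diagnostic message of a failed bind and maps it onto a policy state, and it computes the number of days left before a password expires from a pwdLastSet value and a maximum password age so that a warning can be raised ahead of time. The message format and the FILETIME encoding of pwdLastSet are Active Directory behaviour; the state names, the function names, the 90-day/14-day policy and the sample message are assumptions made for this example.

```python
"""Illustrative LDAP password-policy detection logic (not CAS/LPPE code).

Two pieces of the behaviour described above, reimplemented from scratch:
  1. Pull the Active Directory sub-code out of a failed bind's diagnostic
     message ("... AcceptSecurityContext error, data 773, ...") and map it
     onto a policy state such as MUST_CHANGE_PASSWORD or ACCOUNT_LOCKED.
  2. Work out how many days remain before a password expires from the
     account's pwdLastSet attribute (an AD FILETIME: 100-nanosecond ticks
     since 1601-01-01 UTC) and the domain's maximum password age, so a
     warning can be raised ahead of the expiry.
State names, function names and the sample inputs are choices made for this
example; the message format and the FILETIME encoding are AD behaviour.
"""
import re
from datetime import datetime, timedelta, timezone

# Sub-codes from the table above. 701 is documented by AD as "account
# expired"; it is folded into PASSWORD_EXPIRED here, as the page does.
SUBCODE_TO_STATE = {
    "530": "INVALID_LOGON_TIME",
    "531": "INVALID_WORKSTATION",
    "532": "PASSWORD_EXPIRED",
    "533": "ACCOUNT_DISABLED",
    "701": "PASSWORD_EXPIRED",
    "773": "MUST_CHANGE_PASSWORD",
    "775": "ACCOUNT_LOCKED",
}

# AD places the sub-code after "data " in the diagnostic message that
# accompanies an invalidCredentials (49) bind result.
_SUBCODE_RE = re.compile(r"AcceptSecurityContext error, data ([0-9a-fA-F]+)")


def classify_bind_failure(diagnostic_message):
    """Map an AD bind-failure diagnostic message to a policy state.

    Anything that is not one of the policy conditions above (525 user not
    found, 52e wrong password, or no sub-code at all) collapses to the
    generic BAD_CREDENTIALS so the login page does not reveal whether the
    account exists.
    """
    match = _SUBCODE_RE.search(diagnostic_message)
    if match is None:
        return "BAD_CREDENTIALS"
    return SUBCODE_TO_STATE.get(match.group(1).lower(), "BAD_CREDENTIALS")


_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(when):
    """Inverse of filetime_to_datetime; used here to build sample pwdLastSet values."""
    return ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def days_until_expiry(pwd_last_set, max_pwd_age_days, now):
    """Whole days until the password expires (negative once it has expired).

    A pwdLastSet of 0 means AD will force a change at next logon, so it is
    reported as already expired.
    """
    if pwd_last_set == 0:
        return -1
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=max_pwd_age_days)
    return (expires_at - now).days


def expiry_state(pwd_last_set, max_pwd_age_days, warning_days, now):
    """Return (state, days_left): PASSWORD_EXPIRED, PASSWORD_WARNING or OK."""
    days_left = days_until_expiry(pwd_last_set, max_pwd_age_days, now)
    if days_left < 0:
        return ("PASSWORD_EXPIRED", days_left)
    if days_left <= warning_days:
        return ("PASSWORD_WARNING", days_left)
    return ("OK", days_left)


if __name__ == "__main__":
    # Constructed sample: the diagnostic text AD returns for "must change password".
    sample = "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 773, v1db1"
    print(classify_bind_failure(sample))          # MUST_CHANGE_PASSWORD

    # Constructed policy: 90-day maximum age, warn in the last 14 days.
    now = datetime(2014, 4, 15, tzinfo=timezone.utc)
    last_set = datetime_to_filetime(datetime(2014, 1, 20, tzinfo=timezone.utc))
    print(expiry_state(last_set, 90, 14, now))    # ('PASSWORD_WARNING', 5)
```

Everything that is not one of the listed policy conditions, including user-not-found (525) and wrong-password (52e), deliberately collapses to the same generic result: surfacing that distinction on a login page would let an attacker enumerate valid accounts. A real implementation reads pwdLastSet and the maximum password age from the directory; here the sample values are constructed inline so the block runs offline.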

 

Active Directory vs. OpenLDAP

The sub-codes in the table above are Active Directory specific, and LPPE has only been extensively tested against Active Directory. The functionality has yet to be tested and validated against an OpenLDAP instance, which reports password-policy state through the LDAP password policy control rather than through these sub-codes.

 

Source

The LPPE module ships with CAS as of CAS v3.5. The code lives mostly in the LDAP module, with additional configuration merged into the CAS webapp module.

Configuration

LPPE is turned off by default. To configure the module for your account policy, follow the steps below:

Maven Overlay

The instructions below assume you're using the Maven Overlay approach to build CAS.


  • In your pom.xml, add the dependencies for the LPPE module (the dependency snippet is not reproduced in this copy of the page).
  • Download the correct lppe-configuration.xml file for the CAS version you're building and place it in the src/main/webapp/WEB-INF/spring-configuration directory of your Maven overlay.
  • In lppe-configuration.xml, edit the "ldapErrorDefinitions" property and comment out the error cases you are not interested in handling.
  • Merge cas.properties.example from the LDAP module into your Maven overlay's cas.properties file and adjust the LDAP authentication settings, in particular the LDAP connection settings used by the authentication handler (the property list is not reproduced in this copy of the page).
  • In the same file, specify your policy for the password-expiration behaviour through the LPPE properties (also not reproduced here). You may also want to do the same for the 'warn' state.

Test

To exercise the LPPE features, attempt to log in to CAS with an account whose password has expired, or whose password is about to expire under your policy settings. The login flow should transition to the state that describes the condition (expired, warning, must-change, and so on) rather than to the generic authentication failure. If the expected state does not appear, confirm what the directory itself returns: a simple bind as the test account with ldapsearch, or any other LDAP client, shows the same sub-code in the "additional info" of the bind error, which tells you whether the problem lies in the directory data or in the CAS configuration.

JIRA Issues

Outstanding LPPE JIRA issues (7 issues)

  • CAS-1194 (Sub-task, Minor, Open, Unresolved): LPPE: Password warning redirect to service expires ST ticket. Assignee: Misagh Moayyed. Reporter: Misagh Moayyed. Created Oct 03, 2012; updated Dec 31, 2013.
  • CAS-1368 (Bug, Major, In Progress, Unresolved): LPPE does not support SAML services (GoogleApps). Assignee: Misagh Moayyed. Reporter: Eric Pierce. Created Oct 10, 2013; updated Apr 04, 2014.
  • CAS-1392 (Improvement, Major, Open, Unresolved): Support standardized Password Policy Control. Assignee: Bill Thompson. Reporter: MH Avegaart. Created Dec 02, 2013; updated Dec 02, 2013.
  • CAS-1442 (Improvement, Major, In Progress, Unresolved): Add support for CHANGE_AFTER_RESET flag. Assignee: Misagh Moayyed. Reporter: Misagh Moayyed. Created Apr 15, 2014; updated Apr 15, 2014.
  • CAS-1125 (Task, Major, Open, Unresolved): Complete localized properties files. Assignee: Marvin S. Addison. Reporter: Jérôme Leleu. Created May 15, 2012; updated May 16, 2012.
  • CAS-1130 (Bug, Minor, Open, Unresolved): Rethrow AuthenticationException instead of BadCredentialsAuthenticationException.ERROR. Assignee: Marvin S. Addison. Reporter: Pavlos Drandakis. Created May 29, 2012; updated May 29, 2012.
  • CAS-1323 (Improvement, Major, Open, Unresolved): Spanish translation. Assignee: Unassigned. Reporter: Juan Paulo Soto. Created Jul 09, 2013; updated Jul 09, 2013.
