The purpose of the LPPE module is to detect a number of scenarios that would otherwise prevent user authentication, specifically when an LDAP instance is the primary source of user accounts.
These scenarios are currently supported by the module:
Without LPPE in place, the above scenarios are treated as generic errors that prevent authentication through the normal CAS login flow. LPPE intercepts the authentication flow and detects the standard error codes that are returned as part of the LDAP response payload. The error codes are then translated into proper messages in the CAS login flow that fully explain the nature of the problem, allowing the user to take proper action.
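The translation step described above, as an added example that is not CAS or LPPE code. It assumes Active Directory, whose failed binds carry a hexadecimal `data` sub-code in the diagnostic message; the class name, the `PolicyState` values and the sample messages are constructed for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Optional;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LdapPolicyErrorDemo {
    // Hypothetical state names; the keys are Active Directory bind-failure "data" sub-codes.
    enum PolicyState { PASSWORD_EXPIRED, ACCOUNT_DISABLED, ACCOUNT_EXPIRED, MUST_CHANGE_PASSWORD, ACCOUNT_LOCKED }

    private static final Map<String, PolicyState> AD_SUBCODES = new LinkedHashMap<>();
    static {
        AD_SUBCODES.put("532", PolicyState.PASSWORD_EXPIRED);
        AD_SUBCODES.put("533", PolicyState.ACCOUNT_DISABLED);
        AD_SUBCODES.put("701", PolicyState.ACCOUNT_EXPIRED);
        AD_SUBCODES.put("773", PolicyState.MUST_CHANGE_PASSWORD);
        AD_SUBCODES.put("775", PolicyState.ACCOUNT_LOCKED);
    }

    // The sub-code appears as hex digits after the word "data" in the diagnostic message.
    private static final Pattern DATA_CODE = Pattern.compile("\\bdata\\s+([0-9a-fA-F]{3,4})\\b");

    /** Returns the policy state, or empty when the failure is not a policy condition. */
    static Optional<PolicyState> classify(String diagnosticMessage) {
        if (diagnosticMessage == null) return Optional.empty();
        Matcher m = DATA_CODE.matcher(diagnosticMessage);
        if (!m.find()) return Optional.empty();
        return Optional.ofNullable(AD_SUBCODES.get(m.group(1).toLowerCase()));
    }

    public static void main(String[] args) {
        // Constructed sample messages in the shape AD returns with LDAP result code 49.
        String[] samples = {
            "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 532, v1db1",
            "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 775, v1db1",
            "80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1"
        };
        for (String s : samples) {
            // Unmapped codes (525 unknown user, 52e bad password) share one generic
            // failure, so the login page does not distinguish between them.
            String view = classify(s).map(PolicyState::name).orElse("GENERIC_AUTH_FAILURE");
            System.out.println(view + " <- " + s);
        }
    }
}
```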
In addition, LPPE is able to warn the user when the account is about to expire. The expiration policy is determined through pre-configured LDAP attributes with default values in place.
The "Configuration" section below describes the additional options in more detail.
The LPPE module ships with CAS by default as of CAS v3.5. The code is mostly a part of the LDAP module, with additional configuration merged inside the CAS webapps module.
LPPE is turned off by default. To configure the module with your account policy, follow the steps below:
You may also want to do the same for the 'warn' state.
To exercise the LPPE features, attempt to log in to CAS using an account with an expired password, or one whose password is about to expire based on your policy settings. The login flow should switch you to a proper state indicating the nature of the problem.