New CAS documentation site

CAS documentation has moved over to jasig.github.io/cas, starting with CAS version 4.x. The wiki will no longer be maintained. For the most recent version of the documentation, please refer to the aforementioned link.

Password Management

LPPE is not a password management or self-service account maintenance tool. If you are looking for that sort of capability integrated with CAS, you might be interested in this project instead.

Background

The purpose of the LPPE module is to detect a number of account-state scenarios that would otherwise prevent user authentication, specifically when an Ldap instance is used as the primary source of user accounts.

These scenarios are currently supported by the module:

Ldap Error Code   Ldap Error Description   CAS Authentication Behavior
530               Invalid login time       Displays a message upon authentication that the user cannot login at the current time.
531               Invalid workstation      Displays a message upon authentication that the user cannot login from the current workstation.
532 or 701        Password has expired     Displays a message upon authentication that the account password has expired and provides a link to a self-service password management application.
533               Account is disabled      Displays a message upon authentication that the account has been disabled and the user needs to contact an administrator.
773               Must change password     Displays a message upon authentication that the account password must be changed and provides a link to a self-service password management application.
775               Account is locked        Displays a message upon authentication that the account has been locked and the user needs to contact an administrator.

Note that these numbers are not LDAP result codes in the protocol sense: they are the hexadecimal subcodes Active Directory appends to the diagnostic message of a failed bind (the "data 532" portion of an "AcceptSecurityContext error" message). LPPE keys on that text, which is why the directory must emit it for the mapping to work.

Without LPPE in place, each of the above scenarios surfaces as a generic authentication failure in the normal CAS login flow, and the user is told nothing about the actual cause. LPPE intercepts the authentication flow and detects the error codes listed above, which are returned as part of the Ldap bind response. Each code is translated into a dedicated login-flow state with a proper message, so the user understands the nature of the problem and can take the appropriate action. Codes that are not in the table are left as generic failures, so the login page does not disclose more about an account than the table intends.
In addition, LPPE is able to warn the user when the account password is about to expire. The expiration policy is computed from pre-configured Ldap attributes (for example the time of the last password change and the password validity period), with default values in place for attributes the directory does not provide.
The "Configuration" section below describes the available options in more detail.
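The following is an added illustration of the two decisions LPPE makes, written for this page and not taken from the CAS source: it extracts the Active Directory subcode from the bind diagnostic text and maps it to one of the states in the table above, and, for a bind that succeeded, computes from the account's attributes whether the password is close enough to expiry to warn. The attribute names (passwordChangedTime, passwordValidDays), the policy keys (valid_days, warning_days, warn_all) and the sample diagnostic message are assumptions constructed for the example; the real names are whatever lppe-configuration.xml and cas.properties define.

```python
"""Example of LPPE-style bind error classification and expiry warning.
Added for illustration; not CAS's own code. Attribute and policy names
are assumptions."""
import re
from datetime import datetime, timedelta, timezone

# Subcodes from the table above, keyed to a login-flow state. Anything not
# listed deliberately falls through to a generic failure so the login page
# does not reveal more about the account than the table intends.
SUBCODE_STATES = {
    "530": "invalid_login_time",
    "531": "invalid_workstation",
    "532": "password_expired",
    "533": "account_disabled",
    "701": "password_expired",
    "773": "must_change_password",
    "775": "account_locked",
}

# AD places the subcode after the word "data" in the bind diagnostic text,
# e.g. "... AcceptSecurityContext error, data 532, v2580".
_DATA_RE = re.compile(r"\bdata\s+([0-9a-fA-F]+)\b")


def classify_bind_error(diagnostic):
    """Return the LPPE state for a failed bind, or 'generic_failure'."""
    match = _DATA_RE.search(diagnostic)
    if not match:
        return "generic_failure"
    return SUBCODE_STATES.get(match.group(1).lower(), "generic_failure")


def parse_generalized_time(value):
    """Parse a GeneralizedTime string such as 20240101000000Z as UTC."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def utc(year, month, day):
    """Small helper so callers can build a UTC 'now' without extra imports."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def expiration_state(attrs, policy, now):
    """Decide ok / warn / password_expired from the account's attributes.

    attrs:  LDAP attribute values as strings. 'passwordChangedTime' is the
            last password change (GeneralizedTime); an optional
            'passwordValidDays' overrides the policy-wide lifetime.
    policy: 'valid_days' (default password lifetime), 'warning_days' (how
            close to expiry triggers the warn state), 'warn_all' (warn on
            every login regardless of remaining days).
    Returns (state, days_remaining); days_remaining is negative once expired.
    """
    changed = parse_generalized_time(attrs["passwordChangedTime"])
    # A per-account lifetime attribute wins over the policy default.
    valid_days = int(attrs.get("passwordValidDays", policy["valid_days"]))
    remaining = ((changed + timedelta(days=valid_days)) - now).days
    if remaining <= 0:
        return "password_expired", remaining
    if policy["warn_all"] or remaining <= policy["warning_days"]:
        return "warn", remaining
    return "ok", remaining


def evaluate_login(bind_diagnostic, attrs, policy, now):
    """Combine both checks as the login flow would: a failed bind (diagnostic
    text present) is classified by subcode; a successful bind (None) is
    checked for upcoming expiry."""
    if bind_diagnostic is not None:
        return classify_bind_error(bind_diagnostic), None
    return expiration_state(attrs, policy, now)


# Constructed sample data, not captured from a real directory.
SAMPLE_DIAGNOSTIC = ("80090308: LdapErr: DSID-0C09042F, comment: "
                     "AcceptSecurityContext error, data 532, v2580")
SAMPLE_ATTRS = {"passwordChangedTime": "20240101000000Z"}
SAMPLE_POLICY = {"valid_days": 90, "warning_days": 14, "warn_all": False}

if __name__ == "__main__":
    print(evaluate_login(SAMPLE_DIAGNOSTIC, SAMPLE_ATTRS, SAMPLE_POLICY,
                         utc(2024, 3, 20)))
    print(evaluate_login(None, SAMPLE_ATTRS, SAMPLE_POLICY, utc(2024, 3, 20)))
```

The subcode lookup is intentionally a closed table: a code the deployment has not opted into (by leaving it uncommented in ldapErrorDefinitions) should produce the same generic failure as a wrong password, which is also why the module only treats the codes it recognises specially.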

 

ActiveDirectory vs. OpenLdap

Though the table above describes the conditions generically, the codes themselves are the subcodes Active Directory reports, and LPPE has only been extensively tested against Active Directory. The functionality has yet to be tested and validated against an OpenLdap instance.

 

Source

The LPPE module ships with CAS by default as of CAS v3.5. The code is mostly part of the Ldap module, with the additional configuration merged into the CAS webapps module.

Configuration

LPPE is turned off by default. In order to configure the module with your account policy, please follow the below steps:

Maven Overlay

The instructions below assume you're using the Maven Overlay approach to build CAS.

 

  • In your pom.xml file, add the following dependencies:

 

With this:

 

  • Download the correct lppe-configuration.xml file for the CAS version you're building and place it in the src/main/webapp/WEB-INF/spring-configuration directory of your maven overlay.
  • In the lppe-configuration.xml file, modify the "ldapErrorDefinitions" property to comment out the cases you are not interested in.

 

  • Merge cas.properties.example from the LDAP module into your maven overlay's cas.properties file and adjust the Ldap authentication settings. Specifically, configure the Ldap connection settings for the authentication handler through the properties below:

 

  • Specify your policy around password expiration behavior through the properties below, in the same file:

 

With:

You may also want to do the same for the 'warn' state.

Test

To exercise the LPPE features, attempt to login to CAS using an account with an expired password, or one whose password is about to expire according to your policy settings. Instead of the generic failure, the login flow should switch to the state that corresponds to the account's condition (expired, warn, locked, and so on) and display the matching message.
