Hi Ben,

Thanks for your suggestion, but I have already tried it (and tried it once again, now). The problem still exists. This property, IIUC, only enables in-place password management and has nothing to do with the missing message/view/flow.

In CAS v5.0.x the "same" configuration with the same OpenLDAP backend worked as expected... handleAuthenticationFailure, as you said, should handle CredentialExpiredException and render the VIEW_ID_EXPIRED_PASSWORD (casExpiredPassView) but I don't see that happening. Perhaps, when reaching that point, CredentialExpiredException is "lost" and a generic AuthenticationException is thrown...

Pavlos

> Have a look at:
>
> cas.authn.pm.enabled=true
>
> which I think you need to set.
>
> Also login-webflow.xml has a handleAuthenticationFailure step which handles
> all the different exceptions, including CredentialExpiredException.
>
> On 7 June 2017 at 13:54, Pavlos Drandakis <[email protected]> wrote:
>
>> Hello all,
>>
>> I am trying to set up CAS 5.1 (using the maven overlay method) to
>> authenticate users against an OpenLDAP server. If the user's password is not
>> expired, everything works as expected. But, when the user's password expires,
>> all I get is the "Invalid credentials" error in the login page instead of the
>> password expired view.
>>
>> This is what I have in cas.properties:
>> cas.authn.ldap[0].type=AUTHENTICATED
>> cas.authn.ldap[0].ldapUrl=ldap://ldap.example.com
>> cas.authn.ldap[0].useSsl=false
>> cas.authn.ldap[0].useStartTls=false
>> cas.authn.ldap[0].baseDn=dc=example,dc=com
>> cas.authn.ldap[0].userFilter=uid={user}
>> cas.authn.ldap[0].bindDn=cn=admin,dc=example,dc=com
>> cas.authn.ldap[0].bindCredential=secretpass
>>
>> cas.authn.ldap[0].passwordPolicy.type=GENERIC
>> cas.authn.ldap[0].passwordPolicy.enabled=true
>>
>> Am I missing something?
>> Thanks, in advance
>> Pavlos
>>
>> P.S.: Relevant log entries:
>> 2017-06-07 15:20:22,463 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [[org.ldaptive.auth.AuthenticationResponse@1608121171::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=uid=auser,ou=People,dc=example,dc=com, ldapEntry=[dn=uid=auser,ou=People,dc=example,dc=com[]], accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1354577001::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials], controls=[[org.ldaptive.control.PasswordPolicyControl@655105816::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=PASSWORD_EXPIRED]]]]>
>> 2017-06-07 15:20:22,464 DEBUG [org.apereo.cas.authentication.support.DefaultAccountStateHandler] - <Handling error [PASSWORD_EXPIRED]>
>> 2017-06-07 15:20:22,465 INFO [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] failed authenticating [auser]>
>> 2017-06-07 15:20:22,465 DEBUG [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <[LdapAuthenticationHandler] exception details: [null]>
>> 2017-06-07 15:20:22,468 WARN [org.apereo.cas.authentication.PolicyBasedAuthenticationManager] - <Authentication has failed. Credentials may be incorrect or CAS cannot find authentication handler that supports [auser] of type [UsernamePasswordCredential], which suggests a configuration problem.>
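
A log-triage sketch for the symptom in this thread, added here as an example (it is not code from the posters or from the CAS project): it scans CAS DEBUG output for ldaptive `AuthenticationResponse` entries and flags binds that were reported as `INVALID_CREDENTIALS` while the password policy control carried a specific account error such as `PASSWORD_EXPIRED`. The sample entries are constructed, shortened from the quoted log, and the function and field names are hypothetical.

```python
import re

# Constructed sample, shortened from the DEBUG entries quoted in the thread.
SAMPLE_LOG = """\
2017-06-07 15:20:22,463 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [[org.ldaptive.auth.AuthenticationResponse@1608121171::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=uid=auser,ou=People,dc=example,dc=com, accountState=[org.ldaptive.auth.ext.PasswordPolicyAccountState@1354577001::accountWarnings=null, accountErrors=[PASSWORD_EXPIRED]], result=false, resultCode=INVALID_CREDENTIALS]]>
2017-06-07 15:21:05,102 DEBUG [org.apereo.cas.authentication.LdapAuthenticationHandler] - <Applying password policy to [[org.ldaptive.auth.AuthenticationResponse@99::authenticationResultCode=AUTHENTICATION_HANDLER_FAILURE, resolvedDn=uid=buser,ou=People,dc=example,dc=com, accountState=null, result=false, resultCode=INVALID_CREDENTIALS]]>
"""

ENTRY_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} ", re.M)
RESULT_CODE = re.compile(r"\bresultCode=(\w+)")  # not authenticationResultCode
ACCOUNT_ERRORS = re.compile(r"accountErrors=\[([^\]]*)\]")
RESOLVED_DN = re.compile(r"resolvedDn=(.+?), \w+=")


def triage(log_text):
    """Return one finding per ldaptive AuthenticationResponse in the log."""
    findings = []
    starts = [m.start() for m in ENTRY_START.finditer(log_text)] + [len(log_text)]
    for begin, end in zip(starts, starts[1:]):
        entry = " ".join(log_text[begin:end].split())  # undo line wrapping
        if "AuthenticationResponse@" not in entry:
            continue
        code = RESULT_CODE.search(entry)
        errors = ACCOUNT_ERRORS.search(entry)
        dn = RESOLVED_DN.search(entry)
        error_list = []
        if errors:
            error_list = [e.strip() for e in errors.group(1).split(",") if e.strip()]
        invalid = code is not None and code.group(1) == "INVALID_CREDENTIALS"
        findings.append({
            "time": entry[:23],
            "dn": dn.group(1) if dn else None,
            "result_code": code.group(1) if code else None,
            "account_errors": error_list,
            # Bind was rejected, yet the policy control names a specific reason.
            "masked": invalid and bool(error_list),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Entries with `masked` set are the ones where a user sees "Invalid credentials" although the directory reported an account-state condition.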
