I am working on CAS 5.1.0 with OpenLDAP 2.4. I get confused by Password
Policy and Password Management. The documentation sometimes mixes these two.
Here is part of my cas.properties:
cas.authn.ldap[0].type=AUTHENTICATED
cas.authn.ldap[0].ldapUrl=ldaps://ldap.example.com
cas.authn.ldap[0].useSsl=true
cas.authn.ldap[0].useStartTls=false
cas.authn.ldap[0].connectTimeout=5000
cas.authn.ldap[0].baseDn=ou=people,dc=example,dc=com
cas.authn.ldap[0].userFilter=uid={user}
cas.authn.ldap[0].passwordPolicy.type=GENERIC
cas.authn.ldap[0].passwordPolicy.enabled=true
cas.authn.ldap[0].passwordPolicy.policyAttributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].passwordPolicy.loginFailures=2
cas.authn.ldap[0].passwordPolicy.warningAttributeValue=
cas.authn.ldap[0].passwordPolicy.warningAttributeName=
cas.authn.ldap[0].passwordPolicy.displayWarningOnMatch=true
cas.authn.ldap[0].passwordPolicy.warnAll=true
cas.authn.ldap[0].passwordPolicy.warningDays=20
cas.authn.pm.enabled=true
cas.authn.pm.reset.text=https://example.com/reset-password
cas.authn.pm.reset.subject=Password Reset Request
cas.authn.pm.reset.from=
cas.authn.pm.reset.expirationMinutes=5
cas.authn.pm.reset.emailAttribute=mail
cas.authn.pm.ldap.type=GENERIC
cas.authn.pm.ldap.ldapUrl=ldaps://ldap.example.com
cas.authn.pm.ldap.connectionStrategy=
cas.authn.pm.ldap.useSsl=true
cas.authn.pm.ldap.useStartTls=false
cas.authn.pm.ldap.connectTimeout=5000
cas.authn.pm.ldap.baseDn=ou=people,dc=example,dc=com
cas.authn.pm.ldap.userFilter=cn={user}
And my situation and questions are:
1) cas.authn.ldap[0].passwordPolicy.loginFailures and
cas.authn.ldap[0].passwordPolicy.warningDays
don't seem to be working. I set pwdMaxFailure to 3 attempts and pwdExpireWarning
to 30 days in OpenLDAP. So it always locks me out after 3 failures and
shows the warning for 29 days. Even when I tried 2 attempts and 20 days in
cas.properties, it didn't change anything. Did I miss something?
2) The warning message to change the password shows 29 days and the link is
{1}. That's in messages.properties. But where should I set the link to pass
in as {1}? I thought it was cas.authn.pm.reset.text, but it doesn't work.
3) After the password expired, login still shows "Invalid credentials". How do
I get the "account has been locked" message?
4) I set pwdGraceAuthNLimit to 1 in OpenLDAP. After the password expired, the login
page still shows "Invalid credentials". But I see OpenLDAP has one successful
grace bind. I was hoping to log in and get the page where the password has to be changed.
Any help will be appreciated.
Thanks,
Min
--
- CAS gitter chatroom: https://gitter.im/apereo/cas
- CAS mailing list guidelines: https://apereo.github.io/cas/Mailing-Lists.html
- CAS documentation website: https://apereo.github.io/cas
- CAS project website: https://github.com/apereo/cas
---
You received this message because you are subscribed to the Google Groups "CAS
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/apereo.org/d/msgid/cas-user/2f4317dd-b865-4a4d-9522-d8dee1337ecb%40apereo.org.
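The following is an added example and is not code from the post above, from CAS or from OpenLDAP. It models the decisions the OpenLDAP ppolicy overlay derives from a user entry's operational attributes (pwdChangedTime, pwdFailureTime, pwdAccountLockedTime, pwdGraceUseTime, pwdReset) and the pwdPolicy attributes the post names (pwdMaxFailure, pwdExpireWarning, pwdGraceAuthNLimit, plus pwdMaxAge and the lockout settings). Those server-side values are what the directory reports in the password-policy response control (time before expiration, grace binds remaining, accountLocked, passwordExpired), and a client cannot change them by configuration on its own side, which is why the numbers the poster observes (29 days, lockout after 3 failures, one grace bind) follow the directory's policy. The policy values, the fixed clock and the four user entries are constructed so the script runs offline:

```python
"""Model the decisions OpenLDAP's ppolicy overlay makes for a user entry.

Added example, not code from the original post, CAS or OpenLDAP. The policy
values, the fixed clock and the user entries below are constructed to mirror
the situation in the thread (pwdMaxFailure=3, pwdExpireWarning=30 days,
pwdGraceAuthNLimit=1).
"""
from datetime import datetime, timedelta, timezone

# ppolicy error codes carried in the password-policy response control.
PASSWORD_EXPIRED, ACCOUNT_LOCKED, CHANGE_AFTER_RESET = 0, 1, 2

# Constructed pwdPolicy entry; durations are in seconds, as OpenLDAP stores them.
POLICY = {
    "pwdMaxAge": 90 * 86400,         # password valid for 90 days after pwdChangedTime
    "pwdExpireWarning": 30 * 86400,  # start warning 30 days before expiry
    "pwdGraceAuthNLimit": 1,         # binds still allowed once the password expired
    "pwdLockout": True,              # lock after pwdMaxFailure consecutive failures
    "pwdMaxFailure": 3,
    "pwdLockoutDuration": 0,         # 0 = stays locked until an administrator resets it
    "pwdFailureCountInterval": 0,    # 0 = old failures are never discarded
}

# Fixed clock so the results are reproducible (assumed, not the real time).
NOW = datetime(2017, 8, 1, 12, 0, 0, tzinfo=timezone.utc)


def parse_generalized_time(value):
    """Parse LDAP GeneralizedTime in the form OpenLDAP writes it: 20170601120000Z."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def password_state(entry, policy=POLICY, now=NOW):
    """Return the policy facts the server derives from the entry's operational attributes."""
    changed = parse_generalized_time(entry["pwdChangedTime"])
    expires_at = changed + timedelta(seconds=policy["pwdMaxAge"])
    seconds_left = (expires_at - now).total_seconds()
    expired = seconds_left <= 0
    warn_from = expires_at - timedelta(seconds=policy["pwdExpireWarning"])

    failures = [parse_generalized_time(t) for t in entry.get("pwdFailureTime", [])]
    if policy["pwdFailureCountInterval"] > 0:  # only failures inside the interval count
        cutoff = now - timedelta(seconds=policy["pwdFailureCountInterval"])
        failures = [t for t in failures if t > cutoff]

    locked = False
    if entry.get("pwdAccountLockedTime"):
        locked_at = parse_generalized_time(entry["pwdAccountLockedTime"])
        duration = policy["pwdLockoutDuration"]
        locked = duration == 0 or now < locked_at + timedelta(seconds=duration)

    grace_used = len(entry.get("pwdGraceUseTime", []))
    return {
        "expired": expired,
        "days_until_expiry": max(0, int(seconds_left // 86400)),
        "warning": (not expired) and policy["pwdExpireWarning"] > 0 and now >= warn_from,
        "failures": len(failures),
        "failures_left": max(0, policy["pwdMaxFailure"] - len(failures)) if policy["pwdLockout"] else None,
        "locked": locked,
        "grace_left": max(0, policy["pwdGraceAuthNLimit"] - grace_used) if expired else None,
        "must_change": entry.get("pwdReset") == "TRUE",
    }


def bind_outcome(entry, policy=POLICY, now=NOW):
    """Summarise how a bind with the correct password is answered, in ppolicy's check order."""
    s = password_state(entry, policy, now)
    if s["locked"]:
        return "bind refused: accountLocked (%d)" % ACCOUNT_LOCKED
    if s["expired"]:
        if s["grace_left"] > 0:  # this bind consumes one grace authentication
            return "bind succeeds; graceAuthNsRemaining=%d, password must be changed" % (s["grace_left"] - 1)
        return "bind refused: passwordExpired (%d)" % PASSWORD_EXPIRED
    if s["must_change"]:
        return "bind succeeds; changeAfterReset (%d), only a password change is allowed" % CHANGE_AFTER_RESET
    if s["warning"]:
        return "bind succeeds; warning: password expires in %d days" % s["days_until_expiry"]
    return "bind succeeds"


# Constructed user entries (operational attributes as the overlay maintains them).
USER_WARNING = {  # changed 61 days ago: 29 days left, inside the 30-day warning window
    "pwdChangedTime": "20170601120000Z",
}
USER_LOCKED = {  # three failed binds; the overlay has stamped pwdAccountLockedTime
    "pwdChangedTime": "20170601120000Z",
    "pwdFailureTime": ["20170801115800Z", "20170801115830Z", "20170801115900Z"],
    "pwdAccountLockedTime": "20170801115900Z",
}
USER_GRACE_FRESH = {  # expired 10 days ago, no grace bind used yet
    "pwdChangedTime": "20170423120000Z",
}
USER_GRACE_USED = {  # expired, the single grace bind already consumed
    "pwdChangedTime": "20170423120000Z",
    "pwdGraceUseTime": ["20170725090000Z"],
}

if __name__ == "__main__":
    for name, entry in [("warning", USER_WARNING), ("locked", USER_LOCKED),
                        ("grace-fresh", USER_GRACE_FRESH), ("grace-used", USER_GRACE_USED)]:
        print(name, "->", bind_outcome(entry))
```

To compare against a real directory, read the same operational attributes with an ldapsearch run as rootdn (they are hidden from ordinary users and need to be requested by name, e.g. `pwdChangedTime pwdFailureTime pwdAccountLockedTime pwdGraceUseTime`), and the live pwdPolicy entry; the grace-used case is the one where a plain "Invalid credentials" is all an unaware client will show, because the server refuses the bind with passwordExpired once the grace limit is exhausted.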