Hi Jen,

From a security perspective, doing this is perhaps not the best idea. By
giving this information you aid attackers looking to verify if an account
exists.
It is best not to give any indication that an account is valid or has been
locked.

https://security.stackexchange.com/questions/40694/disclose-to-user-if-account-exists
https://silentbreaksecurity.com/username-discovery/
https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/

Bring these concerns up to management. I would strongly recommend against
exposing yourself to account enumeration.


Thanks,
Robert Bond.
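
The trade-off raised in this thread (Dave's LPPE reply below shows that the backend can learn whether an account is disabled or the password has expired; Robert's reply argues that the login page should not pass that distinction on to an anonymous caller) as an added illustration in Python. This is not CAS code and not part of the thread: the `AccountStatus` values stand in for what an LDAP/AD password-policy check can return, and the directory, usernames and passwords are constructed for the example. It places a status-revealing login handler beside a uniform one and includes a small check that counts how many distinct failure messages each emits for the same set of probes.

```python
"""Uniform login errors vs. status-revealing ones (added example, not CAS code).

The AccountStatus values stand in for what an LDAP/AD password-policy check
such as the one Dave enables below can learn about an account. The directory,
usernames and passwords are constructed for the example.
"""
from __future__ import annotations

import hmac
from enum import Enum, auto
from typing import Callable, Dict, List, Set, Tuple


class AccountStatus(Enum):
    OK = auto()
    NO_SUCH_USER = auto()
    BAD_PASSWORD = auto()
    DISABLED = auto()
    PASSWORD_EXPIRED = auto()


# Constructed sample directory; a real deployment would bind to AD/LDAP instead.
DIRECTORY: Dict[str, Tuple[str, AccountStatus]] = {
    "alice": ("correct-horse", AccountStatus.OK),
    "bob": ("hunter2", AccountStatus.DISABLED),
    "carol": ("winter2018", AccountStatus.PASSWORD_EXPIRED),
}

# Compared against for unknown users so that the unknown-user path does roughly
# the same work as the known-user path (a different response time is also a tell).
_DUMMY_SECRET = "no-such-user-placeholder"

GENERIC_FAILURE = "Invalid credentials."

# Server-side audit trail of (username, status); the helpdesk can consult this
# to tell a user why they could not sign in, after verifying who they are.
AUDIT_LOG: List[Tuple[str, str]] = []


def check_credentials(username: str, password: str) -> AccountStatus:
    """Return the detailed outcome; this is what the backend knows."""
    entry = DIRECTORY.get(username)
    if entry is None:
        hmac.compare_digest(_DUMMY_SECRET.encode(), password.encode())  # equalize work
        return AccountStatus.NO_SUCH_USER
    secret, status = entry
    if not hmac.compare_digest(secret.encode(), password.encode()):
        return AccountStatus.BAD_PASSWORD
    return status


# One message per failure condition: each response reveals something about the account.
STATUS_MESSAGES = {
    AccountStatus.NO_SUCH_USER: "No account with that username.",
    AccountStatus.BAD_PASSWORD: "Incorrect password.",
    AccountStatus.DISABLED: "Your account is disabled.",
    AccountStatus.PASSWORD_EXPIRED: "Your password has expired.",
}


def login_revealing(username: str, password: str) -> Tuple[bool, str]:
    """Status-specific messages: the caller learns which condition applied."""
    status = check_credentials(username, password)
    if status is AccountStatus.OK:
        return True, "Signed in."
    return False, STATUS_MESSAGES[status]


def login_uniform(username: str, password: str) -> Tuple[bool, str]:
    """One generic message for every failure; the detail goes to the audit log only."""
    status = check_credentials(username, password)
    if status is AccountStatus.OK:
        return True, "Signed in."
    AUDIT_LOG.append((username, status.name))
    return False, GENERIC_FAILURE


def distinct_failure_messages(
    login: Callable[[str, str], Tuple[bool, str]], probes: List[Tuple[str, str]]
) -> Set[str]:
    """Set of failure messages a login handler emits for the probes.

    More than one distinct message means the responses let a caller tell
    account states apart; exactly one means they do not.
    """
    return {msg for ok, msg in (login(u, p) for u, p in probes) if not ok}


# Constructed probes: unknown user, wrong password, disabled account, expired password.
PROBES = [("mallory", "x"), ("alice", "wrong"), ("bob", "hunter2"), ("carol", "winter2018")]

if __name__ == "__main__":
    print("revealing:", sorted(distinct_failure_messages(login_revealing, PROBES)))
    print("uniform:  ", sorted(distinct_failure_messages(login_uniform, PROBES)))
    print("audit log:", AUDIT_LOG)
```

In a setup like the one Dave describes, where each failure condition has its own page and the text comes from custom_messages.properties, the same effect is obtained by giving every failure condition the same wording on the login page and leaving the real status in the server-side logs for the helpdesk.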

On Fri, May 18, 2018 at 1:36 PM David Curry <[email protected]>
wrote:

> There is. You can enable LDAP Password Policy Enforcement (LPPE):
>
>
> https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html
>
> This is separate from Password Management (further down the page).
>
> All I had to do was add
>
> cas.authn.ldap[0].passwordPolicy.enabled:   true
> cas.authn.ldap[0].passwordPolicy.type:      AD
> cas.authn.ldap[0].passwordPolicy.strategy:  DEFAULT
>
> to cas.properties.
>
> If you've gotten as far as setting up the src/ hierarchy in your overlay
> to create a theme and/or modify the various page templates, you can style
> these pages (there's a separate one for each failure condition) and you can
> customize the messages displayed by editing custom_messages.properties.
>
> It seems to work pretty well.
>
> --Dave
>
>
>
> --
>
> DAVID A. CURRY, CISSP
> *DIRECTOR OF INFORMATION SECURITY*
> INFORMATION TECHNOLOGY
>
> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
> +1 212 229-5300 x4728 • [email protected]
>
>
> On Fri, May 18, 2018 at 1:02 PM, Jennifer LaVoie <[email protected]>
> wrote:
>
>> Hello Everyone
>>
>> My managers are asking if CAS can return a better error to the end user
>> besides "invalid credentials" based on the status of their account.
>>
>> Is there a way for CAS to know if the account is disabled or the password
>> has expired and return that information to the end user? I am integrated
>> with Active Directory.
>>
>> thanks
>> Jen
>>
>> --
>> - Website: https://apereo.github.io/cas
>> - Gitter Chatroom: https://gitter.im/apereo/cas
>> - List Guidelines: https://goo.gl/1VRrw7
>> - Contributions: https://goo.gl/mh7qDG
>> ---
>> You received this message because you are subscribed to the Google Groups
>> "CAS Community" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/87658e9a-bb8f-46bf-a4f8-e176818f26fd%40apereo.org
>> <https://groups.google.com/a/apereo.org/d/msgid/cas-user/87658e9a-bb8f-46bf-a4f8-e176818f26fd%40apereo.org?utm_medium=email&utm_source=footer>
>> .
>>
>
