Hi Robert- I know what you say is true. I have impressed this upon management. I did disagree, however, in the end, it's not my call.
Jen

On Fri, May 18, 2018 at 4:09 PM, 'Robert Bond' via CAS Community <[email protected]> wrote:

> Hi Jen,
>
> From a security perspective doing this is perhaps not the best idea. By
> giving this information you aid attackers looking to verify if an account
> exists. It is best not to give any indication that an account is valid or
> has been locked.
>
> https://security.stackexchange.com/questions/40694/disclose-to-user-if-account-exists
> https://silentbreaksecurity.com/username-discovery/
> https://www.owasp.org/index.php/Testing_for_User_Enumeration_and_Guessable_User_Account_(OWASP-AT-002)
> https://www.netsparker.com/blog/web-security/information-disclosure-issues-attacks/
>
> Bring these concerns up to management. I would heavily not recommend
> exposing yourself to account enumeration.
>
> Thanks,
> Robert Bond.
>
> On Fri, May 18, 2018 at 1:36 PM David Curry <[email protected]> wrote:
>
>> There is. You can enable LDAP Password Policy Enforcement (LPPE):
>>
>> https://apereo.github.io/cas/development/installation/Password-Policy-Enforcement.html
>>
>> This is separate from Password Management (further down the page).
>>
>> All I had to do was add
>>
>>     cas.authn.ldap[0].passwordPolicy.enabled: true
>>     cas.authn.ldap[0].passwordPolicy.type: AD
>>     cas.authn.ldap[0].passwordPolicy.strategy: DEFAULT
>>
>> to cas.properties.
>>
>> If you've gotten as far as setting up the src/ hierarchy in your overlay
>> to create a theme and/or modify the various page templates, you can style
>> these pages (there's a separate one for each failure condition) and you can
>> customize the messages displayed by editing custom_messages.properties.
>>
>> It seems to work pretty well.
>>
>> --Dave
>>
>> --
>> DAVID A. CURRY, CISSP
>> DIRECTOR OF INFORMATION SECURITY
>> INFORMATION TECHNOLOGY
>> The New School
>> 71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
>> +1 212 229-5300 x4728 • [email protected]
>>
>> On Fri, May 18, 2018 at 1:02 PM, Jennifer LaVoie <[email protected]> wrote:
>>
>>> Hello Everyone
>>>
>>> My managers are asking if CAS can return a better error to the end user
>>> besides "invalid credentials" based on the status of their account.
>>>
>>> Is there a way for CAS to know if the account is disabled or the
>>> password has expired and return that information to the end user? I am
>>> integrated with Active Directory.
>>>
>>> thanks
>>> Jen
>>>
>>> --
>>> - Website: https://apereo.github.io/cas
>>> - Gitter Chatroom: https://gitter.im/apereo/cas
>>> - List Guidelines: https://goo.gl/1VRrw7
>>> - Contributions: https://goo.gl/mh7qDG
>>> ---
>>> You received this message because you are subscribed to the Google
>>> Groups "CAS Community" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/a/apereo.org/d/msgid/cas-user/87658e9a-bb8f-46bf-a4f8-e176818f26fd%40apereo.org.

--
"Confusion is a word we have invented for an order which is not understood." ~Henry Miller
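To make the trade-off in this thread concrete (David's per-status messages from LPPE on one side, Robert's enumeration concern on the other), here is an added Python model. It is illustration only, not CAS code, and uses no CAS or LDAP API: the directory contents, passwords and the order in which the simulated bind checks things are constructed assumptions. The Active Directory sub-codes it uses (data 525 user not found, 52e invalid password, 532 password expired, 533 account disabled, 775 account locked) are the standard values found in the diagnostic message of a failed AD bind. The attacker's view is the interesting part: probe each candidate username with a wrong password and compare the message with the one for a name known not to exist.

```python
"""Account-status error messages vs. username enumeration (added example).

Two login error-reporting policies are modelled:
  * "verbose": one message per AD bind sub-code, which is what a
    per-failure-condition page gives the end user;
  * "uniform": everything a caller with a wrong password would see
    collapses to the same generic text.
Directory data and check order below are constructed for the example.
"""
from typing import Dict, List, Optional, Tuple

# Active Directory bind failure sub-codes, as they appear in the LDAP
# diagnostic message "AcceptSecurityContext error, data NNN".
AD_USER_NOT_FOUND = "525"
AD_INVALID_PASSWORD = "52e"
AD_PASSWORD_EXPIRED = "532"
AD_ACCOUNT_DISABLED = "533"
AD_ACCOUNT_LOCKED = "775"

# Constructed sample directory: username -> (password, account state).
SAMPLE_DIRECTORY: Dict[str, Tuple[str, str]] = {
    "alice": ("hunter2", "ok"),
    "bob": ("letmein", "disabled"),
    "carol": ("s3cret", "locked"),
    "dave": ("expired1", "expired"),
}


def simulated_ad_bind(username: str, password: str,
                      directory: Dict[str, Tuple[str, str]] = SAMPLE_DIRECTORY) -> Optional[str]:
    """Return None on success, otherwise an AD-style sub-code.

    The check order (lockout before password, state after password) is an
    assumption of this model, not a statement about how AD itself behaves.
    """
    if username not in directory:
        return AD_USER_NOT_FOUND
    real_password, state = directory[username]
    if state == "locked":
        return AD_ACCOUNT_LOCKED
    if password != real_password:
        return AD_INVALID_PASSWORD
    if state == "disabled":
        return AD_ACCOUNT_DISABLED
    if state == "expired":
        return AD_PASSWORD_EXPIRED
    return None


VERBOSE_MESSAGES = {
    AD_USER_NOT_FOUND: "Unknown user.",
    AD_INVALID_PASSWORD: "Invalid credentials.",
    AD_PASSWORD_EXPIRED: "Your password has expired.",
    AD_ACCOUNT_DISABLED: "Your account is disabled.",
    AD_ACCOUNT_LOCKED: "Your account is locked.",
}
GENERIC_MESSAGE = "Invalid credentials."


def login_message(code: Optional[str], policy: str) -> str:
    """Map a bind result to the text shown on the login page under a policy."""
    if code is None:
        return "OK"
    if policy == "verbose":
        return VERBOSE_MESSAGES[code]
    if policy == "uniform":
        # In this model 532 is only reached after the correct password was
        # supplied, so telling that user to change it reveals nothing a
        # wrong-password probe could not already learn. Everything else,
        # including unknown user, disabled and locked, looks identical.
        if code == AD_PASSWORD_EXPIRED:
            return VERBOSE_MESSAGES[code]
        return GENERIC_MESSAGE
    raise ValueError(f"unknown policy {policy!r}")


def enumerate_users(candidates: List[str], policy: str,
                    directory: Dict[str, Tuple[str, str]] = SAMPLE_DIRECTORY,
                    probe_password: str = "definitely-wrong") -> List[str]:
    """Attacker's oracle: any candidate whose wrong-password response differs
    from the response for a name that certainly does not exist is confirmed."""
    baseline = login_message(
        simulated_ad_bind("zz-no-such-user-zz", probe_password, directory), policy)
    confirmed = []
    for user in candidates:
        msg = login_message(simulated_ad_bind(user, probe_password, directory), policy)
        if msg != baseline:
            confirmed.append(user)
    return confirmed


if __name__ == "__main__":
    names = ["alice", "bob", "carol", "dave", "eve"]
    for policy in ("verbose", "uniform"):
        print(f"{policy:8s}: confirmed accounts = {enumerate_users(names, policy)}")
```

With the verbose policy the probe confirms every real account (four of the five candidates) without knowing a single password, which is exactly the oracle Robert's links describe; with the uniform policy it confirms none. The same message choice can be made in a CAS overlay through the custom_messages.properties keys David mentions, by giving the enumeration-sensitive failure conditions identical text. Response timing is a separate side channel this model does not address.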
