CAS and Active Directory Password Expiration
Arnaud Lesueur
arnaud.lesueur at gmail.com
Thu Jul 26 11:36:17 EDT 2007
Hi,
A few remarks: an LDAP bind with an expired password on AD will fail with
an LDAP error code 49. In this failure, there is also a code to specify that
the password was expired.
http://forum.java.sun.com/thread.jspa?messageID=4227692
To handle expired passwords against AD and Sun Directory Server, you can look
for the string 'expired' in the
javax.naming.AuthenticationException stack trace and throw a custom
exception.
My 2 cents,
Arnaud
On 7/26/07, Watkins, Jayme <jwatkins at mtmercy.edu> wrote:
>
> From the tests that I have done, when a person logs into Active Directory
> through LDAP and their password has expired, the system returns the error of
> "Invalid Credentials" and doesn't give any indication that the password has
> expired. I was also told by someone on a Microsoft newsgroup that LDAP
> cannot handle the password expiration situation which has been proven in my
> tests with .NET. I suppose it is possible to check the "Password Last Set"
> attribute, but if LDAP won't let the person login even with their good
> password anymore, what good is it to check it since I can't validate their
> password?
>
>
>
> If Kerberos returns the 'password expired' error I will see if we can use
> that.
>
>
>
> JW
>
>
>
> *From:* cas-bounces at tp.its.yale.edu [mailto:cas-bounces at tp.its.yale.edu] *On
> Behalf Of *Scott Battaglia
> *Sent:* Wednesday, July 25, 2007 2:03 PM
> *To:* Yale CAS mailing list
> *Subject:* Re: CAS and Active Directory Password Expiration
>
>
>
> I'm not familiar with AD's password expiration settings. What's supposed
> to happen if the password is expired?
>
> -Scott
>
> On 7/24/07, *Watkins, Jayme *<jwatkins at mtmercy.edu> wrote:
>
> Hi, I have been learning the CAS system for the past couple of weeks from
> source code and the wiki and like the way the system is set up. We would
> like to use the system at our college with our Active Directory system and
> would also like to implement a way to check if the student's password has
> expired. I have successfully made it work with the Active Directory, but
> now I am stuck with getting it to understand the "password expiration"
> setting. I am not sure where to start but I have been reading the source
> code documentation to get an understanding of the system.
>
>
>
> Has anyone been able to get this working for their system? If so, could
> you please point me in the direction I should take to implement it? Any
> help would be greatly appreciated.
>
>
>
> Thanks,
>
> JW
>
>
>
>
> _______________________________________________
> Yale CAS mailing list
> cas at tp.its.yale.edu
> http://tp.its.yale.edu/mailman/listinfo/cas
>
>
>
>
> --
> -Scott Battaglia
>
> LinkedIn: http://www.linkedin.com/in/scottbattaglia
>
>
>
--
Arnaud Lesueur
LinkedIn: http://www.linkedin.com/in/lesueur
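
The check described in the reply above, as an added example that is not part of the original thread or of CAS itself. It goes beyond the 'expired' string match by also reading the hex `data` sub-code that Active Directory appends to error 49 (532 for an expired password, 773 for "must change password at next logon"); the class names and the sample messages are constructed for illustration.

```java
import javax.naming.AuthenticationException;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class ExpiredPasswordCheck {

    /** Hypothetical custom exception, raised instead of a generic bind failure. */
    static class PasswordExpiredException extends Exception {
        PasswordExpiredException(String msg, Throwable cause) { super(msg, cause); }
    }

    // AD puts a hex sub-code in the error 49 text, e.g. "... data 532, ..."
    private static final Pattern AD_DATA = Pattern.compile("\\bdata\\s+([0-9a-fA-F]+)\\b");

    static boolean indicatesExpiredPassword(AuthenticationException e) {
        String msg = e.getMessage();
        if (msg == null || !msg.contains("error code 49")) return false;
        // Text match suggested in the thread (servers that say "expired" in words).
        if (msg.toLowerCase(Locale.ROOT).contains("expired")) return true;
        // AD case: only the numeric sub-code tells the cases apart.
        Matcher m = AD_DATA.matcher(msg);
        if (!m.find()) return false;
        String code = m.group(1).toLowerCase(Locale.ROOT);
        return code.equals("532") || code.equals("773");
    }

    /** Call from the catch block around the LDAP bind. */
    static void rethrow(AuthenticationException e)
            throws PasswordExpiredException, AuthenticationException {
        if (indicatesExpiredPassword(e)) {
            throw new PasswordExpiredException("Password expired, change required", e);
        }
        throw e; // anything else stays an ordinary authentication failure
    }

    public static void main(String[] args) {
        // Constructed sample messages; DSID values are placeholders.
        String[] samples = {
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: "
                + "AcceptSecurityContext error, data 532, vece]",
            "[LDAP: error code 49 - 80090308: LdapErr: DSID-XXXXXXXX, comment: "
                + "AcceptSecurityContext error, data 52e, vece]",
            "[LDAP: error code 49 - password expired!]"
        };
        for (String s : samples) {
            boolean expired = indicatesExpiredPassword(new AuthenticationException(s));
            System.out.println((expired ? "EXPIRED  " : "REJECTED ") + s);
        }
    }
}
```

Only the first and third samples are classified as expired; sub-code 52e is a plain bad-credentials failure and is left as one.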