AD account gets locked up using CAS.
Unai Rodriguez
me at u-journal.org
Tue Jul 1 02:39:25 EDT 2008
Dear All,
Using tcpdump I was able to see that the CAS server is actually sending the
request 5 times, which causes the Active Directory account to get locked
up.
My CAS configuration (deployerConfigContext.xml) looks like this (it may be
found here as well: http://pastebin.ca/1059708):
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
    <property name="filter" value="sAMAccountName=%u" />
    <property name="searchBase" value="OU=A,DC=B,DC=C,DC=D" />
    <property name="contextSource" ref="contextSource" />
    <property name="ignorePartialResultException" value="yes" />
</bean>
[...]
<bean id="contextSource"
      class="org.jasig.cas.adaptors.ldap.util.AuthenticatedLdapContextSource">
    <property name="authenticatedReadOnly" value="true" />
    <property name="userName" value="xxxxxxxxx" />
    <property name="password" value="yyyyyyyyy" />
    <property name="urls">
        <list>
            <value>ldap://10.123.8.47:389</value>
            <value>ldap://10.123.8.46:389</value>
            <value>ldap://10.130.0.45:389</value>
            <value>ldap://10.100.0.45:389</value>
            <value>ldap://10.190.0.45:389</value>
        </list>
    </property>
    <property name="baseEnvironmentProperties">
        <map>
            <entry>
                <key><value>java.naming.security.authentication</value></key>
                <value>simple</value>
            </entry>
        </map>
    </property>
</bean>
I have tried setting "ignorePartialResultException" to "no", with the same
results (i.e. CAS sends 5 consecutive invalid requests which causes the AD
account to get locked up).
Is there any setting to control this?
thanks,
unai
> Dear All,
>
> I have set up CAS with an Active Directory backend. The CAS server
> details are:
>
> - CAS version 3.0.5
> - OS: Debian Linux 3.1 (Sarge)
> - Tomcat version 5.5.23
>
> The Active Directory has some rules set (which are meant to be kept)
> which lock up accounts that attempt to login providing the wrong password 5
> consecutive times.
>
> The issue is that if I provide the wrong password through the CAS login page,
> my AD account will be locked (i.e. with only one failed attempt).
>
> 1) Is this behavior expected/normal?
> 2) How can I tweak/change this?
>
> Thank you so much,
> unai
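The lockout mechanism the thread describes can be reproduced with a small model: a directory that locks an account after five consecutive bad-password binds, and a client that has five URLs for that one domain. The script below is an added example written for this page; it is not CAS or Spring LDAP code and makes no claim about how those libraries actually implement failover. The MockDirectory class, the URL list, the passwords and the two strategy functions are all constructed for illustration. It contrasts a client that moves to the next URL on any failure (so one wrong password costs five bad binds, matching what tcpdump showed) with one that fails over only on a transport error and treats an authentication failure as final for the whole domain (one bad bind per wrong password). Both strategies are exercised against the same mock directory so the resulting bad-bind count and lock state can be compared directly.

```python
"""Model of the LDAP bind fan-out described in the thread (constructed example).

This is NOT CAS or Spring LDAP code. It models two client strategies against a
mock directory that, like the poster's AD policy, locks an account after five
consecutive bad-password binds, so the difference can be measured directly.
"""
from dataclasses import dataclass, field

LOCKOUT_THRESHOLD = 5  # matches the AD policy described in the thread


class InvalidCredentials(Exception):
    """Directory rejected the bind because the password was wrong."""


class AccountLocked(Exception):
    """Directory rejected the bind because the account is already locked."""


class ServerUnreachable(Exception):
    """Transport-level failure: the LDAP server did not answer at all."""


@dataclass
class MockDirectory:
    """Toy stand-in for the domain; every URL in the list fronts the same domain."""
    password: str
    reachable: dict  # url -> bool (constructed)
    bad_count: int = 0
    locked: bool = False
    bind_log: list = field(default_factory=list)  # URLs that received a bind

    def bind(self, url: str, password: str) -> None:
        if not self.reachable.get(url, True):
            raise ServerUnreachable(url)
        self.bind_log.append(url)
        if self.locked:
            raise AccountLocked()
        if password != self.password:
            self.bad_count += 1
            if self.bad_count >= LOCKOUT_THRESHOLD:
                self.locked = True
            raise InvalidCredentials()
        self.bad_count = 0  # successful bind resets the counter


def bind_try_every_url(directory, urls, password) -> bool:
    """Naive failover: any failure moves on to the next URL.

    One wrong password from the user becomes len(urls) bad binds against the
    same account, which is the behaviour the poster observed with tcpdump.
    """
    for url in urls:
        try:
            directory.bind(url, password)
            return True
        except (InvalidCredentials, AccountLocked, ServerUnreachable):
            continue
    return False


def bind_failover_on_transport_only(directory, urls, password) -> bool:
    """Hardened failover: only a transport error justifies trying another URL.

    An authentication failure is authoritative for the whole domain, so it is
    returned to the caller immediately and costs exactly one bad-password bind.
    """
    for url in urls:
        try:
            directory.bind(url, password)
            return True
        except ServerUnreachable:
            continue
        except (InvalidCredentials, AccountLocked):
            return False
    return False  # no server could be reached at all


# Constructed URL list mirroring the five-entry list in the posted config.
URLS = [f"ldap://10.0.0.{n}:389" for n in range(1, 6)]


def run_one_bad_login(strategy, unreachable=()):
    """Return (bad_count, locked, binds_sent) after a single wrong password."""
    directory = MockDirectory(
        password="correct-horse",
        reachable={u: u not in unreachable for u in URLS},
    )
    strategy(directory, URLS, "wrong-password")
    return directory.bad_count, directory.locked, len(directory.bind_log)


if __name__ == "__main__":
    print("try-every-url       :", run_one_bad_login(bind_try_every_url))
    print("transport-only      :", run_one_bad_login(bind_failover_on_transport_only))
    print("transport-only, 2 dn:", run_one_bad_login(bind_failover_on_transport_only, URLS[:2]))
```

Run as a script it prints the three outcomes; the first strategy locks the account after a single wrong password, the second leaves the counter at 1 even when the first two servers are down. The same split, bad credentials versus unreachable server, is the property worth checking in whatever failover logic actually sits in front of AD.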
More information about the cas mailing list