Password Policy Enforcement

Password policy enforcement attempts to:

  • Detect a number of scenarios that would otherwise prevent user authentication based on user account status.
  • Warn users whose account status is near a configurable expiration date and redirect the flow to an external identity management system.

LDAP

The scenarios below are, by default, treated as errors that prevent authentication in a generic manner through the normal CAS login flow. LPPE intercepts the authentication flow and detects these standard error codes. The error codes are then translated into proper messages in the CAS login flow, fully explaining the nature of the problem so that the user can take proper action.

  • ACCOUNT_LOCKED
  • ACCOUNT_DISABLED
  • ACCOUNT_EXPIRED
  • INVALID_LOGON_HOURS
  • INVALID_WORKSTATION
  • PASSWORD_MUST_CHANGE
  • PASSWORD_EXPIRED

The translation of LDAP errors into the CAS workflow is handled entirely by ldaptive.

The following settings and properties are available from the CAS configuration catalog:

The configuration settings listed below are tagged as Required in the CAS configuration metadata. This flag indicates that the presence of the setting may be needed to activate or affect the behavior of the CAS feature and generally should be reviewed, possibly owned and adjusted. If the setting is assigned a default value, you do not need to strictly put the setting in your copy of the configuration, but should review it nonetheless to make sure it matches your deployment expectations.

  • cas.authn.ldap[0].password-policy.groovy.location=
  • The location of the resource. Resources can be URLs, or files found either on the classpath or outside somewhere in the file system.

    In the event the configured resource is a Groovy script, especially if the script is set to reload on changes, you may need to adjust the total number of inotify instances. On Linux, you may need to add the following line to /etc/sysctl.conf: fs.inotify.max_user_instances = 256.

    You can check the current value via cat /proc/sys/fs/inotify/max_user_instances.

    org.apereo.cas.configuration.model.SpringResourceProperties.

The configuration settings listed below are tagged as Optional in the CAS configuration metadata. This flag indicates that the presence of the setting is not immediately necessary in the end-user CAS configuration, because a default value is assigned or the activation of the feature is not conditionally controlled by the setting value.

  • cas.authn.ldap[0].password-policy.account-state-handling-enabled=true
  • Indicates whether account state handling should be enabled to process warnings or errors reported back from the authentication response, produced by the source.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.custom-policy-class=
  • An implementation of a policy class that knows how to handle LDAP responses. The class must be an implementation of org.ldaptive.auth.AuthenticationResponseHandler.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.display-warning-on-match=true
  • Indicates whether a warning should be displayed when the LDAP attribute value matches the #warningAttributeValue.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.enabled=true
  • Whether password policy should be enabled.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.login-failures=5
  • When dealing with FreeIPA, indicates the number of allowed login failures.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.policy-attributes=
  • Key-value structure (Map) that indicates a list of boolean attributes as keys. If either attribute value is true, indicating an account state is flagged, the corresponding error can be thrown. Example: accountLocked=javax.security.auth.login.AccountLockedException

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.strategy=DEFAULT
  • Decide how authentication should handle password policy changes. Available values are as follows:

    • DEFAULT: Default option to handle policy changes.
    • GROOVY: Handle account password policies via Groovy.
    • REJECT_RESULT_CODE: Strategy to only activate password policy if the authentication response code is not blocked.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.type=GENERIC
  • LDAP type.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.warn-all=
  • Always display the password expiration warning regardless.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.warning-attribute-name=
  • Used by an account state handling policy that only calculates account warnings in case the entry carries this attribute.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.warning-attribute-value=
  • Used by an account state handling policy that only calculates account warnings in case the entry carries an attribute #warningAttributeName whose value matches this field.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.

  • cas.authn.ldap[0].password-policy.warning-days=30
  • This is used to calculate a warning period to see if account expiry is within the calculated window.

    org.apereo.cas.configuration.model.support.ldap.LdapPasswordPolicyProperties.
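
The settings above combined for a single LDAP source, as an added example that is not taken from the CAS project. The attribute names passwordWarningEnabled and accountExpired, the attribute value TRUE, the 14-day window and warn-all=false are constructed, and the policy-attributes keys assume Spring Boot's usual dotted syntax for binding a Map.

```properties
# Added example with constructed values; adjust to your directory schema.

# Turn on password policy enforcement and account state handling for the first LDAP source.
cas.authn.ldap[0].password-policy.enabled=true
cas.authn.ldap[0].password-policy.type=GENERIC
cas.authn.ldap[0].password-policy.strategy=DEFAULT
cas.authn.ldap[0].password-policy.account-state-handling-enabled=true

# Warn when account expiry falls within 14 days (the default listed above is 30).
cas.authn.ldap[0].password-policy.warning-days=14
# Do not force the warning for every login; rely on the calculated window instead.
cas.authn.ldap[0].password-policy.warn-all=false

# Only calculate warnings for entries that carry this attribute/value pair.
# "passwordWarningEnabled" is a hypothetical attribute name.
cas.authn.ldap[0].password-policy.warning-attribute-name=passwordWarningEnabled
cas.authn.ldap[0].password-policy.warning-attribute-value=TRUE
cas.authn.ldap[0].password-policy.display-warning-on-match=true

# Boolean account-state attributes mapped to the error thrown when the value is true.
# accountLocked is the example given above; accountExpired is hypothetical.
cas.authn.ldap[0].password-policy.policy-attributes.accountLocked=javax.security.auth.login.AccountLockedException
cas.authn.ldap[0].password-policy.policy-attributes.accountExpired=javax.security.auth.login.AccountExpiredException
```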