IDP v3 - OpenLDAP password policy - locked account [SOLVED]

Emilio Penna emilio.penna at seciu.edu.uy
Tue May 19 17:43:45 EDT 2015


Thanks Scott, it's working now!

As you suggested, I edited password-authn-config.xml

and added an entry to

<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">

the added entry:

        <entry key="AccountLocked">
            <list>
                <value>ACCOUNT_LOCKED</value>
            </list>
        </entry>


Now, when I try to login with a locked account, I get the message "Your
account is locked."

As I said previously, expired and expiring account messages are also
working after configuring ldap-authn-config.xml.

The comments at the bottom of ldap-authn-config.xml were very useful,
but, as you said, not so clear to configure, they forced me to learn a
bit about Spring config... not so bad in the end... :)

thanks
Emilio




On 19/05/2015 at 02:40 p.m., Cantor, Scott wrote:
> On 5/19/15, 12:50 PM, "Emilio Penna" <emilio.penna at seciu.edu.uy> wrote:
>>
>> I saw some messages in idp source, referred to locked accounts
>> (authn-messages.properties), so I think that it could be possible to
>> inform the user of locked accounts.
> 
> Daniel put some comments in the bottom of the ldap-authn-config file that are a little difficult to parse but it describes how to add beans to add the password policy features from ldaptive into the wiring.
> 
> When that stuff is wired in, the LDAP validator will pass the results it gets into the message classification rules in password-authn-config to classify different messages as specific events. If something is mapped to AccountLocked, then it will run the empty user flow authn/conditions/account-locked and then pass control back to the form. By default nothing maps to that and it will never do that.
> 
> Fundamentally it has nothing to do with LDAP, the machinery that maps error or exception text to events works in all the login flows, but the LDAP one specifically has features for pulling supplemental material from the LDAP response.
> 
> The user flows in flows/authn/conditions are undocumented right now, they're empty "just return" subflows that can be customized to do work in response to authentication events like an expiring password, without having to customize any of the system-delivered flows.
> 
> -- Scott
> 
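The mechanism Scott describes, a map from event names to strings that are looked for in the LDAP result text, is small enough to model end to end. The following is an added example and not Shibboleth or ldaptive code: it only reproduces the shape of `shibboleth.authn.Password.ClassifiedMessageMap`. The `AccountLocked` / `ACCOUNT_LOCKED` entry is the one from the thread; every other map entry, the substring-match rule, the default event name, the `authn/conditions/...` naming pattern beyond `account-locked`, and the sample LDAP results are assumptions made for illustration.

```python
"""Toy model of the IdP's classified-message mapping (added example, not
Shibboleth code). Result text from the LDAP bind is matched against the
strings listed under each event key; the first key with a hit becomes the
event the password flow runs. Only the AccountLocked entry is taken from
the thread; all other entries and the sample results are constructed."""
from typing import Dict, List, Optional, Tuple

# Same structure as the <util:map> in password-authn-config.xml:
# event key -> list of strings expected in the LDAP/ldaptive result text.
# Only "AccountLocked" comes from the thread; the rest are assumed.
CLASSIFIED_MESSAGE_MAP: Dict[str, List[str]] = {
    "UnknownUsername": ["CLIENT_NOT_FOUND", "DN_RESOLUTION_FAILURE"],
    "InvalidPassword": ["INVALID_CREDENTIALS"],
    "ExpiringPassword": ["ACCOUNT_WARNING"],
    "ExpiredPassword": ["PASSWORD_EXPIRED"],
    "AccountLocked": ["ACCOUNT_LOCKED"],  # entry added in the thread
}

# Event used when no classified string matches (assumed name). Keeping the
# fallback generic means unexpected server errors never leak detail to the
# login form.
DEFAULT_EVENT = "AuthenticationException"


def classify_message(result_text: str,
                     message_map: Dict[str, List[str]] = CLASSIFIED_MESSAGE_MAP) -> str:
    """Return the first event whose classified strings occur in result_text.

    Plain case-sensitive substring matching is assumed here; map order
    decides ties, so more specific keys should come first when strings
    overlap."""
    for event, needles in message_map.items():
        if any(needle in result_text for needle in needles):
            return event
    return DEFAULT_EVENT


def classify_ldap_result(result_code: str, account_state: Optional[str]) -> str:
    """Classify a bind result plus the supplemental account-state text the
    LDAP validator pulls from the response.

    With OpenLDAP ppolicy a lockout or expiry still surfaces as
    INVALID_CREDENTIALS at the result-code level, so the supplemental text
    is consulted first (a design choice of this model)."""
    if account_state:
        event = classify_message(account_state)
        if event != DEFAULT_EVENT:
            return event
    return classify_message(result_code)


def condition_subflow(event: str) -> str:
    """Name of the empty 'just return' subflow run for an event, e.g.
    AccountLocked -> authn/conditions/account-locked (the one name given in
    the thread; the CamelCase-to-kebab-case rule is assumed for the rest)."""
    kebab = "".join("-" + c.lower() if c.isupper() else c for c in event).lstrip("-")
    return f"authn/conditions/{kebab}"


# Constructed sample bind outcomes: (result code, account-state text).
SAMPLES: List[Tuple[str, Optional[str]]] = [
    ("INVALID_CREDENTIALS", None),                 # ordinary bad password
    ("INVALID_CREDENTIALS", "ACCOUNT_LOCKED"),     # ppolicy lockout
    ("INVALID_CREDENTIALS", "PASSWORD_EXPIRED"),   # ppolicy expiry
    ("SUCCESS", "ACCOUNT_WARNING"),                # bind ok, password expiring
    ("NO_SUCH_OBJECT", "DN_RESOLUTION_FAILURE"),   # user not found
    ("UNAVAILABLE", None),                         # unmapped server error
]


def run_samples() -> List[Tuple[str, str]]:
    """Classify every sample and pair it with the subflow it would trigger."""
    out = []
    for code, state in SAMPLES:
        event = classify_ldap_result(code, state)
        out.append((event, condition_subflow(event)))
    return out


if __name__ == "__main__":
    for (code, state), (event, flow) in zip(SAMPLES, run_samples()):
        print(f"{code:20} {str(state):22} -> {event:24} {flow}")
```

Removing the `AccountLocked` key from the map reproduces the behaviour Scott mentions for an unconfigured IdP: a locked account classifies as nothing more specific than the generic failure, so the user only ever sees the default error.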


