IDP v3 - OpenLDAP password policy - locked account [SOLVED]
emilio.penna at seciu.edu.uy
Tue May 19 17:43:45 EDT 2015
Thanks Scott, it's working now!
As you suggested, I edited password-authn-config.xml
and added an entry to
the added entry:
Now, when I try to login with a locked account, I get the message "Your
account is locked."
As I said previously, expired and expiring account messages are also
working after configuring ldap-authn-config.xml.
The comments at the bottom of ldap-authn-config.xml were very useful,
but, as you said, not so clear to configure, they forced me to learn a
bit about spring config... not so bad in the end... :)
On 19/05/2015 at 02:40 p.m., Cantor, Scott wrote:
> On 5/19/15, 12:50 PM, "Emilio Penna" <emilio.penna at seciu.edu.uy> wrote:
>> I saw some messages in idp source, referred to locked accounts
>> (authn-messages.properties), so I think that it could be possible to
>> inform the user of locked accounts.
> Daniel put some comments in the bottom of the ldap-authn-config file that are a little difficult to parse but it describes how to add beans to add the password policy features from ldaptive into the wiring.
> When that stuff is wired in, the LDAP validator will pass the results it gets into the message classification rules in password-authn-config to classify different messages as specific events. If something is mapped to AccountLocked, then it will run the empty user flow authn/conditions/account-locked and then pass control back to the form. By default nothing maps to that and it will never do that.
> Fundamentally it has nothing to do with LDAP, the machinery that maps error or exception text to events works in all the login flows, but the LDAP one specifically has features for pulling supplemental material from the LDAP response.
> The user flows in flows/authn/conditions are undocumented right now, they're empty "just return" subflows that can be customized to do work in response to authentication events like an expiring password, without having to customize any of the system-delivered flows.
> -- Scott
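
The shape of a message-classification entry of the kind discussed in this thread, as an added example; it is not the entry Emilio added, which this archive page does not preserve. The map bean id is assumed to be the one in the stock IdP v3 password-authn-config.xml, and the value is a placeholder.

```xml
<!-- Added example for password-authn-config.xml (IdP v3).
     Assumption: the map bean id below matches the stock file. -->
<util:map id="shibboleth.authn.Password.ClassifiedMessageMap">

    <!-- Existing entries in the file stay as shipped. -->

    <!-- key    = event the login flow signals (here AccountLocked, which
                  runs authn/conditions/account-locked and then returns
                  control to the login form)
         values = text fragments matched against the error or exception
                  message passed on by the validator -->
    <entry key="AccountLocked">
        <list>
            <!-- PLACEHOLDER: replace with the text your LDAP validator
                 reports for a locked account once the ldaptive password
                 policy beans are wired in via ldap-authn-config.xml. -->
            <value>REPLACE_WITH_LOCKED_ACCOUNT_ERROR_TEXT</value>
        </list>
    </entry>

</util:map>
```

With no value mapped to AccountLocked, the event is never signalled and the "Your account is locked." message is not shown.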