bypassing some authN fails?

Daniel Fisher dfisher at
Fri May 26 12:57:00 EDT 2017

On Thu, May 25, 2017 at 5:16 PM, db at <dabantz at> wrote:

> Preferable to just ignore that specific account expired state; that
> results in desired effect without having to craft a tool for a service IAM
> doesn't run then asking user to do something. Also has less impact on the
> services run by others that "use" expired flag for their access control.

The authentication response result in the library is immutable, so you'll
have to create a wrapper class.
Here's a gist of what I think that class would look like:
Compile your class, add it to the IDP war, then
update ldap-authn-config.xml to use the wrapper class.
Now do some serious testing; you're off the beaten path and there may be
some side effects that I'm not thinking of.
In particular, you may need to also change the ResultCode to SUCCESS to
complete the lie for any flows that rely on account state.

--Daniel Fisher
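
The wrapper approach described in this message, as an added example: it is not the gist the message refers to and it does not use the LDAP library's API. All types (`AuthResponse`, `Authenticator`, `AccountState`, `ResultCode`) are stand-ins, and the example assumes the directory reports the expired state only after the password has been verified, which has to be confirmed before any failure is rewritten into a success.

```java
import java.util.ArrayList;
import java.util.List;

public class ExpiredStateWrapperDemo {
    // Stand-in types (assumptions): these are NOT the LDAP library's classes.
    enum AccountState { NONE, EXPIRED, LOCKED }
    enum ResultCode { SUCCESS, FAILURE }
    record AuthResponse(String user, ResultCode code, AccountState state) {} // immutable

    interface Authenticator { AuthResponse authenticate(String user, char[] password); }

    /** Delegates to the real authenticator and rewrites only the EXPIRED outcome. */
    static final class IgnoreExpiredAuthenticator implements Authenticator {
        private final Authenticator delegate;
        final List<String> audit = new ArrayList<>(); // stand-in for a real audit log

        IgnoreExpiredAuthenticator(Authenticator delegate) { this.delegate = delegate; }

        @Override
        public AuthResponse authenticate(String user, char[] password) {
            AuthResponse r = delegate.authenticate(user, password);
            if (r.state() != AccountState.EXPIRED) {
                return r; // every other outcome, including LOCKED, passes through untouched
            }
            // Record each override so the policy exception stays visible to operations.
            audit.add("expired state ignored for " + user);
            // The response cannot be mutated, so build a new one; the result code is
            // also set to SUCCESS for flows that look at it rather than the state.
            return new AuthResponse(user, ResultCode.SUCCESS, AccountState.NONE);
        }
    }

    public static void main(String[] args) {
        // Constructed directory behaviour: alice is expired, bob is locked, others succeed.
        Authenticator directory = (user, pw) -> switch (user) {
            case "alice" -> new AuthResponse(user, ResultCode.FAILURE, AccountState.EXPIRED);
            case "bob" -> new AuthResponse(user, ResultCode.FAILURE, AccountState.LOCKED);
            default -> new AuthResponse(user, ResultCode.SUCCESS, AccountState.NONE);
        };
        IgnoreExpiredAuthenticator wrapper = new IgnoreExpiredAuthenticator(directory);
        for (String u : List.of("alice", "bob", "carol")) {
            System.out.println(wrapper.authenticate(u, new char[0]));
        }
        System.out.println(wrapper.audit);
    }
}
```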