Handling expired/expiring users after upgrading from Shib 3 to Shib 4

Jeff Chapin jeff.chapin at uni.edu
Wed Jun 28 18:40:08 UTC 2023

So I think I found three pieces of information that are relevant:
1) I misspoke, we are not on 4.3, we are on 4.2
2) I had not enabled the ExpiringPasswords module
3) When we had expirations working, we were using an external authenticator
(we were authing Shib off an existing CAS install), but where it is not
working, we are using the Password authenticator with an ldap server.

After some poking around, it looks like the ExpiringPasswordIntercept is
not firing when we use ldap authentication -- I have an install that is
still using CAS authentication, and if I run the command to enable the
ExpiringPassword intercept, and restart, it is catching the expired
password as expected.

Is there some way to get the ldap login flow to use the passwordExpiring
IDP Attribute? Or preferably to get the ExpiringPasswordIntercept to work
with Password auth?

Thanks for your time!

On Wed, Jun 21, 2023 at 11:11 AM Cantor, Scott <cantor.2 at osu.edu> wrote:

> Another point I guess...4.3 adds an explicit DateTimeAttributeDefinition,
> which "isolates" the whole mess of converting inside the resolver and is
> perhaps a bit easier to play/debug with (e.g. aacli and reloading). That
> gets you a standard Instant out that the relevant predicate(s) will operate
> against without having to do the conversion there.
> I haven't done that switch myself but I added that so it's an option.
> -- Scott


Jeff Chapin,

Panther eSports Adviser
Systems/Applications Administrator
ITS-IS, University of Northern Iowa
Phone: 319-273-3162 Email: Jeff.Chapin at uni.edu
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20230628/ae89e0f6/attachment.htm>

More information about the users mailing list