Has anyone successfully implemented External Authentication (EAS) against an LDAP directory?
I have it working, however I'm concerned about the potential problems associated with LDAP authentication messages that aren't passed through Luminis to the user attempting to log in.
For example, if a user's password has aged out and simply needs to be changed (this potentially happens once a semester) it may cause confusion because the message is a generic "login failed".
Has this been an issue for anyone? Solutions?
EAS via Microsoft AD
We have implemented EAS to authenticate our users against our Active Directory using the standard LDAP configuration. You are 100% correct about the generic message being displayed regardless of the LDAP result (i.e. expired password, user account expired/disabled, user trying to login during a disallowed time period, etc.).
Right now we are testing a Perl script I have written that (ideally) will be placed within a channel on the "Home" tab for all users. The user's username is passed to the Perl script by way of generic CPIP (but we are also testing using iPerson attributes).
The script then reads the AD's account policies via LDAP and checks the current age of the user's password against the AD's "maxPwdAge" attribute. Once the script has that information it displays to the user how many more days there are before the user's password will expire.
There are other bells and whistles added (and still others I would like to add) but I think you get the idea. Anyway, the point is to let the user know how old her password is getting and then give that user a way to change her password before it expires.
I would LOVE to hear what others have done/are going to do because I do not feel like our "solution" is ideal.
Yale CAS, anybody?
I posted on the camppipetech list, but got no response. Anyway, anybody here doing CAS[1] with III.2? We haven't gotten much into III.2 yet, but do hope to do CAS at some point.
1. http://jasigch.princeton.edu:9000/display/CAS/Home
CAS
I have CAS on my development box, and intend to put my first CAS'ified feature in place early next week after I install CAS on my production box Sunday.
Maybe post followup of details? :-)
Afterwards, perhaps you could post a followup, perhaps even an entry under the Documents section? I'm sure an increasing number of folks will find this worthwhile.
Similar solution
I'm working on a similar solution using the iPerson stuff.
Thanks for letting me know I'm not crazy. Still curious to know if anyone out there has a better solution.
Thanks, John
John Pile Jr, University of Alaska
Possible Solution
We are not currently expiring passwords, but I'd like to start. Since I've been thinking about it, here is how I was going to attempt a solution. Currently we only allow password changes from one single web form, and an application used at the help desk.
Whenever either of these apps changes the password, update the date in the pdsAccountCredentialChanged field in the Luminis LDAP. I assume (maybe incorrectly?) that it is this field that Luminis is checking when a user logs in to see if the password is expired. Then override the error page for expired password to redirect to my password change web form.
Thoughts?
Just found a method and thought I'd share.
We were in the same situation here, using Active Directory as the EAS server and failed logins always return "Unknown Username/Password Pair."
I was able to write a web page that could determine if a given account in AD was disabled, locked out, or had an expired password. The only question was redirecting users to it.
I asked Luminis support if it was possible to redirect the failed login page, and their answer was no - not without paying for it.
However, rather than try to replace the failed login page, I was able to replace the login page and check the account *before* it is passed to the Luminis login. You need to open up login.html, and replace everything with an <IFRAME> which points to an external page. (Make sure to back up the original first!) On the external page, you duplicate what was in login.html. You'll need two <form>s. One which posts back to the external server, and where you check if the account is disabled, or password expired and redirect to an appropriate page, and then the second which is from login.html which posts to the portal. With a bit of programming and scripting, you can check the account for an expired password, and if not found, pass it along to the Luminis login no problem!
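The account check that both the "maxPwdAge" channel script earlier in this thread and the pre-login page above describe, written here in Python as an added example (it is not either poster's Perl or web code). It works on an already-fetched LDAP entry; the entries, the 42-day maxPwdAge and the fixed "now" are constructed sample data, while the attribute names and userAccountControl bits are the standard Active Directory ones.

```python
# Added example (not the posters' code): classify an AD account the way this thread
# describes, before the login is handed to the portal. The entries below are
# constructed sample data; attribute names and UAC bits are standard AD values.
from datetime import datetime, timedelta, timezone

UF_ACCOUNTDISABLE = 0x0002       # userAccountControl bit: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000  # userAccountControl bit: password never expires
NEVER_EXPIRES = -0x8000000000000000  # maxPwdAge value meaning "no maximum age"
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # AD ticks: 100 ns since 1601

def filetime_to_datetime(ticks):
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)

def datetime_to_filetime(dt):
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10

def account_status(entry, max_pwd_age, now):
    """Return (state, days_until_expiry); state is disabled, locked,
    must_change, expired or ok. days is None when no expiry applies."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UF_ACCOUNTDISABLE:
        return "disabled", None
    if int(entry.get("lockoutTime", 0)) != 0:  # 0 means not locked (lockoutDuration ignored)
        return "locked", None
    pwd_last_set = int(entry.get("pwdLastSet", 0))
    if pwd_last_set == 0:  # "user must change password at next logon"
        return "must_change", 0
    if uac & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, NEVER_EXPIRES):
        return "ok", None
    # maxPwdAge is stored as a negative interval, so subtracting it adds the age.
    expires = filetime_to_datetime(pwd_last_set - max_pwd_age)
    if expires <= now:
        return "expired", 0
    return "ok", (expires - now).days

# Constructed sample data: a 42-day domain maxPwdAge and a fixed "now".
MAX_PWD_AGE_42_DAYS = -42 * 24 * 3600 * 10_000_000
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
SAMPLE_USERS = {
    "alice": {"userAccountControl": 512, "lockoutTime": 0,
              "pwdLastSet": datetime_to_filetime(datetime(2024, 1, 1, tzinfo=timezone.utc))},
    "bob": {"userAccountControl": 512, "lockoutTime": 0,
            "pwdLastSet": datetime_to_filetime(datetime(2023, 11, 1, tzinfo=timezone.utc))},
    "carol": {"userAccountControl": 514, "lockoutTime": 0, "pwdLastSet": 1},
    "dave": {"userAccountControl": 512, "lockoutTime": 133_000_000_000_000_000, "pwdLastSet": 1},
    "erin": {"userAccountControl": 66048, "lockoutTime": 0, "pwdLastSet": 1},
}

def report(users=SAMPLE_USERS, max_pwd_age=MAX_PWD_AGE_42_DAYS, now=NOW):
    return {name: account_status(entry, max_pwd_age, now) for name, entry in users.items()}
```

Anything other than "ok" is the case where the portal would only say "login failed", so that is where the external page would redirect to a password-change or help-desk page instead of posting to Luminis.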
Still work?
Nmdange,
I know this thread is over a year old but we are interested in your method and I wanted to know if it still works with current versions of Luminis. Currently we are at 3.3.1 and are going to be moving our test environment to 3.3.3 in about 2 weeks. If it does still work would you be willing to share how you did this in detail?
Code Request
Can you share the code with us?