Closed GoogleCodeExporter closed 8 years ago
The entry containing the default domain policy is the root domain entry,
DC=example,DC=org for the domain example.org. That should suffice for AD prior
to Windows Server 2008 since only a single domain-wide password policy is
available.
The picture is substantially more complicated with the advent of Server 2008,
which supports a feature called Fine-Grained Password Policy. The following
document describes some of the implementation details, including directory
storage components:
http://technet.microsoft.com/en-us/library/cc770394(v=ws.10).aspx
It may be possible to determine the effective policy that applies to a user,
but it may involve following quite a trail of crumbs. I will do some further
investigation and report any findings.
Original comment by marvin.addison@gmail.com
on 30 Jan 2014 at 3:06
Reviewing the following CAS component may facilitate implementation for the
simple case.
https://github.com/serac/cas/blob/b4d71a28b5b3d00c4bb3c381e22593097fc250cc/cas-server-support-ldap/src/main/java/org/jasig/cas/authentication/support/ActiveDirectoryAccountStateHandler.java
Note the non-standard date/time formats.
Original comment by marvin.addison@gmail.com
on 30 Jan 2014 at 3:21
Test vectors for date conversion:
FILETIME 130354196677110863, 2014-01-28T21:54:27.711Z
Delta time -25920000000000, 2592000000ms
Original comment by marvin.addison@gmail.com
on 30 Jan 2014 at 4:10
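The two conversions behind the test vectors above, combined into a password-expiry check. This is an added example, not part of the original thread and not code from ldaptive or CAS. It assumes the inputs are the AD attributes pwdLastSet (FILETIME) and the domain-wide maxPwdAge (negative 100 ns interval, with 0 or the Int64 minimum meaning no maximum age); the attribute names and sentinel values are not stated in the thread.

```python
from datetime import datetime, timedelta, timezone

# Active Directory timestamps are FILETIME values: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_MS = 10_000
INT64_MIN = -(2 ** 63)  # with 0, the "no maximum age" value (assumed maxPwdAge semantics)


def filetime_to_datetime(ticks):
    """Convert a FILETIME tick count to an aware UTC datetime."""
    if ticks < 0:
        raise ValueError("FILETIME must be non-negative")
    # Integer microseconds: floats cannot hold 18-digit tick counts exactly.
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def delta_to_ms(delta_ticks):
    """Convert a negative 100 ns interval to milliseconds; None means no limit."""
    if delta_ticks in (0, INT64_MIN):
        return None
    if delta_ticks > 0:
        raise ValueError("AD interval attributes are stored as negative values")
    return -delta_ticks // TICKS_PER_MS


def password_expiry(pwd_last_set, max_pwd_age):
    """Return the UTC expiry instant, or None if the policy sets no maximum age."""
    max_age_ms = delta_to_ms(max_pwd_age)
    if max_age_ms is None:
        return None
    # pwd_last_set == 0 (change required at next logon) lands in 1601, i.e. expired.
    return filetime_to_datetime(pwd_last_set) + timedelta(milliseconds=max_age_ms)


def is_expired(pwd_last_set, max_pwd_age, now):
    """True when 'now' (aware UTC datetime) is at or past the expiry instant."""
    expiry = password_expiry(pwd_last_set, max_pwd_age)
    return expiry is not None and now >= expiry


if __name__ == "__main__":
    # Test vectors quoted in the thread above.
    print(filetime_to_datetime(130354196677110863).isoformat(timespec="milliseconds"))
    print(delta_to_ms(-25920000000000))
    print(password_expiry(130354196677110863, -25920000000000).isoformat())
```

The result reflects only the domain-wide value; under Fine-Grained Password Policy the effective maximum age for a given user may differ, as discussed earlier in the thread.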
Update the response handler to accept a password age parameter.
Retrieval of the password age is still a problem left for the deployer.
See r2880.
Original comment by dfis...@gmail.com
on 31 Jan 2014 at 7:37
Looks like you need a version bump in the core pom. It's 1.0.2-SNAPSHOT at
present.
Original comment by marvin.addison@gmail.com
on 5 Feb 2014 at 2:21
Yep, I screwed up the version.
It's fixed now.
Original comment by dfis...@gmail.com
on 5 Feb 2014 at 3:15
I've tested this and looks good. We may need to revisit simply setting
maxPasswordAge on the ldaptive component in light of Fine-Grained Password
Policy. Presumably some concrete use cases will clarify what changes we'll need
to make, if any, down the road.
Original comment by marvin.addison@gmail.com
on 5 Feb 2014 at 9:02
Can this be resolved?
Original comment by dfis...@gmail.com
on 10 Mar 2014 at 6:44
Original comment by marvin.addison@gmail.com
on 10 Mar 2014 at 6:55
Original issue reported on code.google.com by
marvin.addison@gmail.com
on 29 Jan 2014 at 7:55