shibboleth-dev - Re: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords


Re: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords


  • From: Daniel Fisher <>
  • To:
  • Subject: Re: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords
  • Date: Tue, 26 Apr 2011 21:36:05 -0400

I'm a little confused by your example because the user won't get any messages until the account is locked. Are you trying to tell the user when their account expires/logins left even though the user successfully authenticated? I believe that needs to be done in an out-of-band process, not during authentication. See more below.

On Tue, Apr 26, 2011 at 3:57 PM, Khanna, Sumit (khannast) <> wrote:

> The Handler looks very basic. Even looking at the AbstractHandler, I don’t entirely understand how the username/password is passed to the JAAS provider, but it seems I was looking in the wrong place to do this type of expired password check anyway. I’d want to do it during the point where the bind actually occurs so I can read LDAP attributes and throw custom exceptions. So next I looked at the VT middleware JAAS provider:
>
> http://code.google.com/p/vt-middleware/source/browse/vt-ldap/trunk/src/main/java/edu/vt/middleware/ldap/jaas/LdapLoginModule.java


FYI, you're looking at trunk. Latest IDP is using version 3.3.2.
I'll echo Brent's concerns about putting this logic in the authentication layer, but one way to do it is to implement your own AuthenticationHandler:

package edu.uc.mypackage;

import javax.naming.AuthenticationException;
import javax.naming.NamingException;
import javax.naming.directory.Attributes;

import edu.vt.middleware.ldap.Ldap;
import edu.vt.middleware.ldap.auth.AuthenticatorConfig;
import edu.vt.middleware.ldap.auth.handler.AuthenticationCriteria;
import edu.vt.middleware.ldap.auth.handler.BindAuthenticationHandler;
import edu.vt.middleware.ldap.handler.ConnectionHandler;

/**
 * Bind handler that, when the user's bind fails, reads the eDirectory
 * password-expiration and grace-login attributes from the user's entry
 * and rethrows an AuthenticationException carrying them in its message.
 * (Package and imports assume the vt-ldap 3.3.x layout.)
 */
public class GraceAuthenticationHandler extends BindAuthenticationHandler
{

  public GraceAuthenticationHandler() {}


  public GraceAuthenticationHandler(final AuthenticatorConfig ac)
  {
    this.setAuthenticatorConfig(ac);
  }

  @Override
  public void authenticate(
    final ConnectionHandler ch,
    final AuthenticationCriteria ac)
    throws NamingException
  {
    try {
      super.authenticate(ch, ac);
    } catch (AuthenticationException e) {
      // bind failed: read the account state over a connection built from
      // the handler's own config, then rethrow with a descriptive message
      Ldap ldap = null;
      try {
        ldap = new Ldap(this.config);
        Attributes a = ldap.getAttributes(
          ac.getDn(),
          new String[]{"passwordExpirationTime", "loginGraceRemaining"});
        String pet = a != null && a.get("passwordExpirationTime") != null ?
          (String) a.get("passwordExpirationTime").get() : "";
        String lgr = a != null && a.get("loginGraceRemaining") != null ?
          (String) a.get("loginGraceRemaining").get() : "";
        AuthenticationException ae = new AuthenticationException(
          String.format(
            "Password Expiration Time: %s. Login Grace Remaining: %s.", pet, lgr));
        ae.initCause(e);  // keep the original bind failure for the logs
        throw ae;
      } finally {
        if (ldap != null) {
          ldap.close();
        }
      }
    }
  }


  public GraceAuthenticationHandler newInstance()
  {
    return new GraceAuthenticationHandler(this.config);
  }
}

Edit your login.config and add the option: authenticationHandler="edu.uc.mypackage.GraceAuthenticationHandler"
Now you can handle the exception in the JSP and give the user the message.
> This actually confused me even more, because I remember when I was originally setting up and configuring Shibboleth, that I had trouble with the login.config and it looked like, in the log file, that the items in the login.conf were actually calling get() and set() methods within the LdapLoginModule class (similar to how properties are set using Spring). However in the LdapLoginModule, I don’t see those getters or setters for things like host, base, bindDn, etc, nor do I see them in the base class.


They are set via reflection on the Authenticator class; the login module doesn't contain those properties.
 
--Daniel Fisher
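As an added illustration of the login.config change described in the reply above (not part of the original thread): the IdP's JAAS stanza with the authenticationHandler option appended. The ldapUrl, baseDn and userFilter values are placeholders; the stanza name ShibUserPassAuth is assumed to match the IdP's handler configuration.

```text
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldap://ldap.example.org"
      baseDn="ou=people,dc=example,dc=org"
      tls="true"
      userFilter="(uid={0})"
      authenticationHandler="edu.uc.mypackage.GraceAuthenticationHandler";
};
```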



