[Deploying Sakai] Configuring CAS for auth, and Kerberos for WebDAV
Martin B. Smith
smithmb at ufl.edu
Wed May 4 06:54:09 PDT 2011
On 05/04/2011 09:51 AM, Seth Theriault wrote:
>
> By setting requireLocalAccount to false, you have put the stock provider
> into "directory" mode.
Ah -- that makes sense. We're working off code based from [1], where it
says the following:

    public boolean userExists(String userId)
    {
        if (m_requirelocalaccount) return false;

        boolean knownKerb = userKnownToKerberos(userId);
        m_logger.info(this + ".userExists: " + userId + " Kerberos: " + knownKerb);
        return knownKerb;
    } // userExists

That causes a kinit with a dummy password. That causes a bad password
attempt even while the method returns true (the user _is_ valid). The
bad password attempt is what bit us, as some users will eventually hit
our lockout policy.
--
Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida
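
Added example, not part of the original message and not Sakai code: a small model of the failure described above, where every directory-mode userExists() call is a kinit with a wrong password and so counts toward the lockout policy. FakeKdc, the threshold of 5 and the account "alice" are constructed for illustration.

```java
import java.util.HashMap;
import java.util.Map;

// Constructed model, not Sakai code: a stand-in KDC that counts failed
// pre-authentications per principal and locks the account at a threshold.
public class LockoutDemo {
    static final int LOCKOUT_THRESHOLD = 5; // assumed policy value

    static class FakeKdc {
        private final Map<String, String> passwords = new HashMap<>();
        private final Map<String, Integer> badAttempts = new HashMap<>();

        void addUser(String id, String pw) { passwords.put(id, pw); }

        // Returns "OK", "BAD_PASSWORD", "UNKNOWN" or "LOCKED".
        String kinit(String id, String pw) {
            if (!passwords.containsKey(id)) return "UNKNOWN";
            if (isLocked(id)) return "LOCKED";
            if (passwords.get(id).equals(pw)) { badAttempts.put(id, 0); return "OK"; }
            badAttempts.merge(id, 1, Integer::sum);
            return "BAD_PASSWORD";
        }

        boolean isLocked(String id) {
            return badAttempts.getOrDefault(id, 0) >= LOCKOUT_THRESHOLD;
        }
    }

    // Same shape as the quoted userExists(): in directory mode the existence
    // check is a login attempt with a password that cannot be right.
    static boolean userExists(FakeKdc kdc, boolean requireLocalAccount, String id) {
        if (requireLocalAccount) return false;            // no KDC traffic at all
        return !kdc.kinit(id, "dummy").equals("UNKNOWN"); // costs one bad attempt
    }

    public static void main(String[] args) {
        FakeKdc kdc = new FakeKdc();
        kdc.addUser("alice", "correct-horse"); // constructed sample account

        for (int i = 0; i < 3; i++) userExists(kdc, true, "alice");
        System.out.println("requireLocalAccount=true  -> locked: " + kdc.isLocked("alice"));

        for (int i = 0; i < LOCKOUT_THRESHOLD; i++) userExists(kdc, false, "alice");
        System.out.println("requireLocalAccount=false -> locked: " + kdc.isLocked("alice"));
        System.out.println("real login now: " + kdc.kinit("alice", "correct-horse"));
    }
}
```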