[Deploying Sakai] Configuring CAS for auth, and Kerberos for WebDAV

Martin B. Smith smithmb at ufl.edu
Wed May 4 06:54:09 PDT 2011

On 05/04/2011 09:51 AM, Seth Theriault wrote:
> By setting requireLocalAccount to false, you have put the stock provider
> into "directory" mode.

Ah -- that makes sense. We're working off code based from [1], where it 
says the following:

171 	public boolean userExists(String userId)
172 	{
173 	if (m_requirelocalaccount) return false;
175 	boolean knownKerb = userKnownToKerberos(userId);
176 	m_logger.info(this + ".userExists: " + userId + " Kerberos: " + 
177 	return knownKerb;
178 	} // userExists

That causes a kinit with a dummy password. That causes a bad password 
attempt even while the method returns true (the user _is_ valid). The 
bad password attempt is what bit us, as some users will eventually hit 
our lockout policy.

Martin B. Smith
smithmb at ufl.edu - (352) 273-1374
CNS/Open Systems Group
University of Florida

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5129 bytes
Desc: S/MIME Cryptographic Signature
Url : http://collab.sakaiproject.org/pipermail/production/attachments/20110504/6209f0cd/attachment.bin 

More information about the production mailing list