Problems connecting from IdP to LDAP service
Mark Cairney
Mark.Cairney at ed.ac.uk
Tue Sep 20 15:14:07 BST 2011
Hi,
Today our Shibboleth IdP stopped speaking to our OpenLDAP server.
Upgrading to the latest release of Shib (2.3.3) appeared to have fixed
it, but we're now starting to see connection timeouts on the LDAP side
and attributes not being returned on the Shibboleth side.
On the OpenLDAP side we're seeing:
Sep 20 14:54:33 alder slapd[28855]: conn=1430 fd=32 ACCEPT from IP=xxxxxxxx:59084 (IP=xxxxxxxx:636)
Sep 20 14:54:33 alder slapd[28855]: conn=1430 fd=32 TLS established tls_ssf=128 ssf=128
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=0 BIND dn="" method=128
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=0 RESULT tag=97 err=0 text=
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=1 SRCH base="ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk" scope=2 deref=3 filter="(uid=******)"
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=1 SRCH attr=uid eduPersonAffiliation eduPersonEntitlement eduniIdmsID mail givenName sn
Sep 20 14:54:38 alder slapd[28855]: conn=1430 op=1 SEARCH RESULT tag=101 err=3 nentries=0 text=
Sep 20 14:54:38 alder slapd[28855]: conn=1430 op=2 UNBIND
Sep 20 14:54:38 alder slapd[28855]: conn=1430 fd=32 closed
This is intermittent but it seems to be getting more and more frequent.
Has anyone ever seen this behaviour? We're running Terracotta 3.1.1 and
Java JRE 1.6.18 if that makes any difference.
The relevant piece from attribute-resolver.xml is:
<resolver:DataConnector id="AuthLDAP" xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldaps://server.ed"
                        baseDN="ou=people,ou=central,dc=ourservice">
    <FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </FilterTemplate>
    <ReturnAttributes>uid eduPersonAffiliation eduPersonEntitlement
        eduniIdmsID mail givenName sn</ReturnAttributes>
</resolver:DataConnector>

<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="ComputedId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="computedID"
                        generatedAttributeID="computedID"
                        sourceAttributeID="eduniIdmsID"
                        salt='"32134f7e661f8d8065b646972ab0e553"'>
    <resolver:Dependency ref="AuthLDAP" />
</resolver:DataConnector>
Cheers,
Mark
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
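The slapd excerpt in the post carries the diagnostic detail: the SEARCH RESULT for op=1 comes back five seconds after the SRCH with err=3, which is the LDAP result code timeLimitExceeded (RFC 4511), and nentries=0, so the IdP's attribute lookup is timing out on the directory rather than being refused. The script below is an added example written for this thread, not code from the post or from the Shibboleth or OpenLDAP projects. It pairs each SRCH with its SEARCH RESULT on the same conn/op, names the result code, measures the elapsed time and flags failed or slow searches, so a trend like "getting more and more frequent" can be counted instead of eyeballed. The sample log is constructed from the post's lines with the masked IPs replaced by documentation addresses, plus an invented healthy search (conn=1431, uid=jbloggs) for contrast; the year 2011 is assumed from the post's date because syslog timestamps carry none.

```python
import re
from datetime import datetime

# LDAP result codes (RFC 4511) that commonly appear in slapd RESULT lines.
LDAP_RESULT_CODES = {
    0: "success", 1: "operationsError", 3: "timeLimitExceeded",
    4: "sizeLimitExceeded", 32: "noSuchObject", 49: "invalidCredentials",
    50: "insufficientAccessRights", 51: "busy", 52: "unavailable",
}

# syslog timestamps carry no year; 2011 is assumed from the post's date.
LOG_YEAR = 2011

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ slapd\[\d+\]: "
    r"conn=(?P<conn>\d+) (?P<rest>.*)$")
SRCH_RE = re.compile(
    r'op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)".*filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(
    r"op=(?P<op>\d+) SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=(?P<n>\d+)")


def parse_ts(text):
    """Turn 'Sep 20 14:54:33' into a datetime using the assumed log year."""
    return datetime.strptime(f"{LOG_YEAR} {text}", "%Y %b %d %H:%M:%S")


def analyse_searches(lines, slow_after=2.0):
    """Pair each SRCH with its SEARCH RESULT on the same conn/op and report
    elapsed seconds, result-code name and entry count. A search is flagged
    when it failed (err != 0) or took at least slow_after seconds."""
    pending = {}   # (conn, op) -> (start time, filter)
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, conn, rest = parse_ts(m["ts"]), int(m["conn"]), m["rest"]
        s = SRCH_RE.search(rest)
        if s:
            pending[(conn, int(s["op"]))] = (ts, s["filter"])
            continue
        r = RESULT_RE.search(rest)
        if r:
            start, filt = pending.pop((conn, int(r["op"])), (ts, None))
            err, entries = int(r["err"]), int(r["n"])
            elapsed = (ts - start).total_seconds()
            findings.append({
                "conn": conn, "op": int(r["op"]), "filter": filt,
                "err": err, "err_name": LDAP_RESULT_CODES.get(err, f"code {err}"),
                "entries": entries, "elapsed": elapsed,
                "flagged": err != 0 or elapsed >= slow_after,
            })
    return findings


def summarise(findings):
    """Count completed searches per result-code name for a quick trend view."""
    counts = {}
    for f in findings:
        counts[f["err_name"]] = counts.get(f["err_name"], 0) + 1
    return counts


# Constructed sample: conn=1430 follows the post (IPs replaced by documentation
# addresses); conn=1431 is an invented healthy search added for contrast.
SAMPLE_LOG = """\
Sep 20 14:54:33 alder slapd[28855]: conn=1430 fd=32 ACCEPT from IP=192.0.2.10:59084 (IP=192.0.2.20:636)
Sep 20 14:54:33 alder slapd[28855]: conn=1430 fd=32 TLS established tls_ssf=128 ssf=128
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=0 BIND dn="" method=128
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=0 RESULT tag=97 err=0 text=
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=1 SRCH base="ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk" scope=2 deref=3 filter="(uid=******)"
Sep 20 14:54:33 alder slapd[28855]: conn=1430 op=1 SRCH attr=uid eduPersonAffiliation eduPersonEntitlement eduniIdmsID mail givenName sn
Sep 20 14:54:38 alder slapd[28855]: conn=1430 op=1 SEARCH RESULT tag=101 err=3 nentries=0 text=
Sep 20 14:54:38 alder slapd[28855]: conn=1430 op=2 UNBIND
Sep 20 14:54:38 alder slapd[28855]: conn=1430 fd=32 closed
Sep 20 14:54:40 alder slapd[28855]: conn=1431 op=1 SRCH base="ou=people,ou=central,dc=authorise,dc=ed,dc=ac,dc=uk" scope=2 deref=3 filter="(uid=jbloggs)"
Sep 20 14:54:40 alder slapd[28855]: conn=1431 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
""".splitlines()

if __name__ == "__main__":
    results = analyse_searches(SAMPLE_LOG)
    for finding in results:
        print(finding)
    print(summarise(results))
```

Run against a real slapd log (for example by feeding `open("/var/log/slapd.log")` instead of `SAMPLE_LOG`) the summary separates directory-side time limits from the IdP's own connection timeouts: a rising count of timeLimitExceeded with nentries=0 points at the search itself (indexing, the sizelimit/timelimit settings or backend load), whereas an IdP timeout with no matching SEARCH RESULT at all points at the network path or the connection pool.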