FW: help, having problems authenticating user with LDAP
Leonard Kroll
Leonard.Kroll at umb.edu
Tue Sep 20 16:15:23 BST 2011
Thank you, adding the missing semicolon fixed the problem, and now I get
an error 32 (no data). I would like to look up the user using the "email"
address, but it does not find the user.
ShibUserPassAuth {
    // Example LDAP authentication
    // See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldaps://xxxxdc1.yyyyyyy.net ldaps://xxxxxxxdc2.tyyyyyyy.net"
        baseDN="dc=xxxxxx,dc=net"
        bindDn="xxxxxxx.yyyyyyy@zzzzz.edu"
        bindCredential="password"
        userFilter="email={0}"
        subtreeSearch="true";
    // Example Kerberos authentication, requires Sun's JVM
    // See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
    /*
    com.sun.security.auth.module.Krb5LoginModule required
        useKeyTab="true"
        keyTab="/path/to/idp/keytab/file";
    */
};
The idp-process.log file:
10:37:27.423 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:202] - Processing incoming request
10:37:27.423 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:233] - Beginning user authentication process.
10:37:27.424 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:279] - Filtering configured LoginHandlers: {urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession=edu.internet2.middleware.shibboleth.idp.authn.provider.PreviousSessionLoginHandler@7ee46a, urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@c62c07, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@749ebc}
10:37:27.424 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:328] - Filtering out previous session login handler because there is no existing IdP session
10:37:27.424 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:460] - Selecting appropriate login handler from filtered set {urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified=edu.internet2.middleware.shibboleth.idp.authn.provider.RemoteUserLoginHandler@c62c07, urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport=edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler@749ebc}
10:37:27.424 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.AuthenticationEngine:493] - Authenticating user with login handler of type edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler
10:37:27.424 - DEBUG [edu.internet2.middleware.shibboleth.idp.util.HttpServletHelper:169] - Storing LoginContext to StorageService partition loginContexts, key 0bc3e7e8-4985-46e9-ae63-2f3abb3559c0
10:37:27.425 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginHandler:66] - Redirecting to https://xxxxxxxxx.xxxxxx.net:443/idp/Authn/UserPassword
10:37:27.515 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:134] - Redirecting to login page /login.jsp
10:37:39.119 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:154] - Attempting to authenticate user yyyyyyy.xxxxx
10:37:39.140 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144] - Begin initialize
10:37:39.140 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - useFirstPass = false
10:37:39.140 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181] - tryFirstPass = false
10:37:39.140 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182] - storePass = false
10:37:39.144 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183] - clearPass = false
10:37:39.144 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184] - setLdapPrincipal = true
10:37:39.144 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185] - setLdapDnPrincipal = false
10:37:39.144 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186] - setLdapCredential = true
10:37:39.144 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187] - defaultRole = []
10:37:39.145 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
10:37:39.145 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
10:37:39.145 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
10:37:39.150 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: ONELEVEL
10:37:39.152 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1770] - setting property baseDN: dc=mmmmmmmm,dc=yyy
10:37:39.152 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting subtreeSearch: true
10:37:39.152 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: SUBTREE
10:37:39.153 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting ldapUrl: ldaps://xxxxxxxdc1.yyyyyyyy.net ldaps://xxxxxxdc2.yyyyyyy.net
10:37:39.154 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1276] - setting bindDn: yyyyyyyyyy.xxxxxxx@xxx.edu
10:37:39.154 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting userFilter: email={0}
10:37:39.154 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1309] - setting bindCredential: <suppressed>
10:37:39.155 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@5651650::env={java.naming.provider.url=ldaps://xxxxxxxdc1.xxxxxx.net ldaps://xxxxxxxdc2.xxxxxxx.net, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, baseDN=dc=xxxxxxx,dc=net}
10:37:39.156 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412] - Begin getCredentials
10:37:39.156 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413] - useFistPass = false
10:37:39.156 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414] - tryFistPass = false
10:37:39.156 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415] - useCallback = false
10:37:39.157 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416] - callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHandler
10:37:39.157 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419] - name callback class = javax.security.auth.callback.NameCallback
10:37:39.157 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421] - password callback class = javax.security.auth.callback.PasswordCallback
10:37:39.158 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
10:37:39.158 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
10:37:39.159 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn =
10:37:39.159 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter = email={0}
10:37:39.159 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs = [xxxxxxx.yyyyyyy]
10:37:39.159 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls = javax.naming.directory.SearchControls@14a1ab7
10:37:39.159 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@200d0c]
10:37:39.159 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config = {java.naming.provider.url=ldaps://xxxxxxx.yyyyyyy.net ldaps://xxxxxxx.yyyyyyy.net, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, baseDN=dc=fffffff,dc=net}
10:37:39.160 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: DEFAULT
10:37:39.160 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
10:37:39.160 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0} Attempting connection to ldaps://xxxxxxx.yyyyyyy.net ldaps://xxxxxxx.yyyyyyy.net for strategy DEFAULT
10:37:39.160 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
10:37:39.160 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - authtype = simple
10:37:39.161 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn = yyyyyyy.mmmmmmm@umb.edu
10:37:39.161 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] - credential = <suppressed>
10:37:39.161 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://xxxxxxx.yyyyyyy.net ldaps://xxxxxxx.yyyyyyy.net, baseDN=dc=fffffff,dc=net}
10:37:39.382 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:164] - Error occured attempting authentication
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E5, problem 2001 (NO_OBJECT), data 0, best match of: ''
Leonard Kroll
UNIX / GIS Administrator
Univ. Massachusetts Boston
Leonard(dot)Kroll(at)umb.edu
Phone: 617-287-5048
fax: 617-287-5224
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
On Behalf Of Manuel Haim
Sent: Monday, September 19, 2011 10:02 AM
To: Shib Users
Subject: Re: FW: help, having problems authenticating user with LDAP
Hi,
your login.config looks quite strange - it must contain a JAAS config
as described here:
http://code.google.com/p/vt-middleware/wiki/vtldapJAAS
Remember that the JAAS config looks different from the XML in
attribute-resolver.xml.
Here is an example config (the {0} will be replaced by your
principalName when executed):
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://xxxxxxdc1.yyyyy.net ldap://xxxxxxdc2.yyyyyyy.net"
        baseDn="dc=umassb,dc=net"
        bindDn="uid=yourProxyUser,ou=proxy,dc=umassb,dc=net"
        bindCredential="yourPassword"
        userFilter="uid={0}"
        subtreeSearch="true";
};
-Manuel