Multiple Logon Credentials
Miller, Greg
gmiller at richmond.edu
Wed Sep 21 13:45:18 BST 2011
Hello,
I am attempting to offer our users the ability to log on to the Shibboleth IdP with either their "cn" or "mail" attribute in LDAP. This would give users the option of logging in with their NetID or their @richmond.edu email address.
I have login.config set up as follows:
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap://ldap.richmond.edu:389"
        base="ou=people,dc=richmond,dc=edu"
        tls="true"
        userField="cn,mail"
        serviceUser="cn=XXXXX,dc=richmond,dc=edu"
        serviceCredential="XXXXX"
    ;
This appears to be working. However, attribute resolution is failing when I log on with the "mail" attribute instead of the "cn" attribute.
Here is an excerpt from attribute-resolver:
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldaps://ldap.richmond.edu" baseDN="ou=people,dc=richmond,dc=edu" principal="cn=XXXX,dc=richmond,dc=edu"
        principalCredential="XXXX">
        <FilterTemplate>
            <![CDATA[
                (cn=$requestContext.principalName)
            ]]>
        </FilterTemplate>
    </resolver:DataConnector>
I suspect that I need to modify the "FilterTemplate" directive, but I am not sure how to do so. I have reviewed the list archives and the relevant documentation, but am still not sure how to configure this correctly.
Any help would be appreciated.
Greg Miller
University of Richmond
gmiller at richmond.edu
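The failure described in the message above, reproduced as an added example (not part of the original post and not Shibboleth code): a filter on cn alone finds nothing when the login name is a mail address, while an OR filter over cn and mail resolves either form to the same entry. The directory entries, the function names and the small matcher are constructed for illustration, and it is an assumption that the principal name is exactly what the user typed; the value is escaped per RFC 4515 so a login such as "*" stays a literal.

```python
import re

# RFC 4515: characters that must be written as \XX inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TERM = re.compile(r"\((\w+)=([^()]*)\)")
_TOKEN = re.compile(r"(\*|\\[0-9a-fA-F]{2})")

# Constructed sample entries (not real accounts).
DIRECTORY = [
    {"cn": "jdoe", "mail": "jdoe@example.edu"},
    {"cn": "asmith", "mail": "asmith@example.edu"},
]

def escape_value(value):
    """Escape a login name so it can only ever be a literal in a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def build_filter(principal, attrs=("cn", "mail"), escape=True):
    """Build (attr=principal), or an OR over several attributes."""
    value = escape_value(principal) if escape else principal
    terms = "".join(f"({attr}={value})" for attr in attrs)
    return f"(|{terms})" if len(attrs) > 1 else terms

def _assertion_regex(assertion):
    # A bare * is a wildcard; \XX is one literal character; the rest is literal.
    out = []
    for tok in _TOKEN.split(assertion):
        if tok == "*":
            out.append(".*")
        elif _TOKEN.fullmatch(tok):
            out.append(re.escape(chr(int(tok[1:], 16))))
        else:
            out.append(re.escape(tok))
    return re.compile("".join(out), re.IGNORECASE)

def search(directory, ldap_filter):
    """Hypothetical matcher: equality/wildcard terms only, alone or OR-ed."""
    terms = [(a, _assertion_regex(v)) for a, v in _TERM.findall(ldap_filter)]
    return [e for e in directory
            if any(rx.fullmatch(e.get(a, "")) for a, rx in terms)]

if __name__ == "__main__":
    for login in ("jdoe", "jdoe@example.edu", "*"):
        f = build_filter(login)
        print(login, "->", f, search(DIRECTORY, f))
```

With this filter both login forms resolve to one entry, but the principal name itself still differs between the two logins, so anything keyed on the principal name sees two identities for one person.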