Trying to figure what the LDAP problem is:

Douglas E. Engert deengert at anl.gov
Mon Sep 26 16:36:26 BST 2011



On 9/26/2011 10:01 AM, Leonard Kroll wrote:
> Hi, I got the DN to work when Binding a user to perform the LDAP lookup.
>
> I am using MS LDAP if that makes any difference.
>
> But I get the email and DN error that follows. Any Ideas?
>
> I would like to authenticate against either the email address or the sAMAddressName in the ldap.


AD does not have attributes of email or sAMAddressName.
Your filter needs to use the attribute names as found in AD.
Did you mean mail or sAMAccountName?

Mail is not unique and there might be multiple accounts with the same mail address
unless you enforce by policy.

With AD you may want to consider using the com.sun.security.auth.module.Krb5LoginModule,
as the Kerberos principal is either sAMAccountName@domain or the UserPrincipalName.


>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="email" sourceAttributeID="mail">
>
> <resolver:Dependency ref="myLDAP" />
>
> <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" />
>
> <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
>
> </resolver:AttributeDefinition>
>
> 10:47:22.385 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: Aaaaaaa.bbbbbbb at umb.edu failed using filter: email={0}
>
> 10:47:22.386 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
>
> 10:47:22.375 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator:
> edu.vt.middleware.ldap.auth.AuthenticatorConfig at 26192386::env={java.naming.provider.url=ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
>
> 10:47:22.375 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412] - Begin getCredentials
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413] -useFistPass = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414] -tryFistPass = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415] -useCallback = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416] -callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHandler
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419] -name callback class = javax.security.auth.callback.NameCallback
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421] -password callback class = javax.security.auth.callback.PasswordCallback
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
>
> :
>
> 10:47:22.372 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
>
> 10:47:22.372 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
>
> 10:47:22.372 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
>
> 10:47:22.373 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: ONELEVEL
>
> 10:47:22.374 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting subtreeSearch: true
>
> 10:47:22.374 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: SUBTREE
>
> 10:47:22.374 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting baseDn: OU=sssss,DC=dddddd,DC=net
>
> 10:47:22.374 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting ldapUrl: ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4
>
> 10:47:22.375 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1276] - setting bindDn: CN=aaaaaaa bbbbbb,OU=sssss,DC=dddddd,DC=net
>
> 10:47:22.375 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting userFilter: email={0}
>
> 10:47:22.375 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1309] - setting bindCredential: <suppressed>
>
> 10:47:22.375 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator:
> edu.vt.middleware.ldap.auth.AuthenticatorConfig at 26192386::env={java.naming.provider.url=ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
>
> 10:47:22.375 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412] - Begin getCredentials
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413] -useFistPass = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414] -tryFistPass = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415] -useCallback = false
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416] -callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHandler
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419] -name callback class = javax.security.auth.callback.NameCallback
>
> 10:47:22.376 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421] -password callback class = javax.security.auth.callback.PasswordCallback
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -dn = OU=sssss,DC=dddddd,DC=net
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -filter = email={0}
>
> 10:47:22.377 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -filterArgs = [Aaaaaaa.bbbbbbb at umb.edu]
>
> 10:47:22.378 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -searchControls = javax.naming.directory.SearchControls at e26d2e
>
> 10:47:22.378 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 16e1ccd]
>
> 10:47:22.378 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] -config = {java.naming.provider.url=ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
>
> 10:47:22.378 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: DEFAULT
>
> 10:47:22.378 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
>
> 10:47:22.378 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0} Attempting connection to ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4 for strategy DEFAULT
>
> 10:47:22.379 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
>
> 10:47:22.379 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -authtype = simple
>
> 10:47:22.379 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -dn = CN=Aaaaaaa bbbbb,OU=sssss,DC=umassb,DC=net
>
> 10:47:22.379 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -credential = <suppressed>
>
> 10:47:22.379 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] -env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://xxx.xxx.xxx.xxx3 ldap://xxx.xxx.xxx.xxx4}
>
> 10:47:22.385 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: Aaaaaaa.bbbbbbb at umb.edu failed using filter: email={0}
>
> 10:47:22.386 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed
>
> javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
>
> at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:160) ~[vt-ldap-3.3.4.jar:na]
>
> at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.4.jar:na]
>
> at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.4.jar:na]
>
> at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.4.jar:na]
>
> at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.4.jar:na]
>
> Leonard Kroll
> UNIX / GIS Administrator
> Univ. Massachusetts Boston
> Leonard(dot)Kroll(at)umb.edu
> Phone: 617-287-5048
> fax: 617-287-5224
>
> ----------------------------------------------------------------
>
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Daniel Fisher
> Sent: Friday, September 23, 2011 4:39 PM
> To: Shib Users
> Subject: Re: Trying to figure where the problem is:
>
> On Fri, Sep 23, 2011 at 4:09 PM, Leonard Kroll <Leonard.Kroll at umb.edu <mailto:Leonard.Kroll at umb.edu>> wrote:
>
>     I am new to the LDAP world.
>     Ok, I am now using the full DN in the bindDN field, I get an error 32, which means no data found.
>
>     Ldapsearch reads the LDAP fine using the same DN.
>
>     CN=aaaa bbbb, OU=sssssss,dc=umassb, dc=net.
>
>     Any Ideas how to get around this problem.
>
>     16:00:24.348 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config = {java.naming.provider.url=ldap://xxx.xxx.xxx.xxx ldap://xxx.xxx.xxx.xxx,
>     java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, baseDN=dc=umassb,dc=net}
>
> Looks like you're setting 'baseDN', that should be 'baseDn'. Not sure if that's your only problem, but fix that and report back.
>
> --Daniel Fisher
>
>
>

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
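The replies above make three points that a DN resolver can enforce mechanically: the search filter must name an attribute Active Directory actually has (mail or sAMAccountName, not email or sAMAddressName), a lookup by mail can match more than one account and must not silently bind the first hit, and the resolver's configuration keys are case-sensitive (baseDN is not baseDn). The following is an added example written for this thread, not code from vt-ldap or Shibboleth: a minimal resolver over a constructed in-memory directory that applies those checks. The attribute set, the sample entries, the DnResolutionError class and the explain helper are all assumptions made here; the configuration key names are the ones that appear in the "setting ..." log lines quoted above.

```python
# Added example, not code from the thread, vt-ldap or Shibboleth: a minimal
# DN resolver that validates the filter attribute, rejects ambiguous
# matches, and flags mis-cased configuration keys. Directory contents are
# constructed sample data.

# Attribute names present on AD user objects (subset, assumed here).
# "email" and "sAMAddressName" are deliberately absent: AD has no such attributes.
AD_USER_ATTRIBUTES = {"mail", "sAMAccountName", "userPrincipalName", "cn", "distinguishedName"}

# Configuration keys as spelled in the resolver's "setting ..." log lines.
# Lookups are case-sensitive, so a key such as "baseDN" is never applied.
KNOWN_CONFIG_KEYS = {"ldapUrl", "baseDn", "bindDn", "bindCredential",
                     "userFilter", "subtreeSearch", "searchScope"}

# Constructed directory standing in for the AD search base. Two entries share
# the same mail value on purpose: mail is not unique unless policy enforces it.
SAMPLE_DIRECTORY = [
    {"distinguishedName": "CN=Alice Example,OU=Staff,DC=example,DC=net",
     "sAMAccountName": "aexample", "userPrincipalName": "aexample@example.net",
     "mail": "alice.example@example.net"},
    {"distinguishedName": "CN=Alice Example (contractor),OU=Staff,DC=example,DC=net",
     "sAMAccountName": "aexample2", "userPrincipalName": "aexample2@example.net",
     "mail": "alice.example@example.net"},
    {"distinguishedName": "CN=Bob Example,OU=Staff,DC=example,DC=net",
     "sAMAccountName": "bexample", "userPrincipalName": "bexample@example.net",
     "mail": "bob.example@example.net"},
]


class DnResolutionError(Exception):
    """Raised when a user DN cannot be resolved unambiguously."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so the substituted value cannot change the filter's shape."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_user_filter(template: str, value: str) -> str:
    """Fill an 'attr={0}' template after checking that AD has the attribute."""
    attr, sep, rest = template.partition("=")
    if not sep or rest != "{0}":
        raise DnResolutionError("unsupported userFilter template: %r" % template)
    if attr not in AD_USER_ATTRIBUTES:
        raise DnResolutionError("attribute %r does not exist on AD users; "
                                "did you mean 'mail' or 'sAMAccountName'?" % attr)
    return "(%s=%s)" % (attr, escape_filter_value(value))


def search(directory: list, attr: str, value: str) -> list:
    """Simulated server-side equality match; mail and sAMAccountName compare case-insensitively in AD."""
    return [e for e in directory if e.get(attr, "").lower() == value.lower()]


def resolve_dn(template: str, value: str, directory: list = SAMPLE_DIRECTORY) -> str:
    """Resolve exactly one DN for the user, or raise DnResolutionError."""
    build_user_filter(template, value)          # validates attribute and template
    attr = template.partition("=")[0]
    matches = search(directory, attr, value)
    if not matches:
        raise DnResolutionError("no entry matched %s=%s" % (attr, value))
    if len(matches) > 1:
        raise DnResolutionError("%d entries matched %s=%s; refusing to pick one"
                                % (len(matches), attr, value))
    return matches[0]["distinguishedName"]


def explain(template: str, value: str) -> str:
    """Convenience wrapper returning 'ok: <dn>' or 'error: <reason>'."""
    try:
        return "ok: " + resolve_dn(template, value)
    except DnResolutionError as exc:
        return "error: " + str(exc)


def check_config_keys(config: dict) -> list:
    """Report keys the resolver would ignore, pointing out case-only mismatches."""
    by_lower = {k.lower(): k for k in KNOWN_CONFIG_KEYS}
    problems = []
    for key in config:
        if key in KNOWN_CONFIG_KEYS:
            continue
        hint = by_lower.get(key.lower())
        problems.append("%s (did you mean %s?)" % (key, hint) if hint else "%s (unknown)" % key)
    return problems


if __name__ == "__main__":
    for tmpl, val in [("email={0}", "alice.example@example.net"),
                      ("mail={0}", "alice.example@example.net"),
                      ("sAMAccountName={0}", "bexample")]:
        print(tmpl, val, "->", explain(tmpl, val))
    print(check_config_keys({"baseDN": "DC=example,DC=net", "ldapUrl": "ldap://ldap.example.net"}))
```

Running it shows the three failure modes side by side: the email filter is rejected before any search is sent, the mail lookup finds two accounts and refuses to choose, and only the sAMAccountName lookup returns a single DN. The config check reports baseDN as a case mismatch for baseDn, which is the kind of silently ignored key that leaves a resolver searching from the wrong base.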

