Externalizing parameters in attribute-resolver.xml to a properties file

Christopher Bongaarts cab at umn.edu
Mon Aug 27 12:13:25 EDT 2012


On 8/27/2012 10:51 AM, Smith, Matthew J. wrote:

> I'd like to store Shib IdP configs in our git VCS, but do not want to
> check in files with sensitive information.  Is it possible to
> externalize parameters, such as the principalCredential of the LDAP
> DataConnector, to an external properties file which can be referenced
> by attribute-resolver.xml?  I have searched the wiki to no avail, but
> if documentation for this already does exist, please feel free to
> just hit me over the head with it.

   https://wiki.shibboleth.net/confluence/display/SHIB2/IdPConfigResource

As an example, our services.xml:

     <srv:Service id="shibboleth.AttributeResolver"
                  xsi:type="attribute-resolver:ShibbolethAttributeResolver"
                  configurationResourcePollingFrequency="PT3M"
                  configurationResourcePollingRetryAttempts="5">
         <srv:ConfigurationResource
                  file="/.../idp/conf/attribute-resolver.xml"
                  xsi:type="resource:FilesystemResource">
             <ResourceFilter xsi:type="PropertyReplacement"
                  xmlns="urn:mace:shibboleth:2.0:resource"
                  propertyFile="/.../idp/conf/attribute-resolver.xml.properties"/>
         </srv:ConfigurationResource>
     </srv:Service>

Then in attribute-resolver.xml:

     <resolver:DataConnector id="umnLDAP" xsi:type="LDAPDirectory"
         xmlns="urn:mace:shibboleth:2.0:resolver:dc"
         ldapURL="${ldap.url}"
         baseDN="o=university of minnesota,c=us"
         principal="cn=Shibboleth Manager,ou=Application Services,o=University of Minnesota,c=US"
         principalCredential="${ldap.password}">

Then in attribute-resolver.xml.properties:

ldap.url = ldap://ldap1.umn.edu ldap://ldap2.umn.edu ldap://ldap3.umn.edu
ldap.password = yeah_you_wish

-- 
%%  Christopher A. Bongaarts   %%  cab at umn.edu          %%
%%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
%%  University of Minnesota    %%  +1 (612) 625-1809    %%
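Added example, not code from the post or from the Shibboleth project: a pre-commit style check (assumed helper names parse_properties and check_resolver, constructed sample config and properties) that confirms the credential attributes in attribute-resolver.xml are ${placeholder} references, as the PropertyReplacement filter above expects, and that every placeholder resolves in the external properties file before the XML is committed.

```python
import re
import xml.etree.ElementTree as ET

# Attributes whose literal value must never reach the repository
# (assumption: extend with other connectors' credential attributes).
SECRET_ATTRS = {"principalCredential", "jdbcPassword"}
PLACEHOLDER = re.compile(r"^\$\{([\w.-]+)\}$")

# Constructed sample inputs modelled on the message above (not real values).
RESOLVER_XML = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="umnLDAP" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc" ldapURL="${ldap.url}"
      principalCredential="${ldap.password}"/>
  <resolver:DataConnector id="hrDB" xsi:type="RelationalDatabase"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc">
    <ApplicationManagedConnection jdbcURL="${db.url}"
        jdbcUserName="${db.user}" jdbcPassword="hunter2"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""
PROPERTIES = """# kept out of git, file mode 0600
ldap.url = ldap://ldap1.example.edu ldap://ldap2.example.edu
ldap.password = not-the-real-password
db.url: jdbc:postgresql://db.example.edu/hr
"""

def parse_properties(text):
    """Minimal Java .properties reader: 'key = value' or 'key: value'."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)$", line)
        props[m.group(1)] = m.group(2)
    return props

def check_resolver(xml_text, props):
    """Return sorted findings; an empty list means the XML is safe to commit."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = elem.tag.rsplit("}", 1)[-1]   # strip the namespace URI
        for name, value in elem.attrib.items():
            m = PLACEHOLDER.match(value)
            if name in SECRET_ATTRS and not m:
                findings.append(f"{tag}: literal {name} would be committed")
            elif m and m.group(1) not in props:
                findings.append(f"{tag}: ${{{m.group(1)}}} missing from properties")
    return sorted(findings)
```

Run check_resolver(RESOLVER_XML, parse_properties(PROPERTIES)) from a pre-commit hook and refuse the commit when the list is non-empty; the sample data deliberately trips both checks on the hrDB connector.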

