Simple LDAP authentication not working?

Robert Roll Robert.Roll at utah.edu
Tue Jan 31 15:58:27 GMT 2012


I'm having trouble configuring a simple LDAP authentication.
I'm wondering if someone has any clues what might be wrong.
Below are my ShibUserPassAuth config, the Shib LDAP debug output and
logs from the LDAP server seeming to indicate a dn="" was used to attempt the lookup?

I believe I have a privileged DN configured:

   bindDN="cn=Directory Manager"

I believe the log entry below shows that to be the case?

16:44:19.062 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig at 860265065::env={java.naming.provider.url=ldaps://wa2.cc.utah.edu, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, bindDN=cn=Directory Manager, java.naming.security.protocol=ssl}


Any idea what I'm doing wrong? I thought the documentation was a little bit terse on the config.

What I really want to happen is for the authentication to be done by trying to bind to the directory
as the user in question. I assume that the lookup via the privileged DN should return the DN of the user
in question and then a bind attempt against the directory should be done?

Thanks,

Robert


###################   ShibUserPassAuth

ShibUserPassAuth {

// Example LDAP authentication
// See: https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="ldaps://wa2.cc.utah.edu"
      baseDn="ou=people,o=utah.edu,o=ATS"
      ssl="true"
      bindDN="cn=Directory Manager"
      bindCredential="XXXXXXXXX"
      userFilter="unid={0}";
};


#####################  Shib ldap debug output ##############################



16:43:28.128 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.HandlerManager service loaded new configuration
16:44:03.893 - INFO [Shibboleth-Access:74] - 20120130T234403Z|128.110.165.208|incommon1.sso.utah.edu:443|/profile/SAML2/Redirect/SSO|
16:44:19.029 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - useFirstPass = false
16:44:19.030 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181] - tryFirstPass = false
16:44:19.031 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182] - storePass = false
16:44:19.031 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183] - clearPass = false
16:44:19.031 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184] - setLdapPrincipal = true
16:44:19.031 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185] - setLdapDnPrincipal = false
16:44:19.032 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186] - setLdapCredential = true
16:44:19.032 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187] - defaultRole = []
16:44:19.032 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
16:44:19.032 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
16:44:19.033 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
16:44:19.062 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig at 860265065::env={java.naming.provider.url=ldaps://wa2.cc.utah.edu, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, bindDN=cn=Directory Manager, java.naming.security.protocol=ssl}
16:44:19.072 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
16:44:19.073 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
16:44:19.073 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = ou=people,o=utah.edu,o=ATS
16:44:19.073 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = unid={0}
16:44:19.079 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [u0105078]
16:44:19.079 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls at 66de04cd
16:44:19.080 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 7a0d637d]
16:44:19.080 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
16:44:19.080 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple
16:44:19.081 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn = null
16:44:19.081 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>
16:44:19.234 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: u0105078 failed using filter: unid={0}
16:44:19.258 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed
javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
	at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:160) ~[vt-ldap-3.3.4.jar:na]
	at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.4.jar:na]
	at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.4.jar:na]
	at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.4.jar:na]




################## Output from the LDAP server that seems to indicate a lookup using a dn=""

[30/Jan/2012:16:45:34 -0700] conn=301811 op=-1 msgId=-1 - fd=26 slot=26 LDAPS connection from 155.97.165.135 to 155.97.157.156
[30/Jan/2012:16:45:34 -0700] conn=301811 op=-1 msgId=-1 - SSL 128-bit RC4
[30/Jan/2012:16:45:34 -0700] conn=301811 op=0 msgId=1 - BIND dn="" method=128 version=3
[30/Jan/2012:16:45:34 -0700] conn=301811 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2012:16:45:34 -0700] conn=301811 op=1 msgId=2 - SRCH base="ou=people,o=utah.edu,o=ats" scope=1 filter="(unid=u0105078)" attrs="1.1"
[30/Jan/2012:16:45:34 -0700] conn=301811 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2012:16:45:34 -0700] conn=301811 op=2 msgId=3 - UNBIND
[30/Jan/2012:16:45:34 -0700] conn=301811 op=2 msgId=-1 - closing - U1
[30/Jan/2012:16:45:34 -0700] conn=301811 op=-1 msgId=-1 - closed.
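The server-side evidence in the post (an anonymous BIND accepted with err=0, followed by a search that matched nothing) is worth checking mechanically whenever an IdP's LDAP login fails, because the client-side debug output alone only shows dn = null. The following Python is an added example, not part of the original post and not code from the vt-ldap or Shibboleth projects: it replays access-log lines in the Sun/389 Directory Server format shown above, tracks which DN each connection was bound as at the moment each search ran, and flags searches performed anonymously, searches that matched nothing, and rejected user binds. The conn=301811 lines are the post's own; the conn=301812 and conn=301813 lines, including the user DN in them, are constructed here to show what a working search-then-bind sequence looks like on the server side.

```python
"""Added diagnostic: replay directory access-log lines (Sun/389 DS style) to
show which identity each search ran under.  conn=301811 is from the post;
conn=301812 and conn=301813 are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LINE_RE = re.compile(r'^\[[^\]]+\] conn=(?P<conn>\d+) op=(?P<op>-?\d+) msgId=-?\d+ - (?P<body>.*)$')
BIND_RE = re.compile(r'^BIND dn="(?P<dn>[^"]*)"')
SRCH_RE = re.compile(r'^SRCH base="(?P<base>[^"]*)" scope=\d+ filter="(?P<filter>[^"]*)"')
RESULT_RE = re.compile(r'^RESULT err=(?P<err>\d+) tag=(?P<tag>\d+) nentries=(?P<n>\d+)')

TAG_BIND_RESPONSE = 97      # protocol op tags as the server logs them
TAG_SEARCH_DONE = 101
ERR_INVALID_CREDENTIALS = 49


@dataclass
class Bind:
    conn: str
    dn: str                     # "" means an anonymous bind
    err: Optional[int] = None


@dataclass
class Search:
    conn: str
    bound_as: str               # identity the connection held when the search ran
    base: str
    filter: str
    err: Optional[int] = None
    nentries: Optional[int] = None


def analyze(log_text: str) -> Tuple[List[Bind], List[Search]]:
    """Replay the log per connection, pairing each BIND/SRCH with its RESULT."""
    bound: Dict[str, str] = {}                    # conn -> DN currently bound
    pending: Dict[Tuple[str, str], object] = {}   # (conn, op) -> record awaiting RESULT
    binds: List[Bind] = []
    searches: List[Search] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        conn, body = m['conn'], m['body']
        key = (conn, m['op'])
        if (b := BIND_RE.match(body)):
            rec = Bind(conn, b['dn'])
            binds.append(rec)
            pending[key] = rec
        elif (s := SRCH_RE.match(body)):
            rec = Search(conn, bound.get(conn, ''), s['base'], s['filter'])
            searches.append(rec)
            pending[key] = rec
        elif (r := RESULT_RE.match(body)) and key in pending:
            rec = pending.pop(key)
            err, tag, n = int(r['err']), int(r['tag']), int(r['n'])
            if isinstance(rec, Bind) and tag == TAG_BIND_RESPONSE:
                rec.err = err
                # Only a successful bind changes the identity; a failed bind
                # leaves the connection anonymous, as the server itself does.
                bound[conn] = rec.dn if err == 0 else ''
            elif isinstance(rec, Search) and tag == TAG_SEARCH_DONE:
                rec.err, rec.nentries = err, n
        elif body.startswith('UNBIND'):
            bound.pop(conn, None)
    return binds, searches


def findings(binds: List[Bind], searches: List[Search]) -> List[str]:
    """Reduce the replay to the questions a practitioner actually asks."""
    out = []
    for b in binds:
        if b.dn == '' and b.err == 0:
            out.append(f'conn={b.conn}: server accepted an ANONYMOUS bind')
        elif b.dn and b.err == ERR_INVALID_CREDENTIALS:
            out.append(f'conn={b.conn}: bind as "{b.dn}" rejected (invalid credentials)')
    for s in searches:
        if s.bound_as == '':
            out.append(f'conn={s.conn}: search {s.filter} ran anonymously, '
                       f'nentries={s.nentries}: the configured service DN was never used')
        elif s.nentries == 0:
            out.append(f'conn={s.conn}: bound as "{s.bound_as}" but {s.filter} matched nothing')
    return out


SAMPLE_LOG = """\
[30/Jan/2012:16:45:34 -0700] conn=301811 op=-1 msgId=-1 - fd=26 slot=26 LDAPS connection from 155.97.165.135 to 155.97.157.156
[30/Jan/2012:16:45:34 -0700] conn=301811 op=0 msgId=1 - BIND dn="" method=128 version=3
[30/Jan/2012:16:45:34 -0700] conn=301811 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn=""
[30/Jan/2012:16:45:34 -0700] conn=301811 op=1 msgId=2 - SRCH base="ou=people,o=utah.edu,o=ats" scope=1 filter="(unid=u0105078)" attrs="1.1"
[30/Jan/2012:16:45:34 -0700] conn=301811 op=1 msgId=2 - RESULT err=0 tag=101 nentries=0 etime=0
[30/Jan/2012:16:45:34 -0700] conn=301811 op=2 msgId=3 - UNBIND
[30/Jan/2012:16:50:01 -0700] conn=301812 op=0 msgId=1 - BIND dn="cn=Directory Manager" method=128 version=3
[30/Jan/2012:16:50:01 -0700] conn=301812 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[30/Jan/2012:16:50:01 -0700] conn=301812 op=1 msgId=2 - SRCH base="ou=people,o=utah.edu,o=ats" scope=1 filter="(unid=u0105078)" attrs="1.1"
[30/Jan/2012:16:50:01 -0700] conn=301812 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
[30/Jan/2012:16:50:01 -0700] conn=301813 op=0 msgId=1 - BIND dn="unid=u0105078,ou=people,o=utah.edu,o=ats" method=128 version=3
[30/Jan/2012:16:50:01 -0700] conn=301813 op=0 msgId=1 - RESULT err=49 tag=97 nentries=0 etime=0
"""

if __name__ == '__main__':
    for line in findings(*analyze(SAMPLE_LOG)):
        print(line)
```

For the post's own connection the output says the directory accepted an anonymous bind and that the search for unid=u0105078 ran under that anonymous identity, which matches the client-side debug line showing the bind with dn = null even though bindDN appears in the JNDI environment map. The constructed conn=301812 and conn=301813 lines show the healthy shape of search-then-bind: the service account binds and the search returns one entry, then a second connection binds as the resolved user DN and the directory answers with err=0 or err=49 depending on the password. A directory that does not need anonymous access should be configured to reject dn="" binds, so a misconfigured client fails loudly instead of silently searching with no rights.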


