Help with LDAP authentication
Rod Widdowson
rdw at steadingsoftware.com
Fri Nov 16 12:16:53 EST 2012
So scratch that idea. I have run just fine against AD with java 6.
What I usually do in this situation is poke at the AD LDAP from a java based LDAP browser (use a java based one then you are at least comparing similar beasts).
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Wynne, David
Sent: 16 November 2012 16:47
To: Shib Users
Subject: RE: Help with LDAP authentication
I am running Shib idp on an OpenSuSe 12.1 64 bit box. The actual version of java is:
java-1_6_0-openjdk-1.6.0.0_b24.1.11.1-3.1.x86_64
so 1.6.0 is the short answer.
idp is implemented as a java servlet ( ? ) under apache-tomcat-6.0.36.
Dave
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Rod Widdowson
Sent: 16 November 2012 16:39
To: 'Shib Users'
Subject: RE: Help with LDAP authentication
Which version of Java (and which version of Windows)? There was a rumour a few months back that this was java version dependent. I have not been able to reproduce this but I mention it.
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Wynne, David
Sent: 16 November 2012 15:24
To: users at shibboleth.net
Subject: Help with LDAP authentication
I've been trying for about a week to get this working.
I'm trying to authenticate with our Microsoft Active Directory service, so the following configs are relevant:
login-config
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://bydc1.jmu.ac.uk"
        baseDn="ou=people, dc=jmu, dc=ac, dc=uk"
        ssl="false"
        // 16/11/2012 D.Wynne Have to BIND with correct user credentials
        bindDn="cn=XXXXXXXX at jmu.ac.uk"
        bindCredential="XXXXXXXX"
With our AD you have to have a valid account in this file as it doesn't allow anonymous binding. If I leave this out I get a java
exception error in idp-process.log. Took me a while to figure that out.
Now I've uploaded the XML file to testshib & I can access our login page ( login.jsp ). No matter what I type in the Username /
Password field I always get
Credentials not recognised.
I've had a self signed certificate for our Apache server for years but it's different from the IDP build. How do I make the idp one
the same ? Could this be the cause ?
Thanks in advance. Any help appreciated.
There aren't any errors in the idp-process.log & I have DEBUG logging for the LDAP connection:
14:38:20.989 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.AttributeResolver
14:38:21.027 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for PrincipalConnector plugin with ID: shibTransient
14:38:21.027 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for PrincipalConnector plugin with ID: saml1Unspec
14:38:21.027 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for PrincipalConnector plugin with ID: saml2Transient
14:38:21.034 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for DataConnector plugin with ID: myLDAP
14:38:21.043 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for AttributeDefinition plugin with ID: email
14:38:21.050 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing
configuration for AttributeDefinition plugin with ID: transientId
14:38:21.092 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
14:38:21.092 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
14:38:21.093 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = XXXXXXXX at jmu.ac.uk
14:38:21.093 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
14:38:21.385 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = XXXXXXXX at jmu.ac.uk
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
14:38:21.390 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.AttributeResolver service
loaded new configuration
14:38:21.401 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.AttributeFilterEngine
14:38:21.422 - INFO
[edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:72] - Parsing
configuration for attribute filter policy releaseTransientIdToAnyone
14:38:21.446 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.AttributeFilterEngine service
loaded new configuration
14:38:21.452 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.SAML1AttributeAuthority
14:38:21.458 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.SAML2AttributeAuthority
14:38:21.465 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.RelyingPartyConfigurationManager
14:38:21.541 - INFO
[edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73] - Parsing
configuration for relying party with id: anonymous
14:38:21.541 - INFO
[edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73] - Parsing
configuration for relying party with id: default
14:38:21.564 - INFO [edu.internet2.middleware.shibboleth.common.config.security.AbstractX509CredentialBeanDefinitionParser:63] -
Parsing configuration for X509Filesystem credential with id: IdPCredential
14:38:21.784 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineBeanDefinitionParser:59]
- Parsing configuration for SignatureChaining trust engine with id: shibboleth.SignatureTrustEngine
14:38:21.785 - INFO
[edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeySignatureTrustEngineBeanDefinitionParser:50] -
Parsing configuration for MetadataExplicitKeySignature trust engine with id: shibboleth.SignatureMetadataExplicitKeyTrustEngine
14:38:21.786 - INFO
[edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXSignatureTrustEngineBeanDefinitionParser:52] - Parsing
configuration for MetadataPKIXSignature trust engine with id: shibboleth.SignatureMetadataPKIXTrustEngine
14:38:21.787 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineBeanDefinitionParser:59] -
Parsing configuration for Chaining trust engine with id: shibboleth.CredentialTrustEngine
14:38:21.787 - INFO
[edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeyTrustEngineBeanDefinitionParser:48] - Parsing
configuration for MetadataExplicitKey trust engine with id: shibboleth.CredentialMetadataExplictKeyTrustEngine
14:38:21.788 - INFO
[edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXX509CredentialTrustEngineBeanDefinitionParser:52] - Parsing
configuration for MetadataPKIXX509Credential trust engine with id: shibboleth.CredentialMetadataPKIXTrustEngine
14:38:21.789 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.ShibbolethSSOSecurityPolicy
14:38:21.794 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML1AttributeQuerySecurityPolicy
14:38:21.798 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML1ArtifactResolutionSecurityPolicy
14:38:21.800 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2SSOSecurityPolicy
14:38:21.803 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2AttributeQuerySecurityPolicy
14:38:21.804 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2ArtifactResolutionSecurityPolicy
14:38:21.806 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] -
Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2SLOSecurityPolicy
14:38:22.429 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] -
shibboleth.RelyingPartyConfigurationManager service loaded new configuration
14:38:22.435 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service
shibboleth.HandlerManager
14:38:22.448 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser:46] - Parsing
configuration for JSP error handler.
14:38:22.449 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: Status
14:38:22.450 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAMLMetadata
14:38:22.453 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: ShibbolethSSO
14:38:22.454 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML1AttributeQuery
14:38:22.455 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML1ArtifactResolution
14:38:22.457 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2SSO
14:38:22.458 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2SSO
14:38:22.458 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2SSO
14:38:22.458 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2SSO
14:38:22.459 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2ECP
14:38:22.460 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2AttributeQuery
14:38:22.461 - INFO
[edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing
configuration for profile handler: SAML2ArtifactResolution
14:38:22.602 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.HandlerManager service loaded
new configuration
14:38:40.654 - INFO [Shibboleth-Access:74] - 20121116T143840Z|150.204.48.5|java.cms.livjm.ac.uk:443|/profile/SAML2/Redirect/SSO|
Dave Wynne
Senior Technical Officer
School Of Computing & Maths
James Parsons Building
Liverpool John Moores University
Byrom Street
Liverpool L3 3AF
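An added example, not part of the original thread and not Shibboleth or vt-ldap code: a small Python check that parses the LdapLoginModule stanza quoted above and flags what is visible in it (plain ldap:// with ssl="false" alongside the simple bind in the debug log, no user lookup attribute, no subtree search). The option names userFilter, userField, tls and subtreeSearch are vt-ldap JAAS options that do not appear in the post; the severities and the sAMAccountName hint are assumptions of this example.

```python
import re

# Constructed sample: the stanza quoted in the thread, bind account redacted.
SAMPLE = '''
edu.vt.middleware.ldap.jaas.LdapLoginModule required
  ldapUrl="ldap://bydc1.jmu.ac.uk"
  baseDn="ou=people, dc=jmu, dc=ac, dc=uk"
  ssl="false"
  // service account: AD refuses anonymous binds
  bindDn="REDACTED"
  bindCredential="REDACTED"
'''

def parse_options(stanza):
    """Return the key="value" options of one JAAS login-module stanza."""
    # Drop // comments, but keep the "//" inside quoted values such as ldap://
    text = re.sub(r'"[^"]*"|//[^\n]*',
                  lambda m: m.group(0) if m.group(0).startswith('"') else '',
                  stanza)
    return dict(re.findall(r'(\w+)\s*=\s*"([^"]*)"', text))

def review(opts):
    """Return (severity, message) findings for an LdapLoginModule stanza."""
    findings = []
    url = opts.get('ldapUrl', '')
    encrypted = (url.lower().startswith('ldaps://')
                 or opts.get('ssl', 'false').lower() == 'true'
                 or opts.get('tls', 'false').lower() == 'true')
    if not encrypted:
        findings.append(('HIGH', 'simple bind over plain ldap://: bindCredential '
                         'and every user password cross the network unencrypted'))
    if 'userFilter' not in opts and 'userField' not in opts:
        findings.append(('MEDIUM', 'no userFilter/userField: the login name may '
                         'not map to an AD entry (AD usually needs sAMAccountName)'))
    if opts.get('subtreeSearch', 'false').lower() != 'true':
        findings.append(('INFO', 'subtreeSearch is off: accounts in OUs below '
                         'baseDn are not searched'))
    return findings

if __name__ == '__main__':
    for severity, message in review(parse_options(SAMPLE)):
        print(f'{severity:6} {message}')
```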