Help with LDAP authentication

Yeargan, Yancey Yancey.Yeargan at untsystem.edu
Fri Nov 16 12:22:11 EST 2012


When using the Active Directory User Principal Name (UPN) as LDAP login credentials, you do not use "cn=" at all. The user name would simply be "user at jmc.ac.uk". Active Directory accepts either a proper LDAP distinguished name or a UPN. Use the value of the "userPrincipalName" attribute from the user object in AD.

Yancey Yeargan
IT Manager
University of North Texas System
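As an added illustration of the UPN-versus-DN distinction made above (and of the point further down the thread that "cn=user@domain" is not a valid DN), the following Python check is not part of the original thread; it classifies a bind name as a userPrincipalName, an RFC 4514 distinguished name, or neither. The sample values are constructed placeholders, the DN handling is deliberately simplified (multi-valued "+" RDNs and hex-escaped values are not parsed), and it assumes an Active Directory target whose DNs end in dc= components.

```python
import re

# Attribute type: a descriptor such as cn, ou, dc, or a dotted OID.
_ATTR_TYPE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*$|^\d+(\.\d+)+$")
# UPN: local part (no '@', whitespace or '=') followed by a DNS domain.
_UPN = re.compile(r"^[^@\s=]+@([A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

def split_rdns(dn):
    """Split a DN on unescaped commas; backslash escapes are kept verbatim."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur).strip())
    return rdns

def classify_bind_name(value):
    """Return (kind, reason) where kind is 'upn', 'dn' or 'invalid'."""
    v = value.strip()
    if _UPN.match(v):
        return "upn", "userPrincipalName; use it as-is, with no cn= prefix"
    rdns = split_rdns(v)
    for rdn in rdns:
        attr, sep, val = rdn.partition("=")
        if not sep or not val.strip():
            return "invalid", f"RDN {rdn!r} is not type=value"
        if not _ATTR_TYPE.match(attr.strip()):
            return "invalid", f"bad attribute type in RDN {rdn!r}"
        if "@" in val and len(rdns) == 1:
            return "invalid", "cn=<UPN> mixes the two forms; use the UPN alone or a full DN"
    # Assumption: AD target, so a complete DN ends in the domain's dc= RDNs.
    if not any(r.lower().startswith("dc=") for r in rdns):
        return "invalid", "no dc= components; not a complete AD DN"
    return "dn", "RFC 4514 distinguished name"

if __name__ == "__main__":
    # Constructed placeholders, not real accounts or credentials.
    for s in ("cn=svc-idp,ou=people,dc=jmu,dc=ac,dc=uk",
              "svc-idp@jmu.ac.uk", "cn=svc-idp@jmu.ac.uk"):
        print(f"{s!r:45} -> {classify_bind_name(s)}")
```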



On Nov 16, 2012, at 10:57 AM, "Wynne, David" <D.Wynne at ljmu.ac.uk> wrote:

I think the BindDn is OK. It’s a new form called UPN I think.

Besides, I’m running the LDAP authentication in DEBUG mode and when I was getting it wrong the logs showed that, but now they are clear of such errors.

Dave

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Etan Weintraub
Sent: 16 November 2012 16:46
To: 'Shib Users'
Subject: RE: Help with LDAP authentication

The format for the BindDN also looks a bit off to me.

I think it should be something along the lines of “cn=XXXXX,ou=people,dc=jmc,dc=ac,dc=uk”. I don’t think “cn=XXXXX at jmc.ac.uk” is a valid format for a DN.

-Etan E. Weintraub
Sr. Systems Engineer
Directory Architecture
IT at Johns Hopkins
Johns Hopkins at Mt. Washington
5801 Smith Ave.
Suite 3110B
Baltimore, MD 21209
Phone: 410-735-7945
E-mail: eweintra at jhmi.edu

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Rod Widdowson
Sent: Friday, November 16, 2012 11:39 AM
To: 'Shib Users'
Subject: RE: Help with LDAP authentication

Which version of Java (and which version of Windows)? There was a rumour a few months back that this was Java version dependent. I have not been able to reproduce this but I mention it.

From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Wynne, David
Sent: 16 November 2012 15:24
To: users at shibboleth.net
Subject: Help with LDAP authentication

I've been trying for about a week to get this working.

I'm trying to authenticate with our Microsoft Active Directory service, so the following configs are relevant:

login-config

edu.vt.middleware.ldap.jaas.LdapLoginModule required
        ldapUrl="ldap://bydc1.jmu.ac.uk"
        baseDn="ou=people, dc=jmu, dc=ac, dc=uk"
        ssl="false"
        // 16/11/2012 D.Wynne Have to BIND with correct user credentials
        bindDn="cn=XXXXXXXX@jmu.ac.uk"
        bindCredential="XXXXXXXX";

With our AD you have to have a valid account in this file as it doesn't allow anonymous binding. If I leave this out I get a java exception error in idp-process.log. Took me a while to figure that out.

Now I've uploaded the XML file to testshib & I can access our login page (login.jsp). No matter what I type in the Username / Password field I always get

Credentials not recognised.

I've had a self-signed certificate for our Apache server for years but it's different from the IDP build. How do I make the IDP one the same? Could this be the cause?

Thanks in advance. Any help appreciated.

There aren't any errors in the idp-process.log & I have DEBUG logging for the LDAP connection:

14:38:20.989 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.AttributeResolver
14:38:21.027 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for PrincipalConnector plugin with ID: shibTransient
14:38:21.027 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for PrincipalConnector plugin with ID: saml1Unspec
14:38:21.027 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for PrincipalConnector plugin with ID: saml2Transient
14:38:21.034 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for DataConnector plugin with ID: myLDAP
14:38:21.043 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for AttributeDefinition plugin with ID: email
14:38:21.050 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:55] - Parsing configuration for AttributeDefinition plugin with ID: transientId
14:38:21.092 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
14:38:21.092 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   authtype = simple
14:38:21.093 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] -   dn = XXXXXXXX at jmu.ac.uk
14:38:21.093 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] -   credential = <suppressed>
14:38:21.385 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   authtype = simple
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] -   dn = XXXXXXXX at jmu.ac.uk
14:38:21.386 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] -   credential = <suppressed>
14:38:21.390 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.AttributeResolver service loaded new configuration
14:38:21.401 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.AttributeFilterEngine
14:38:21.422 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.filtering.AttributeFilterPolicyBeanDefinitionParser:72] - Parsing configuration for attribute filter policy releaseTransientIdToAnyone
14:38:21.446 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.AttributeFilterEngine service loaded new configuration
14:38:21.452 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.SAML1AttributeAuthority
14:38:21.458 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.SAML2AttributeAuthority
14:38:21.465 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.RelyingPartyConfigurationManager
14:38:21.541 - INFO [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73] - Parsing configuration for relying party with id: anonymous
14:38:21.541 - INFO [edu.internet2.middleware.shibboleth.common.config.relyingparty.RelyingPartyConfigurationBeanDefinitionParser:73] - Parsing configuration for relying party with id: default
14:38:21.564 - INFO [edu.internet2.middleware.shibboleth.common.config.security.AbstractX509CredentialBeanDefinitionParser:63] - Parsing configuration for X509Filesystem credential with id: IdPCredential
14:38:21.784 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ChainingSignatureTrustEngineBeanDefinitionParser:59] - Parsing configuration for SignatureChaining trust engine with id: shibboleth.SignatureTrustEngine
14:38:21.785 - INFO [edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeySignatureTrustEngineBeanDefinitionParser:50] - Parsing configuration for MetadataExplicitKeySignature trust engine with id: shibboleth.SignatureMetadataExplicitKeyTrustEngine
14:38:21.786 - INFO [edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXSignatureTrustEngineBeanDefinitionParser:52] - Parsing configuration for MetadataPKIXSignature trust engine with id: shibboleth.SignatureMetadataPKIXTrustEngine
14:38:21.787 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ChainingTrustEngineBeanDefinitionParser:59] - Parsing configuration for Chaining trust engine with id: shibboleth.CredentialTrustEngine
14:38:21.787 - INFO [edu.internet2.middleware.shibboleth.common.config.security.MetadataExplicitKeyTrustEngineBeanDefinitionParser:48] - Parsing configuration for MetadataExplicitKey trust engine with id: shibboleth.CredentialMetadataExplictKeyTrustEngine
14:38:21.788 - INFO [edu.internet2.middleware.shibboleth.common.config.security.MetadataPKIXX509CredentialTrustEngineBeanDefinitionParser:52] - Parsing configuration for MetadataPKIXX509Credential trust engine with id: shibboleth.CredentialMetadataPKIXTrustEngine
14:38:21.789 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.ShibbolethSSOSecurityPolicy
14:38:21.794 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML1AttributeQuerySecurityPolicy
14:38:21.798 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML1ArtifactResolutionSecurityPolicy
14:38:21.800 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2SSOSecurityPolicy
14:38:21.803 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2AttributeQuerySecurityPolicy
14:38:21.804 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2ArtifactResolutionSecurityPolicy
14:38:21.806 - INFO [edu.internet2.middleware.shibboleth.common.config.security.ShibbolethSecurityPolicyBeanDefinitionParser:59] - Parsing configuration for SecurityPolicyType security policy with id: shibboleth.SAML2SLOSecurityPolicy
14:38:22.429 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.RelyingPartyConfigurationManager service loaded new configuration
14:38:22.435 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - Loading new configuration for service shibboleth.HandlerManager
14:38:22.448 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.JSPErrorHandlerBeanDefinitionParser:46] - Parsing configuration for JSP error handler.
14:38:22.449 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: Status
14:38:22.450 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAMLMetadata
14:38:22.453 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: ShibbolethSSO
14:38:22.454 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML1AttributeQuery
14:38:22.455 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML1ArtifactResolution
14:38:22.457 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2SSO
14:38:22.458 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2SSO
14:38:22.458 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2SSO
14:38:22.458 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2SSO
14:38:22.459 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2ECP
14:38:22.460 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2AttributeQuery
14:38:22.461 - INFO [edu.internet2.middleware.shibboleth.common.config.profile.AbstractRequestURIMappedProfileHandlerBeanDefinitionParser:43] - Parsing configuration for profile handler: SAML2ArtifactResolution
14:38:22.602 - INFO [edu.internet2.middleware.shibboleth.common.config.BaseService:180] - shibboleth.HandlerManager service loaded new configuration
14:38:40.654 - INFO [Shibboleth-Access:74] - 20121116T143840Z|150.204.48.5|java.cms.livjm.ac.uk:443|/profile/SAML2/Redirect/SSO|


Dave Wynne
Senior Technical Officer
School Of Computing & Maths
James Parsons Building
Liverpool John Moores University
Byrom Street
Liverpool L3 3AF


