trouble locating the ldap auth error in Shib IdP

Oleg Chaikovsky oleg.chaikovsky at aegisidentity.com
Sun Jul 14 23:14:15 EDT 2013


Shibboleth IdP 2.4
Windows

Connecting to AD using LDAPS - and here is the error - and the login.config file. I have searched other logs (except the ldap log) and found nothing to help discover the problem. When I use the ldp.exe tool on Windows from the IdP server to connect to the AD server, using the same principal, credential, and baseDn, I can search just fine for any user. When I attempt to authenticate using testshib as a base, I get an authentication failure, but the error is simply:
19:44:00.227 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for USERID failed
javax.security.auth.login.LoginException: java.lang.NullPointerException

I have searched the user list archives and only found that folks have fixed their issue, but not where the fix was applied. I have tried both a baseDn of ou=GROUP, dc=domain, dc=edu and simply the two dc's (at the recommendation of the ldap admin). I simply can't determine for myself where the error may lie.

Thanks
Oleg

--------------------------
Login.config file portion

   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapURL="ldaps://server.domain.edu"
      port="636"
      ssl="true"
      baseDn="dc=domain,dc=edu"
      bindDn="USERID@domain.edu"
      bindCredential="somepassword"
      subtreeSearch="true"
      userFilter="samAccountName={0}";


-----------------------------------

Idp-process.log

19:44:00.149 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170] - Attempting to authenticate user USERID
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - useFirstPass = false
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181] - tryFirstPass = false
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182] - storePass = false
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183] - clearPass = false
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184] - setLdapPrincipal = true
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185] - setLdapDnPrincipal = false
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186] - setLdapCredential = true
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187] - defaultRole = []
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
19:44:00.180 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@15013136::env={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, ldapURL=ldaps://server.domain.edu, java.naming.security.protocol=ssl}
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = dc=domain,dc=edu
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = samAccountName={0}
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [USERID]
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls@1f6c439
19:44:00.211 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1cc7f4b]
19:44:00.227 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for USERID failed
javax.security.auth.login.LoginException: java.lang.NullPointerException
                at java.util.Hashtable.put(Unknown Source)
                at edu.vt.middleware.ldap.handler.AbstractConnectionHandler.connect(AbstractConnectionHandler.java:149)
                at edu.vt.middleware.ldap.AbstractLdap.connect(AbstractLdap.java:1006)
                at edu.vt.middleware.ldap.AbstractLdap.getContext(AbstractLdap.java:1058)
                at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:214)
                at edu.vt.middleware.ldap.auth.SearchDnResolver.resolve(SearchDnResolver.java:139)
                at edu.vt.middleware.ldap.auth.Authenticator.getDn(Authenticator.java:106)
                at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74)
                at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320)
                at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277)
                at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60)
                at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103)
                at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
                at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
                at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
                at java.lang.reflect.Method.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.invoke(Unknown Source)
                at javax.security.auth.login.LoginContext.access$000(Unknown Source)
                at javax.security.auth.login.LoginContext$4.run(Unknown Source)
                at java.security.AccessController.doPrivileged(Native Method)
                at javax.security.auth.login.LoginContext.invokePriv(Unknown Source)
                at javax.security.auth.login.LoginContext.login(Unknown Source)
                at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:177)
                at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:123)
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52)
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859)
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602)
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
                at java.lang.Thread.run(Unknown Source)

                at javax.security.auth.login.LoginContext.invoke(Unknown Source) ~[na:1.6.0_30]
                at javax.security.auth.login.LoginContext.access$000(Unknown Source) ~[na:1.6.0_30]
                at javax.security.auth.login.LoginContext$4.run(Unknown Source) ~[na:1.6.0_30]
                at java.security.AccessController.doPrivileged(Native Method) ~[na:1.6.0_30]
                at javax.security.auth.login.LoginContext.invokePriv(Unknown Source) ~[na:1.6.0_30]
                at javax.security.auth.login.LoginContext.login(Unknown Source) ~[na:1.6.0_30]
                at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:177) [shibboleth-identityprovider-2.4.0.jar:na]
                at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:123) [shibboleth-identityprovider-2.4.0.jar:na]
                at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.35]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
                at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:50) [shibboleth-identityprovider-2.4.0.jar:na]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.35]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
                at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:87) [shibboleth-identityprovider-2.4.0.jar:na]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.35]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
                at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:52) [shibboleth-common-1.4.0.jar:na]
                at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.35]
                at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.35]
                at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.35]
                at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.35]
                at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.35]
                at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.35]
                at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.35]
                at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293) [catalina.jar:6.0.35]
                at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.35]
                at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:602) [tomcat-coyote.jar:6.0.35]
                at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.35]
                at java.lang.Thread.run(Unknown Source) [na:1.6.0_30]


Oleg Chaikovsky
AegisIdentity - The Identity Software Company
303-222-1064
714-742-2823 mobile
http://www.aegisidentity.com
twitter- @aegisidentity
