Problems authenticating with TestShib

mstech msimpson at amersham.ac.uk
Mon Jun 24 07:43:08 EDT 2013


If anyone can shed any light on my latest stumbling block...

I am trying to figure out the best way to allow attributes through for
multiple OUs in my LDAP database.

I have the login.config working as expected and allowing logins from users
either in the staff OU or Computer Services:

ShibUserPassAuth {

   // First module: look the user up under the staff OU
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="domaincontroller.amersham.ac.uk"
      port="389"
      base="ou=staff,dc=amersham,dc=ac,dc=uk"
      subtreeSearch="true"
      tls="false"
      ssl="false"
      userFilter="userPrincipalName={0}"
      userField="userPrincipalName"
      serviceUser="cn=******,ou=staff,dc=amersham,dc=ac,dc=uk"
      serviceCredential="*****";

   // Second module: tried if the first does not succeed; Computer Services OU
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="domaincontroller.amersham.ac.uk"
      port="389"
      base="ou=computer services,dc=amersham,dc=ac,dc=uk"
      subtreeSearch="true"
      tls="false"
      ssl="false"
      userFilter="userPrincipalName={0}"
      userField="userPrincipalName"
      serviceUser="cn=****,ou=staff,dc=amersham,dc=ac,dc=uk"
      serviceCredential="*****";
};


However, my problem is I can't work out how to perform a similar operation on
the attribute resolver.  At present I have this config:

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://domaincontroller.amersham.ac.uk:389"
        baseDN="ou=staff,dc=amersham,dc=ac,dc=uk"
        principal="*****@amersham.ac.uk"
        principalCredential="*****">
    <dc:FilterTemplate>

    </dc:FilterTemplate>
</resolver:DataConnector>

Which works fine for members of the Staff OU, but not for people in Computer
Services.  I can see that this is because my baseDN is set to look at the
staff OU only, but I am unsure how to change this to either:

a) Look in the Staff AND Computer Services OUs
b) Look at the computer services OU if it finds no matches in Staff
c) Search the entirety of the LDAP database

I hope that is well explained; I am happy to upload any further info if
needed.
    



--
View this message in context: http://shibboleth.1660669.n2.nabble.com/Idp-testing-with-TestShib-some-begginers-questions-tp7587572p7587778.html
Sent from the Shibboleth - Users mailing list archive at Nabble.com.
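
Option (c) from the message above, as an added example that is not part of the original post and not the Shibboleth project's own configuration: the same data connector with baseDN moved up to the domain root, so one subtree search covers both the staff and Computer Services OUs. The filter body is an assumption (the FilterTemplate in the post is empty as archived), chosen to mirror the userFilter in login.config; the masked values stay masked.

```xml
<!-- Added example: attribute resolver connector searching the whole tree (option c). -->
<!-- ldapURL, principal and principalCredential are unchanged from the post
     (plain LDAP on port 389, matching tls="false" / ssl="false" in login.config). -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://domaincontroller.amersham.ac.uk:389"
        baseDN="dc=amersham,dc=ac,dc=uk"
        searchScope="SUBTREE"
        principal="*****@amersham.ac.uk"
        principalCredential="*****">
    <!-- Assumed filter, not from the post: match on the same attribute the
         login modules use (userPrincipalName={0}). With the base widened to
         the domain root, this filter is the only thing narrowing the search,
         so it should identify a single entry. -->
    <dc:FilterTemplate>
        <![CDATA[
            (userPrincipalName=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
</resolver:DataConnector>
```

Assuming the directory is Active Directory, as the userPrincipalName attribute and host name suggest, a search rooted at the domain can return referrals that the connector has to be configured to handle; querying the Global Catalog port (3268) is a common way to avoid them.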

