Setting up LDAP with Shibboleth Idp 2.4.0
Farrukh Najmi
farrukh at wellfleetsoftware.com
Mon May 20 15:25:13 EDT 2013
I am wondering if my authentication problem with my ldap server is due to
my not specifying bindDN and bindCredential in my
edu.vt.middleware.ldap.jaas.LdapLoginModule configuration.
My Ldap server does not have a privileged user to create the connection
with. Thus I do not specify bindDN and bindCredential in my
edu.vt.middleware.ldap.jaas.LdapLoginModule configuration.
Is this the correct thing to do in my situation?
On 05/20/2013 01:09 PM, Farrukh Najmi wrote:
>
> And here are the debug messages leading up to the authentication
> failure. Again the same config works with spring-security in my webapp
> and it also works with a JXplorer random ldap viewer app
> <http://sourceforge.net/projects/jxplorer/?source=dlp> I tried.
>
> 12:49:53.138 - DEBUG
> [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:170]
> - Attempting to authenticate user rod
> 12:49:53.155 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144]
> - Begin initialize
> 12:49:53.155 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
> - useFirstPass = false
> 12:49:53.155 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181]
> - tryFirstPass = false
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
> - storePass = false
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
> - clearPass = false
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184]
> - setLdapPrincipal = true
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185]
> - setLdapDnPrincipal = false
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186]
> - setLdapCredential = true
> 12:49:53.156 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187]
> - defaultRole = []
> 12:49:53.157 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188]
> - principalGroupName = null
> 12:49:53.157 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189]
> - roleGroupName = null
> 12:49:53.157 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
> - userRoleAttribute = []
> 12:49:53.178 - TRACE
> [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
> searchScope: ONELEVEL
> 12:49:53.181 - TRACE
> [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting baseDn:
> 12:49:53.182 - TRACE
> [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
> false
> 12:49:53.182 - TRACE
> [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
> ldapUrl:
> ldap://wellfleet1.wellfleetsoftware.com:33389/dc=springframework,dc=org
> 12:49:53.183 - TRACE
> [edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting
> userFilter: uid={0}
> 12:49:53.184 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
> - Created authenticator:
> edu.vt.middleware.ldap.auth.AuthenticatorConfig at 611704718::env={java.naming.provider.url=ldap://wellfleet1.wellfleetsoftware.com:33389/dc=springframework,dc=org,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
> 12:49:53.185 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412]
> - Begin getCredentials
> 12:49:53.185 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413]
> - useFistPass = false
> 12:49:53.186 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414]
> - tryFistPass = false
> 12:49:53.186 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415]
> - useCallback = false
> 12:49:53.186 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416]
> - callbackhandler class =
> javax.security.auth.login.LoginContext$SecureCallbackHandler
> 12:49:53.186 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419]
> - name callback class = javax.security.auth.callback.NameCallback
> 12:49:53.186 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421]
> - password callback class =
> javax.security.auth.callback.PasswordCallback
> 12:49:53.187 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
> using userFilter
> 12:49:53.188 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
> following parameters:
> 12:49:53.188 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn =
> 12:49:53.188 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter = uid={0}
> 12:49:53.189 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs = [rod]
> 12:49:53.189 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls =
> javax.naming.directory.SearchControls at 69a6c106
> 12:49:53.189 - DEBUG
> [edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
> [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler at 42caa71a]
> 12:49:53.189 - TRACE
> [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
> {java.naming.provider.url=ldap://wellfleet1.wellfleetsoftware.com:33389/dc=springframework,dc=org,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
> 12:49:53.190 - TRACE
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
> connectionStrategy: DEFAULT
> 12:49:53.190 - TRACE
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
> setting connectionRetryExceptions: [class javax.naming.NamingException]
> 12:49:53.190 - TRACE
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0}
> Attempting connection to
> ldap://wellfleet1.wellfleetsoftware.com:33389/dc=springframework,dc=org for
> strategy DEFAULT
> 12:49:53.190 - DEBUG
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind
> with the following parameters:
> 12:49:53.191 - DEBUG
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -
> authtype = simple
> 12:49:53.191 - DEBUG
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = null
> 12:49:53.191 - DEBUG
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] -
> credential = <suppressed>
> 12:49:53.191 - TRACE
> [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:87] - env =
> {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
> java.naming.provider.url=ldap://wellfleet1.wellfleetsoftware.com:33389/dc=springframework,dc=org}
> 12:49:53.215 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161]
> - Search for user: rod failed using filter: uid={0}
> 12:49:53.223 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136]
> - Authentication failed
> javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
>     at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:160) ~[vt-ldap-3.3.6.jar:na]
>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.6.jar:na]
>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.6.jar:na]
>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.6.jar:na]
>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.6.jar:na]
>     at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) ~[vt-ldap-3.3.6.jar:na]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_21]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_21]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_21]
>     at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_21]
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [na:1.7.0_21]
>
>
> On 05/20/2013 12:54 PM, Farrukh Najmi wrote:
>>
>> Here is the relevant stack trace from logs/idp-process.log.
>>
>> 12:49:53.223 - DEBUG
>> [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed
>> javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
>>     at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:160) ~[vt-ldap-3.3.6.jar:na]
>>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.6.jar:na]
>>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.6.jar:na]
>>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.6.jar:na]
>>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.6.jar:na]
>>     at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) ~[vt-ldap-3.3.6.jar:na]
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.7.0_21]
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) ~[na:1.7.0_21]
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[na:1.7.0_21]
>>     at java.lang.reflect.Method.invoke(Method.java:601) ~[na:1.7.0_21]
>>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:784) [na:1.7.0_21]
>>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:203) [na:1.7.0_21]
>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:698) [na:1.7.0_21]
>>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:696) [na:1.7.0_21]
>>
>>
>> FWIW, The same config works fine in my webapp using spring-security.
>>
>> <bean id="contextSource"
>> class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
>> <constructor-arg
>> value="ldap://localhost:33389/dc=springframework,dc=org"/>
>> </bean>
>>
>> <bean id="userSearch"
>> class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
>> <constructor-arg index="0" value=""/>
>> <constructor-arg index="1" value="(uid={0})"/>
>> <constructor-arg index="2" ref="contextSource" />
>> </bean>
>>
>> Any suggestions what else could I try?
>>
>> On 05/20/2013 12:07 PM, Farrukh Najmi wrote:
>>>
>>> I have been unsuccessful thus far in setting up IdP 2.4.0 with my
>>> test ldap server (spring-security-ldap-sample).
>>>
>>> I have made the following config changes by adding config elements
>>> shown for each file below:
>>>
>>> *
>>>
>>> conf/login.config
>>>
>>>
>>> edu.vt.middleware.ldap.jaas.LdapLoginModule required
>>>
>>> ldapUrl="ldap://localhost:33389/dc=springframework,dc=org"
>>>
>>> baseDn=""
>>>
>>> ssl="false"
>>>
>>> userFilter="uid={0}";
>>>
>>> };
>>>
>>> *
>>>
>>>
>>> conf/handler.xml
>>>
>>>
>>> <!-- Username/password login handler -->
>>>
>>> <ph:LoginHandler xsi:type="ph:UsernamePassword"
>>>
>>>
>>> jaasConfigurationLocation="file:///home/najmi/shibboleth/shibboleth-identityprovider-2.4.0/installation/conf/login.config">
>>>
>>> <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
>>>
>>> </ph:LoginHandler>
>>>
>>>
>>> I then try and login at the idp/login.jsp page with well-known
>>> credentials. I get the error below.
>>>
>>>
>>> ERROR
>>>
>>> An error occurred while processing your request. Please contact your
>>> helpdesk or user ID office for assistance.
>>>
>>> *Error Message: Invalid IdP URL (HTTP 404)*
>>>
>>>
>>> Also, I notice that the login.jsp code "Log in to <idpui:serviceName/>"
>>>
>>> renders as "Log in to Unspecified Service Provider". I guess this is
>>> telling that my config for the ldap provider is not being read for
>>> some reason.
>>>
>>> I have done no customization of the login.jsp page beyond changing
>>> the logo.
>>> What could be wrong and how can I debug this better?
>>>
>>> TIA for your kind help.
>>>
>>
--
Regards,
Farrukh Najmi
Web: http://www.wellfleetsoftware.com
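The log above shows the lookup step failing before any user bind happens: SearchDnResolver searches with filter uid={0}, baseDn empty and searchScope ONELEVEL, finds nothing, and vt-ldap then reports "Cannot authenticate dn, invalid dn". The small model below (an added example, not code from the thread or from vt-ldap) replays that DN-resolution step offline for the two explanations the thread raises: a search scope that does not reach the user's entry, and a server that refuses anonymous searches when no bindDN is configured. The directory layout, with users one level below the dc=springframework,dc=org root named in ldapUrl, is an assumption about the spring-security-ldap-sample server.

```python
# Added example: models vt-ldap's SearchDnResolver step (filter uid={0})
# so the ONELEVEL-vs-SUBTREE and anonymous-search cases can be seen offline.

def dn_parts(dn):
    """Split a DN into normalised RDN components, most specific first."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn lies inside base_dn for an LDAP search scope."""
    entry, base = dn_parts(entry_dn), dn_parts(base_dn)
    if base and entry[-len(base):] != base:
        return False  # entry is not under the base at all
    depth = len(entry) - len(base)  # 0 = the base object itself
    if scope == "SUBTREE":
        return depth >= 1
    if scope == "ONELEVEL":
        return depth == 1
    raise ValueError("unknown scope: %s" % scope)

def resolve_dn(directory, base_dn, scope, uid, anonymous_search=True):
    """Return the single DN matching uid={0} under base_dn/scope, or None.
    None is the situation where vt-ldap logs 'Search for user ... failed'
    and raises 'Cannot authenticate dn, invalid dn'."""
    if not anonymous_search:
        # No bindDN/bindCredential configured and the server does not
        # allow unauthenticated searches: the lookup returns nothing.
        return None
    hits = [dn for dn, attrs in directory.items()
            if in_scope(dn, base_dn, scope) and attrs.get("uid") == uid]
    return hits[0] if len(hits) == 1 else None

# Constructed sample directory (assumption about the test server's layout):
# ldapUrl already names dc=springframework,dc=org as the root, and the
# user entries sit one level deeper, under ou=people.
DIRECTORY = {
    "ou=people,dc=springframework,dc=org": {"objectClass": "organizationalUnit"},
    "uid=rod,ou=people,dc=springframework,dc=org": {"uid": "rod"},
    "uid=dianne,ou=people,dc=springframework,dc=org": {"uid": "dianne"},
}
BASE = "dc=springframework,dc=org"

if __name__ == "__main__":
    # searchScope ONELEVEL, as in the IdP log: rod is two levels down -> None
    print("ONELEVEL:", resolve_dn(DIRECTORY, BASE, "ONELEVEL", "rod"))
    # SUBTREE (Spring Security's FilterBasedLdapUserSearch default) -> found
    print("SUBTREE: ", resolve_dn(DIRECTORY, BASE, "SUBTREE", "rod"))
    # Server that rejects anonymous searches -> None regardless of scope
    print("no anon: ", resolve_dn(DIRECTORY, BASE, "SUBTREE", "rod", False))
```

In vt-ldap the scope is governed by the login-module property subtreeSearch; when the directory does require an authenticated search, a dedicated low-privilege bindDN limited to read access on the user subtree is the usual fix rather than widening anonymous access.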