Syntax for referral in login.config

Dave Perry Dave.Perry at
Mon Nov 3 05:17:30 EST 2014

I had to deal with this the other day when I realised from the logs it was still talking to our old eDirectory setup (the IdP wasn't set up by me) even though my attribute-resolver is set to look at AD for attributes.

Here is my working code (with usernames/password redacted, and we use dual DCs in case one goes down):

ShibUserPassAuth {
      edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient

      //AD version

      host="DCIP1 DCIP2"
      bindDn="ServiceUser@YourDomain.YourExtension"

Note: Our AD analyst created a service account, which all our web services use to bind to AD LDAP when doing username/password/attribute lookups.

I had to consult the LDAP server weirdness page of the Wiki for this:

See the section about MS AD.

Dave Perry
eLearning Technologist, Hull College Group

Room L34 - Queens Gardens Library
Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
Extension 2230 / Direct Dial 01482 381930

* Need a fast reply? Try elearning at *

-----Original Message-----
From: users-bounces at [mailto:users-bounces at] On Behalf Of Cantor, Scott
Sent: 01 November 2014 02:08
To: Shib Users
Cc: Danovan Golding
Subject: Re: Syntax for referral in login.config

On 10/31/14, 9:55 PM, "Christopher Bland" <chris at> wrote:
>Have been struggling with the syntax for querying Active Directory 
>using ssl.  Currently getting an error which I believe is caused by the
>referral property.  I am configured like this
>ShibUserPassAuth {
>   edu.vt.middleware.ldap.jaas.LdapLoginModule required
>      host="<host>"
>      port="636"
>      base="<base>"
>      ssl="false"
>      tls="true"
>      userField="userPrincipalName"
>      subtreeSearch="true"
>      referral="follow"
>      serviceUser="<service_user>"
>      serviceCredential="<password>";

Can't say anything about referrals, but that looks a little odd to me, you have ssl off, but startTLS on, but on the port usually used for ldaps.
Maybe that's still common, I don't know.

FWIW, I use an AD behind a NetScaler and there's no referral required, which probably doesn't help you, but I thought I'd make sure it wasn't something simpler.

-- Scott
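
The mismatch noted in the reply above (ssl off, startTLS on, port 636) can be caught by linting login.config before the IdP is restarted. This is an added example, not code from the thread or from vt-ldap; the function names, the constructed sample, and the treatment of unset options as ssl=false, tls=false, port=389 are assumptions.

```python
import re

# Constructed sample: option values as quoted in the thread, closed with "};".
SAMPLE = '''
ShibUserPassAuth {
   edu.vt.middleware.ldap.jaas.LdapLoginModule required
      host="<host>"
      port="636"
      ssl="false"
      tls="true"
      serviceUser="<service_user>"
      serviceCredential="<password>";
};
'''

ENTRY = re.compile(r'(\w+)\s*\{(.*?)\}\s*;', re.S)
MODULE = re.compile(r'([\w.$]+)\s+(required|requisite|sufficient|optional)'
                    r'((?:\s+\w+\s*=\s*"[^"]*")*)\s*;')
OPTION = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

def lint_transport(opts):
    """Flag ssl/tls/port combinations that contradict each other."""
    # Assumption: unset options mean ssl=false, tls=false, port=389.
    ssl = opts.get("ssl", "false").lower() == "true"
    tls = opts.get("tls", "false").lower() == "true"
    port = opts.get("port", "389")
    findings = []
    if ssl and tls:
        findings.append("ssl and tls both enabled: pick LDAPS or StartTLS")
    if tls and not ssl and port == "636":
        findings.append("StartTLS requested on port 636, the usual LDAPS port")
    if ssl and not tls and port == "389":
        findings.append("LDAPS requested on port 389, the usual StartTLS port")
    if not ssl and not tls:
        findings.append("no TLS: a simple bind sends the password in cleartext")
    return findings

def check(text):
    """Return {(entry, module_class): [findings]} for a login.config text."""
    text = re.sub(r'(?m)^\s*//.*$', '', text)  # drop whole-line // comments
    report = {}
    for entry, body in ENTRY.findall(text):
        for module, _flag, raw in MODULE.findall(body):
            report[(entry, module)] = lint_transport(dict(OPTION.findall(raw)))
    return report

if __name__ == "__main__":
    for key, findings in check(SAMPLE).items():
        print(key, findings)
```

Each login module in an entry is checked separately, so a stack of `sufficient` modules pointing at different directories gets one result per module.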
