Which handler LDAP SSO

Morris, Andi amorris at cardiffmet.ac.uk
Thu Nov 13 03:47:14 EST 2014 

Cheers Douglas, that was helpful.

I discovered that the keytab file was only readable by the apache user and not the tomcat user. I've chmod'd this so that only the tomcat user has access, and the Kerberos user is now authenticated.

> With AD as ldap, you may want to add:
>(!(userAccountControl:1.2.840.113556.1.4.803:=2))
>to not accept disabled accounts.

Really interested in that. How would I plumb that in?

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
Sent: 12 November 2014 21:22
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO



On 11/12/2014 8:08 AM, Morris, Andi wrote:
> Ok, thanks Peter.
> I'm getting somewhere with this, slowly and frustratingly so.
>
> I have Kerberos running between my idp box and my Active Directory servers, that was the easy bit.
>
> I've gone through https://crypt.ncl.ac.uk/login-gateway/docs/Shibboleth_SPNEGO_Setup.pdf up until the part where the login.jsp is modded to autodetect browsers, ip addresses and relying parties, as I don't think that's necessary for my site. I've also been cross referencing these against the documentation at https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler which had some confusing parts, but I think I've made it through the majority. I wasn't sure with the section at the beginning of the handler.xml in the wiki as it doesn't describe whether to add these new schemas, replace the old ones, and amend them for the shibboleth setup. I ended up putting:
>
>
> <ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
>                          xmlns:krb="http://www.switch.ch/aai/idp/kerberos" krb:schemalocation="http://www.switch.ch/aai/idp/kerberos classpath:/schema/kerberos-login-handler.xsd"
>                          
> xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler 
> classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd">
>
> Is this correct?

Before I retired, we used something like this, that added the krb5 and x509 handlers to the original user/password group Realm/AD dommain name changed to OURREALM.EDU. IDP on RedHat.


<ph:ProfileHandlerGroup xmlns:ph="urn:mace:shibboleth:2.0:idp:profile-handler"
        xmlns:x509="http://www.switch.ch/aai/idp/x509"
        xmlns:krb="http://www.switch.ch/aai/idp/kerberos"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:idp:profile-handler classpath:/schema/shibboleth-2.0-idp-profile-handler.xsd http://www.switch.ch/aai/idp/x509 classpath:/schema/x509-login-handler.xsd http://www.switch.ch/aai/idp/kerberos classpath:/schema/kerberos-login-handler.xsd">

The later in the group:
    <!-- Kerberos Idp -->
     <ph:LoginHandler xsi:type="krb:KERBEROS"
                   kerberosCfg="/etc/krb5.conf"
                   customUnauthorized="/opt/shibboleth-idp-2.3.8/other/unauthorized.html"
                   autoLoginDurantion="300"
           loginPagePattern="/kerberos-login-try-first.jsp"
           krbServletPattern="/Authn/Kerberos/Login"

     <!-- LoginHandler optional attributes:
                   kerberosCfg - kerberos configuration file
                   customUnauthorized - custom html page for error 401 - Unauthorized. (e.g.: jar:/example/unauthorized.html)
                   auto_login_durantion - auto login duration (seconds)
                   loginPagePattern - (default: "/login.jsp") - path for login page
                   krbServletPattern - (default: "/Authn/Kerberos") - path for kerberos login page
     -->
         <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:Kerberos</ph:AuthenticationMethod>
         <krb:Realm domain="OURREALM.EDU">
             <krb:principal>HTTP/idp.ourrealm.edu at OURREALM.EDU</krb:principal>
             <krb:keytab>/etc/krb5.keytab.http</krb:keytab>
         </krb:Realm>
  </ph:LoginHandler>



>
> However the main part I'm getting stuck on is the configuration of the attribute resolver. When restarting tomcat I get the following in the idp-process.log:
> 13:56:17.734 - INFO 
> [edu.internet2.middleware.shibboleth.common.config.BaseService:158] - 
> Loading new configuration for service shibboleth.AttributeResolver
> 13:56:17.790 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: org.xml.sax.SAXParseException: Key 'DataConnectorAttributeDefinitionDependencyRef' with value 'HTTP/servername.cardiffmet.ac.uk' not found for identity constraint of element 'AttributeResolver'.
>
> Now clearly it doesn't like the prinicipal name here. attribute-resolver.conf has the following configuration for that part, as taken from https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver:
>      <resolver:DataConnector id="fhnwAdmLDAP"
>          xsi:type="dc:LDAPDirectory"
>          ldapURL="${ldap.address}"
>          baseDN="OU=UserAccs,DC=internal,DC=domain,DC=ac,DC=uk"
>          principal="${ldap.principal}"
>          principalCredential="${ldap.credential}" >

As noted in other responses, these do not look correct.

>        <resolver:Dependency ref="HTTP/servername.cardiffmet.ac.uk" />
>        <resolver:Dependency ref="INTERNAL.DOMAIN.AC.UK" />
>          <dc:FilterTemplate>
> <!--
> (mail=$requestContext.principalName) - matches UsernamePassword 
> Principal
> &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos 
> Principal

Not the way we did it, but could be OK.

With AD as ldap, you may want to add:
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
to not accept disabled accounts.

http://support.microsoft.com/kb/269181


> -->
>              <![CDATA[
>                  (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
>              ]]>
>          </dc:FilterTemplate>
>          <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>      </resolver:DataConnector>
>
> What have I missed here.

It is also not clear if your IDP is in the same DNS domain as the AD domain that your users are in.
This can make it harder for a client to determine if it needs to do cross realm.

HTTP/servername.cardiffmet.ac.uk implies IDP is servername.cardiffmet.ac.uk

You say this is the realm name, INTERNAL.DOMAIN.AC.UK which implies AD domain name is internal.domain.ac.uk.


>
> Thanks in advance for any help,
> Andi
>
> -----Original Message-----
> From: users-bounces at shibboleth.net 
> [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
> Sent: 11 November 2014 13:03
> To: users at shibboleth.net
> Subject: Re: Which handler LDAP SSO
>
> * Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-11 13:44]:
>> Thanks. I have UsernamePassword configured at the moment and I'm 
>> having trouble getting the bind to work so that users can login, but 
>> I'll continue to work on that.
>
> This is all within the JAAS config file, login.config, as per the Shib documentation.
>
>> However, when running against test shib I'm being shown a login 
>> screen, as expected at the moment.
>
> Yes, https://wiki.shibboleth.net/confluence/display/SHIB2/IdPUserAuthn
> says
>
>    "Username/Password:
>    Presents the user with an authentication page and then checks the
>    entered username and password against an LDAP directory or Kerberos 5
>    domain."
>
> So the UsernamePassword will generate HTML to collect credentials, and validate them via LDAP (or Kerberos, but that doesn't change the fact that a HTML form is rendered at the IDP).
>
>
>> When I have the ldap running correctly will the users still be shown 
>> this screen if they already currently have valid windows credentials
>
> Yes.
>
>> or will I need to configure this with Kerberos? What we have at the 
>> moment is users being logged on without being prompted when they 
>> access a shibboleth resource internally.
>
> You'll have to do something entirely different:
>
> https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Ha
> ndler
>
> The folks from Uni Newcastle have quite complete documentation for this, IIRC, if you (or your peers from the UKfederation) don't find anything better to offer try this:
> https://www.google.com/search?q=newcastle+shib+SPNEGO
> -peter
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at shibboleth.net
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>

--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list