Which handler LDAP SSO - NOW kerberos integration

Morris, Andi amorris at cardiffmet.ac.uk
Fri Nov 21 10:10:00 EST 2014

Thanks both,
I figured out that the catalina issues were because I hadn't used the 8443 connector as laid out in the https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare document, however I can see that the clash in 8443 listeners was also an issue.

I think I need to keep this within Apache as I want to use mod_auth_kerb to throw the user to Authn/RemoteUser for the Kerberos login. I was getting confused with the Newcastle docs as they seem to still use the Tomcat connector even with Apache.

I'll give that a  retweak so it all comes from Apache apart from the AJP connector to tomcat on localhost.

Thanks again.

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 21 November 2014 14:50
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO - NOW kerberos integration

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-21 15:32]:
> Listen 443
> Listen 8443
> Setup the 8443 connector in Tomcat
> <Connector port="8443"

Obviously that cannot work and it doesn't make sense to try to have both httpd and Tomcat serve backchannel requests on port 8443.
Pick either one, I'd use httpd for both, for consistency (once process
-- httpd -- handling all external requests, the other --Tomcat -- only available on the loopback interface).

Though I'm missing mod_proxy directices in both your httpd virtual hosts. How do you expect Tomcat to be reachable then, though httpd?

> LifecycleException:  Protocol handler initialization failed:
>   java.io.IOException: DelegateToApplication TrustManagerFactory not
>   available

If you decide to use httpd for port 8443 (as I suggest above) you don't use the DTA extension at all. So you cannot use the Shibboleth documentation for SOAP requests, you *only* configure the 8009 AJP connector in Tomcat and proxy to that from /both/ httpd vhosts.

Look at the SWITCHaai documentation for complete instructions on how to do that.
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

More information about the users mailing list