Which handler LDAP SSO - NOW kerberos integration

Morris, Andi amorris at cardiffmet.ac.uk
Fri Nov 21 10:32:39 EST 2014


All sorted, thanks.

I just enabled the AJP connector 8009 in tomcat and removed the 8443.

Re-enabled both the 443 and 8443 connectors in apache.

Tested with test shib and this is now logging me on transparently with Kerberos.

Amazing, thanks so much for your help this far.

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Morris, Andi
Sent: 21 November 2014 15:10
To: 'Shib Users'
Subject: RE: Which handler LDAP SSO - NOW kerberos integration

Thanks both,
I figured out that the catalina issues were because I hadn't used the 8443 connector as laid out in the https://wiki.shibboleth.net/confluence/display/SHIB2/IdPApacheTomcatPrepare document, however I can see that the clash in 8443 listeners was also an issue.

I think I need to keep this within Apache as I want to use mod_auth_kerb to throw the user to Authn/RemoteUser for the Kerberos login. I was getting confused with the Newcastle docs as they seem to still use the Tomcat connector even with Apache.

I'll give that a retweak so it all comes from Apache apart from the AJP connector to tomcat on localhost.

Thanks again.

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Peter Schober
Sent: 21 November 2014 14:50
To: users at shibboleth.net
Subject: Re: Which handler LDAP SSO - NOW kerberos integration

* Morris, Andi <amorris at cardiffmet.ac.uk> [2014-11-21 15:32]:
> Listen 443
> Listen 8443
[...]
> Setup the 8443 connector in Tomcat
> 
> <Connector port="8443"

Obviously that cannot work and it doesn't make sense to try to have both httpd and Tomcat serve backchannel requests on port 8443.
Pick either one, I'd use httpd for both, for consistency (one process -- httpd -- handling all external requests, the other -- Tomcat -- only available on the loopback interface).

Though I'm missing mod_proxy directives in both your httpd virtual hosts. How do you expect Tomcat to be reachable then, through httpd?

> LifecycleException:  Protocol handler initialization failed:
>   java.io.IOException: DelegateToApplication TrustManagerFactory not
>   available

If you decide to use httpd for port 8443 (as I suggest above) you don't use the DTA extension at all. So you cannot use the Shibboleth documentation for SOAP requests, you *only* configure the 8009 AJP connector in Tomcat and proxy to that from /both/ httpd vhosts.

Look at the SWITCHaai documentation for complete instructions on how to do that.
-peter
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
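The layout Peter describes and Andi ends up with (httpd listening on 443 and 8443, Tomcat reachable only through AJP 8009 on loopback, mod_auth_kerb in front of the RemoteUser handler), as an added example httpd configuration that is not from the thread or from the Shibboleth/SWITCHaai documentation; the hostname, certificate and keytab paths and the Kerberos realm are assumed placeholders.

```apache
# Constructed example, not Andi's or Peter's actual configuration.
# Assumed values: hostname idp.example.org, certificate/key paths,
# Kerberos realm and keytab path.
Listen 443
Listen 8443

# Front channel (browser traffic). Only the RemoteUser handler path
# is protected by mod_auth_kerb; the rest of /idp passes straight through.
<VirtualHost *:443>
    ServerName idp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key

    <Location /idp/Authn/RemoteUser>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        # No password fallback: a failed SPNEGO negotiation must not
        # turn into a basic-auth password prompt over the wire.
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.ORG
        Krb5KeyTab /etc/httpd/conf/http.keytab
        Require valid-user
    </Location>

    # Proxy to the AJP connector, which Tomcat binds to loopback only.
    ProxyPass        /idp ajp://127.0.0.1:8009/idp
    ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
</VirtualHost>

# Back channel (SOAP from SPs). httpd only requests the client certificate
# and exports it; the IdP validates it against SP metadata itself.
<VirtualHost *:8443>
    ServerName idp.example.org
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/idp.example.org.crt
    SSLCertificateKeyFile /etc/pki/tls/private/idp.example.org.key
    SSLVerifyClient optional_no_ca
    SSLVerifyDepth 10
    SSLOptions +ExportCertData +StdEnvVars

    ProxyPass        /idp ajp://127.0.0.1:8009/idp
    ProxyPassReverse /idp ajp://127.0.0.1:8009/idp
</VirtualHost>
```

The matching Tomcat side is a single connector `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" tomcatAuthentication="false" />` and no 8443 connector at all, so the DelegateToApplication trust manager is never referenced. `tomcatAuthentication="false"` is what lets the REMOTE_USER value set by mod_auth_kerb reach the IdP's RemoteUser handler.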