LDAP Dataconnector baseDN search
Martin, Brandon L
martinb at psd401.net
Sat Aug 8 14:35:59 EDT 2015
Hello Shibboleth users,
I am in the process of setting up a Shibboleth server and have run into a problem authenticating with my LDAP server. I am using CAS as my remote user provider using Unicon's authn plugin <https://github.com/Unicon/shib-cas-authn3>, which works great as far as I can tell. I need to be able to resolve attributes to send to my vendors, but the only parameter given to Shibboleth from CAS is the principalName. So to get the necessary data I have to do an LDAP lookup. I am getting successful LDAP authentication but am getting errors on the baseDN property. Here is the error:
2015-08-08 17:56:11,849 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:256] - Profile Action ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector 'psdldap': Unable to execute LDAP search
at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(LDAPDataConnector.java:148)
Caused by: org.ldaptive.LdapException: javax.naming.directory.InvalidSearchFilterException: invalid attribute description; remaining name 'ou=psd,dc=peninsula,dc=wednet,dc=edu'
at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.directory.InvalidSearchFilterException: invalid attribute description
at com.sun.jndi.ldap.Filter.encodeSimpleFilter(Unknown Source)
And here is my LDAP data connector:
<resolver:DataConnector xsi:type="dc:LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc" id="psdldap"
    ldapURL="ldap://172.31.1.36:389" baseDN="ou=psd,dc=peninsula,dc=wednet,dc=edu"
    principal="serv_ldapbind@psd401.net" principalCredential="password"
    lowercaseAttributeNames="true" useStartTLS="false">
    <dc:FilterTemplate>
        <![CDATA[
            (samaccountname=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <ReturnAttributes>givenname employeetype distinguishedname</ReturnAttributes>
</resolver:DataConnector>
If I change the principal to invalid credentials I get the expected INVALID_CREDENTIALS error. To me it looks like the authentication was successful, but it could not search or find the user. Would this be an issue with BaseDN or the FilterTemplate? Here is the debug LDAP request:
DEBUG [org.ldaptive.BindOperation:138] - execute request=[org.ldaptive.BindRequest@1833441181::bindDn=serv_ldapbind@psd401.net, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@403078264::config=[org.ldaptive.ConnectionConfig@902444170::ldapUrl=ldap://172.31.1.36:389, connectTimeout=-1, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@1849650076::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@5b20750, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1795037211::bindDn=serv_ldapbind@psd401.net, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1372960410::metadata=[ldapUrl=ldap://172.31.1.36:389, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@353212268::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@2f503e40, controlProcessor=org.ldaptive.provider.ControlProcessor@3d26f404, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@25c7626f]
2015-08-08 18:20:09,980 - DEBUG [org.ldaptive.BindOperation:168] - execute response=[org.ldaptive.Response@503115302::result=null, resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1] for request=[org.ldaptive.BindRequest@1833441181::bindDn=serv_ldapbind@psd401.net, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@403078264::config=[org.ldaptive.ConnectionConfig@902444170::ldapUrl=ldap://172.31.1.36:389, connectTimeout=-1, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@1849650076::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@5b20750, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1795037211::bindDn=serv_ldapbind@psd401.net, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1372960410::metadata=[ldapUrl=ldap://172.31.1.36:389, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@353212268::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@2f503e40, controlProcessor=org.ldaptive.provider.ControlProcessor@3d26f404, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@25c7626f]
2015-08-08 18:20:09,982 - DEBUG [org.ldaptive.SearchOperation:138] - execute request=[org.ldaptive.SearchRequest@1882631444::baseDn=ou=psd,dc=peninsula,dc=wednet,dc=edu, searchFilter=[org.ldaptive.SearchFilter@-2030641523::filter=????????
????????????(cn=martinb)
????????
????, parameters={}], returnAttributes=[givenname, employeetype, distinguishedname], searchScope=SUBTREE, timeLimit=3000, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.CaseChangeEntryHandler@1319618537::dnCaseChange=NONE, attributeNameCaseChange=LOWER, attributeValueCaseChange=NONE]], searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@403078264::config=[org.ldaptive.ConnectionConfig@902444170::ldapUrl=ldap://172.31.1.36:389, connectTimeout=-1, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@1849650076::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@5b20750, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@1795037211::bindDn=serv_ldapbind@psd401.net, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1372960410::metadata=[ldapUrl=ldap://172.31.1.36:389, count=1], environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.version=3}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@353212268::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@2f503e40, controlProcessor=org.ldaptive.provider.ControlProcessor@3d26f404, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@25c7626f]
Brandon Martin
martinb at psd401.net
Peninsula School District
Data Integration Analyst
Ext: 3712
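Added example, not part of the original post and not Shibboleth's or ldaptive's own code. The SearchOperation debug line above prints the filter as `????????(cn=martinb)????` where the template's whitespace should be, so the one thing a reader can check from the page is whether the FilterTemplate text contains characters a JNDI filter parser would treat as part of an "attribute description". The script below checks a template for characters outside printable ASCII and ordinary whitespace, and separately escapes the principal value (RFC 4515 rules) before it is substituted into the filter, since the template in the post substitutes `$requestContext.principalName` as-is. The sample template, the NO-BREAK SPACE padding and the function names `find_suspicious_chars`, `escape_filter_value` and `render_filter` are all constructed for this example.

```python
import re
import unicodedata

# Constructed sample (not from the original post): a FilterTemplate body as it
# might be pasted from a web page, padded with NO-BREAK SPACE (U+00A0) instead of
# ordinary spaces. A strict filter parser sees those bytes as part of the
# attribute description and rejects the filter.
SAMPLE_TEMPLATE = "\u00a0\u00a0(samaccountname=$requestContext.principalName)\u00a0"

# Characters that legitimately occur in a filter template: printable ASCII plus
# space, tab, CR and LF. Anything else is reported.
_ALLOWED = re.compile(r"[\x20-\x7e\t\r\n]")


def find_suspicious_chars(template):
    """Return (offset, 'U+XXXX', unicode name) for every character outside the
    allowed set, so a pasted template can be checked before it reaches the IdP."""
    return [
        (i, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(template)
        if not _ALLOWED.fullmatch(ch)
    ]


def escape_filter_value(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
    '*', '(', ')', '\\' and NUL become \\XX hex escapes, and characters above
    0x7F are escaped byte-wise as UTF-8."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7E:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def render_filter(template, principal):
    """Drop characters outside the allowed set, trim surrounding whitespace, and
    substitute the escaped principal for the template variable. This mirrors the
    shape of the FilterTemplate in the post; it is not the IdP's template engine."""
    cleaned = "".join(ch for ch in template if _ALLOWED.fullmatch(ch)).strip()
    return cleaned.replace("$requestContext.principalName", escape_filter_value(principal))


if __name__ == "__main__":
    # Report each offending character, then show the cleaned, substituted filter.
    for offset, codepoint, name in find_suspicious_chars(SAMPLE_TEMPLATE):
        print(f"offset {offset}: {codepoint} {name}")
    print(render_filter(SAMPLE_TEMPLATE, "martinb"))
```

Run it against the text between the `<![CDATA[` and `]]>` markers of a data connector; an empty report from `find_suspicious_chars` means the template itself is clean and attention can move to the baseDN and the attribute name in the filter.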