Attribute resolution fails for directAuthenticator strategy
Zoltan JANOTA
zoltan.janota at unodc.org
Tue Dec 22 09:37:02 EST 2015
Hi All!
I am trying to configure both the authentication and attribute retrieval
using the credentials provided by the user. According to the docs, this
should be possible using the directAuthenticator strategy.
The authentication works fine but the attribute resolution fails with the
following error:
2015-12-22 15:14:15,437 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:257] - Profile Action ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector 'LDAP_01': Unable to execute LDAP search
    at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(LDAPDataConnector.java:168)
Caused by: org.ldaptive.LdapException: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on]; remaining name 'OU=People,DC=global,DC=un,DC=org'
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
2015-12-22 15:14:15,526 - WARN [net.shibboleth.idp.saml.nameid.impl.AttributeSourcedSAML2NameIDGenerator:154] - Unable to locate AttributeContext
ldap-auth-config-xml:
<!-- Direct Search Configuration -->
<bean name="directAuthenticator"
      class="org.ldaptive.auth.Authenticator"
      p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}">
    <constructor-arg index="0" ref="formatDnResolver" />
    <constructor-arg index="1" ref="authHandler" />
</bean>
ldap.properties:
idp.authn.LDAP.authenticator = directAuthenticator
idp.authn.LDAP.ldapURL = ldaps://host:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.connectTimeout= 3000
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap.crt
idp.authn.LDAP.returnAttributes = division, telephoneNumber, mail, givenName, employeeID, cn, sn, memberOf, employeeNumber
idp.authn.LDAP.baseDN = OU=People,DC=global,DC=un,DC=org
idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter = (cn={user})
idp.authn.LDAP.bindDN =
idp.authn.LDAP.bindDNCredential =
idp.authn.LDAP.dnFormat = CN=%s,OU=People,DC=global,DC=un,DC=org
idp.attribute.resolver.LDAP.returnAttributes = *
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter = (cn=$requestContext.principalName)
attribute-resolver.xml:
<resolver:DataConnector id="LDAP_01" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
    <dc:FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </dc:FilterTemplate>
    <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
</resolver:DataConnector>
Thanks!
Zoltan
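As an added diagnostic example (my own code, not from this post or from the Shibboleth project), the script below parses an ldap.properties fragment, expands `%{key}` and `%{key:default}` references the way the IdP's property replacement resolves them, and reports whether the attribute resolver's LDAP data connector would end up issuing its search with no bind at all. The sample properties and the log excerpt are constructed from the values shown in the post above; the interpretation of the 000004DC comment (the directory refuses searches on an unauthenticated connection, which is Active Directory's default) is background knowledge I am adding, not something the post states.

```python
import re

# Constructed sample: the resolver-relevant lines of the ldap.properties fragment
# posted above, with the wrapped values joined back onto single lines.
SAMPLE_PROPERTIES = """
idp.authn.LDAP.authenticator = directAuthenticator
idp.authn.LDAP.ldapURL = ldaps://host:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.baseDN = OU=People,DC=global,DC=un,DC=org
idp.authn.LDAP.bindDN =
idp.authn.LDAP.bindDNCredential =
idp.authn.LDAP.dnFormat = CN=%s,OU=People,DC=global,DC=un,DC=org
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS}
"""

# Constructed sample: the relevant line of the idp-process.log excerpt above.
SAMPLE_LOG = (
    "Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: "
    "LdapErr: DSID-0C0906E8, comment: In order to perform this operation a "
    "successful bind must be completed on the connection., data 0, v1db1]"
)

# Active Directory's extended error for an operation attempted before any bind.
AD_BIND_REQUIRED = "000004DC"

# %{key} or %{key:default}; the default is used only when the key is undefined.
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")


def parse_properties(text):
    """Parse 'key = value' lines; an empty right-hand side yields ''."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")  # split on the first '=' only
        props[key.strip()] = value.strip()
    return props


def expand(props, value, depth=0):
    """Recursively resolve placeholders, mirroring Spring-style replacement."""
    if depth > 10:
        raise ValueError("placeholder reference cycle")

    def repl(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return expand(props, props[key], depth + 1)
        if default is not None:
            return default
        return match.group(0)  # unresolved and no default: leave it visible

    return PLACEHOLDER.sub(repl, value)


def resolver_bind_mode(props):
    """How the LDAPDirectory data connector will authenticate its search."""
    dn = expand(props, props.get("idp.attribute.resolver.LDAP.bindDN", ""))
    cred = expand(props, props.get("idp.attribute.resolver.LDAP.bindDNCredential", ""))
    if dn and cred:
        return "simple-bind"
    if not dn and not cred:
        return "anonymous"
    return "incomplete"


def diagnose(props, log_excerpt):
    """Correlate the effective connector settings with the directory's error."""
    findings = []
    mode = resolver_bind_mode(props)
    if mode == "anonymous":
        findings.append("resolver data connector searches without binding: "
                        "bindDN and bindDNCredential both expand to empty")
    elif mode == "incomplete":
        findings.append("resolver bindDN and bindDNCredential must both be set")
    if AD_BIND_REQUIRED in log_excerpt:
        findings.append("directory returned 000004DC: it refuses searches on an "
                        "unauthenticated connection, so the connector needs its own credentials")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    print("effective useStartTLS:",
          expand(props, "%{idp.attribute.resolver.LDAP.useStartTLS:true}"))
    print("connector bind mode:", resolver_bind_mode(props))
    for finding in diagnose(props, SAMPLE_LOG):
        print("-", finding)
```

The point the expansion makes visible is that `useStartTLS="%{...:true}"` in attribute-resolver.xml does not fall back to `true` here, because the property is defined (as a reference to `false`), while `principal` and `principalCredential` resolve through two levels of placeholders to empty strings. The direct authenticator never needs a service account because it binds as the user, but the resolver's data connector runs on its own connection and has nothing to bind with.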