Two dataconnectors (openldap and AD)
Vignesh, Vanna G.
vignesh at musc.edu
Wed May 13 18:05:47 EDT 2015
This is what I see in the IdP logs.
17:57:47.108 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
17:57:47.108 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - authtype = simple
17:57:47.108 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] - dn = ********
17:57:47.109 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] - credential = <suppressed>
17:57:47.118 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:163] - Error connecting to LDAP URL: ldap://*****
javax.naming.CommunicationException: ****.local:389
at com.sun.jndi.ldap.Connection.<init>(Connection.java:208) ~[na:1.6.0_31]
at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:116) ~[na:1.6.0_31]
From: Vignesh, Vanna G.
Sent: Wednesday, May 13, 2015 5:56 PM
To: users at shibboleth.net
Subject: Two dataconnectors (openldap and AD)
I have an OpenLDAP data connector which works fine. I am trying to write another DC for Active Directory just to pull the groups of the authenticated users from AD. OpenLDAP is used for authentication.
First,
I am getting a CommunicationException error: Error connecting to LDAP URL: ldap://xyz.abc.edu javax.naming.CommunicationException: xyz.abc.edu:389. I also see javax.naming.PartialResultException: Unprocessed Continuation Reference. Here is my DC. Should I use a dependency on openldap?
<resolver:DataConnector id="mytestAD" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://xyz.abc.edu"
    baseDN="dc=***,dc=local"
    principal="CN=***,OU=***,OU=***,DC=***,DC=local"
    principalCredential="****">
    <FilterTemplate>
        <![CDATA[
            (sAMAccountName=$requestContext.principalName)
        ]]>
    </FilterTemplate>
    <ReturnAttributes>*</ReturnAttributes>
</resolver:DataConnector>
Second,
Where else should I define the sAMAccountName? The principal name in OpenLDAP is uid and the principal name in AD is sAMAccountName. How would I tie them together to return all the group names of the user from AD?
Third,
To return the groups of the authenticated user from the other data connector (AD), should I use the following attribute definition? i.e. passing MemberOf to isMemberOf
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="MemberOf">
    <resolver:Dependency ref="mytestAD" />
    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>