IdP AuthN LDAP Connection Pooling + Directory with disabled anonymous binds...
Jeremy A Scott
jeremy.scott at wisc.edu
Mon Apr 25 13:39:58 EDT 2016
Hi All,
Recently I upgraded a V2 IdP instance to V3 and have had an issue with the ldaptive authn LDAP connection pooling and the directory's security settings regarding anonymous binds.
For reference, we use bindSearchAuthenticator in ldap-authn-config.xml and have a service account authorized to perform searches for user DNs.
For security reasons, the directory has anonymous binds disabled. Unbound connections cannot get anything from the directory, not even the root DSE...
(It is unlikely that we will be able to change the security settings on this directory, it is this way for a reason and outside of our administrative control.)
Unfortunately, this setting interferes with ldaptive's pool connection validation for the pool it uses to authenticate users.
In this pool, the connection bind state varies from nothing/anonymous to the user trying to authenticate, or anonymous if their password is invalid.
When the pool tries to validate these connections (in or out) by searching for the root DSE, they will fail because the directory won't allow it.
Even if the password is good, the validation error propagates up to the login page and there is no session established.
In the meantime, I've configured the IdP to do JAAS authentication per the IdPv3 documentation for this IdP and that's been working fine.
I would like to use the IdP's ldaptive methods for integrating with the directory instead of JAAS. (One of the reasons to upgrade to V3)
It seems like the only way to do that with this directory would be to modify the connection pooling's validation or disable pooling completely.
I think possibly the ideal solution would be to modify what the pool validator accepts as a valid response for a good connection.
It seems coded to look for a successful search, defaulting to the root DSE, and that's it. Perhaps it could be modified to look for other responses from the server as well?
(This directory says 'Not Authorized'... and I think that response is indicative of a good connection...)
If that can't be done, then perhaps disabling connection pooling altogether might be the way to go, but that would require some serious editing of ldap-authn-config.xml...
Thoughts?
Thanks,
Jeremy Scott
UW-Madison DoIT EIS Middleware Access Management
jeremy.scott at wisc.edu
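To make the failure mode in the post concrete, here is a small model of pool validation in a bind-search flow. This is an added example, not ldaptive's code or anything from the IdP: the Directory, Connection and Pool classes, the sample DN and password, and the two validator functions are all constructed for illustration. It contrasts a validator that accepts only a successful root DSE search (the behaviour described above) with one that also accepts an authorization refusal from the server as proof that the connection is alive, while still rejecting transport-level failures.

```python
"""Toy model of pool validation in a bind-search authenticator against a
directory that refuses anonymous root DSE searches.  Constructed example:
Directory, Connection and Pool are stand-ins, not ldaptive's classes."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Callable, Dict, List, Optional


class ResultCode(IntEnum):
    """Subset of LDAP result codes (RFC 4511) plus two client-side codes
    commonly used for transport failures."""
    SUCCESS = 0
    INVALID_CREDENTIALS = 49
    INSUFFICIENT_ACCESS_RIGHTS = 50
    UNWILLING_TO_PERFORM = 53
    SERVER_DOWN = 81
    CONNECT_ERROR = 91


@dataclass
class Directory:
    """Constructed directory: the root DSE is readable only by a bound
    identity when allow_anonymous is False (the setting from the post)."""
    allow_anonymous: bool
    users: Dict[str, str]  # dn -> password, plaintext only because this is a toy

    def bind(self, dn: str, password: str) -> ResultCode:
        if self.users.get(dn) == password:
            return ResultCode.SUCCESS
        return ResultCode.INVALID_CREDENTIALS

    def search_root_dse(self, bound_dn: Optional[str]) -> ResultCode:
        if bound_dn is None and not self.allow_anonymous:
            return ResultCode.INSUFFICIENT_ACCESS_RIGHTS
        return ResultCode.SUCCESS


@dataclass
class Connection:
    directory: Directory
    bound_dn: Optional[str] = None  # None means anonymous/unbound
    alive: bool = True

    def bind(self, dn: str, password: str) -> ResultCode:
        if not self.alive:
            return ResultCode.SERVER_DOWN
        rc = self.directory.bind(dn, password)
        # A failed bind leaves the connection anonymous (RFC 4511, 4.2.1).
        self.bound_dn = dn if rc == ResultCode.SUCCESS else None
        return rc

    def search_root_dse(self) -> ResultCode:
        if not self.alive:
            return ResultCode.SERVER_DOWN
        return self.directory.search_root_dse(self.bound_dn)


Validator = Callable[[Connection], bool]


def search_validator(conn: Connection) -> bool:
    """Models the behaviour described in the post: only a successful root
    DSE search counts as a healthy connection."""
    return conn.search_root_dse() == ResultCode.SUCCESS


# Codes that can only come from a live directory that parsed the request.
LIVE_SERVER_CODES = {ResultCode.SUCCESS,
                     ResultCode.INSUFFICIENT_ACCESS_RIGHTS,
                     ResultCode.UNWILLING_TO_PERFORM}


def liveness_validator(conn: Connection) -> bool:
    """Treats an authorization refusal as proof the connection is up; only
    transport-level codes (81, 91) fail validation."""
    return conn.search_root_dse() in LIVE_SERVER_CODES


class ValidationError(Exception):
    pass


class Pool:
    """Minimal pool that validates on both check-out and check-in."""

    def __init__(self, directory: Directory, validator: Validator):
        self.directory, self.validator = directory, validator
        self.idle: List[Connection] = []
        self.discarded = 0

    def check_out(self) -> Connection:
        conn = self.idle.pop() if self.idle else Connection(self.directory)
        if not self.validator(conn):
            self.discarded += 1
            raise ValidationError("connection failed validation on check-out")
        return conn

    def check_in(self, conn: Connection) -> None:
        if self.validator(conn):
            self.idle.append(conn)
        else:
            self.discarded += 1


def authenticate(pool: Pool, dn: str, password: str) -> str:
    """Bind step of a bind-search authenticator; returns what the login
    page would see: 'success', 'invalid_credentials' or 'validation_error'."""
    try:
        conn = pool.check_out()
    except ValidationError:
        return "validation_error"
    rc = conn.bind(dn, password)
    pool.check_in(conn)
    return "success" if rc == ResultCode.SUCCESS else "invalid_credentials"


if __name__ == "__main__":
    # Constructed sample user; the directory forbids anonymous root DSE reads.
    d = Directory(allow_anonymous=False,
                  users={"uid=jdoe,ou=people,dc=example,dc=org": "correct-horse"})
    for name, v in (("search_validator", search_validator),
                    ("liveness_validator", liveness_validator)):
        print(name, authenticate(Pool(d, v), "uid=jdoe,ou=people,dc=example,dc=org", "correct-horse"))
```

Run as-is, the strict validator turns a correct password into a validation error because the freshly created (anonymous) connection cannot read the root DSE, which is the symptom in the post; the liveness validator lets the bind proceed and also keeps a connection that went back to anonymous after a failed bind. The caveat for anyone loosening a validator this way is the dead-connection case: the accepted set must stay limited to codes a live server actually returned, or the pool will never evict connections to a directory that has gone away.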