IdP AuthN LDAP Connection Pooling + Directory with disabled anonymous binds...

Daniel Fisher dfisher at vt.edu
Mon Apr 25 14:29:16 EDT 2016


On Mon, Apr 25, 2016 at 1:39 PM, Jeremy A Scott <jeremy.scott at wisc.edu>
wrote:

> I think possibly the ideal solution would be to modify what the pool
> validator accepts as a valid response for a good connection.
> It seems coded to look for a successful search, defaulting to the root
> DSE, and that's it. Perhaps it could be modified to look for other
> responses from the server as well?
> (This directory says 'Not Authorized'... and I think that response is
> indicative of a good connection...)
>

The current implementation checks for a result size > 0. Perhaps that could
be improved by checking the result code instead. (What result code is your
directory returning?)
Also, you may want to try the CompareValidator to see whether that
operation is allowed for anonymous connections.


>
> If that can't be done, then perhaps disabling connection pooling
> altogether might be the way to go, but that would require some serious
> editing of ldap-authn-config.xml...
>

The editing isn't particularly bad, but there may be another option. You
could configure a BindPassivator on the pool, that binds as your service
account. This would put idle connections back into a state that works for
validation. Of course, this option requires editing the config as well...

Let me know which option you prefer and I'll help you with the config.

--Daniel Fisher
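As an added illustration (not from this thread, and not the IdP's shipped ldap-authn-config.xml), here is a Spring fragment wiring the two suggestions above into a ldaptive connection pool. It assumes the ldaptive 1.x API bundled with IdP 3.x (BlockingConnectionPool, CompareValidator, BindPassivator), the IdP's idp.authn.LDAP.bindDN / idp.authn.LDAP.bindDNCredential properties from ldap.properties, and hypothetical bean ids (example.*, poolConfig, connectionFactory).

```xml
<!-- Added example; bean ids and the poolConfig/connectionFactory refs are assumed. -->

<!-- Option 1: validate idle connections with an LDAP compare instead of a search.
     Daniel's suggestion is to try the validator's default compare request first,
     to see whether the directory permits that operation on an anonymous session. -->
<bean id="example.CompareValidator" class="org.ldaptive.pool.CompareValidator" />

<!-- Option 2: keep the search-based validator, but re-bind each connection as the
     IdP's service account when it is returned to the pool. Idle connections then
     never sit in an anonymous state, so the periodic root DSE search is authorized.
     The credentials come from ldap.properties, not from this file. -->
<bean id="example.BindPassivator" class="org.ldaptive.pool.BindPassivator">
  <property name="bindRequest">
    <bean class="org.ldaptive.BindRequest">
      <constructor-arg value="%{idp.authn.LDAP.bindDN}" />
      <constructor-arg>
        <bean class="org.ldaptive.Credential">
          <constructor-arg value="%{idp.authn.LDAP.bindDNCredential}" />
        </bean>
      </constructor-arg>
    </bean>
  </property>
</bean>

<!-- Hypothetical pool bean showing where each piece plugs in. Use one option or
     both; the validator runs the health check, the passivator runs on check-in. -->
<bean id="example.Pool" class="org.ldaptive.pool.BlockingConnectionPool">
  <constructor-arg ref="poolConfig" />
  <constructor-arg ref="connectionFactory" />
  <property name="validator" ref="example.CompareValidator" />
  <property name="passivator" ref="example.BindPassivator" />
</bean>
```

With the passivator in place, a connection that a user authentication left bound as that user is also returned to the service-account identity before reuse, which is the state the validator expects.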