IdP AuthN LDAP Connection Pooling + Directory with disabled anonymous binds...
Jeremy A Scott
jeremy.scott at wisc.edu
Mon Apr 25 19:48:51 EDT 2016
Thanks for the reply!
This is what the directory responds with when a search without credentials occurs (this is from ldapsearch - code 48):
ldap_bind: Inappropriate authentication (48)
additional info: Anonymous Simple Bind Disabled.
I'd like to use the pools as they were originally intended, so what are the options/config for returning the connections to the pool in a known state with BindPassivator?
> On Apr 25, 2016, at 1:29 PM, Daniel Fisher <dfisher at vt.edu> wrote:
> On Mon, Apr 25, 2016 at 1:39 PM, Jeremy A Scott <jeremy.scott at wisc.edu> wrote:
> I think possibly the ideal solution would be to modify what the pool validator accepts as a valid response for a good connection.
> It seems coded to look for a successful search, defaulting to the root DSE, and that's it. Perhaps it could be modified to look for other responses from the server as well?
> (This directory says 'Not Authorized'... and I think that response is indicative of a good connection...)
> The current implementation checks for a result size > 0. Perhaps that could be improved by checking the result code instead. (What result code is your directory returning?).
> Also, you may want to try the CompareValidator to see whether that operation is allowed for anonymous connections.
> If that can't be done, then perhaps disabling connection pooling altogether might be the way to go, but that would require some serious editing of ldap-authn-config.xml...
> The editing isn't particularly bad, but there may be another option. You could configure a BindPassivator on the pool, that binds as your service account. This would put idle connections back into a state that works for validation. Of course this options requires editing the config as well....
> Let me know which option you prefer and I'll help you with the config.
> --Daniel Fisher
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 2952 bytes
Desc: not available
More information about the users