IdP AuthN LDAP Connection Pooling + Directory with disabled anonymous binds...

Jeremy A Scott jeremy.scott at wisc.edu
Mon Apr 25 19:48:51 EDT 2016


Hi,

Thanks for the reply!

This is what the directory responds with when a search without credentials occurs (this is from ldapsearch - code 48):

ldap_bind: Inappropriate authentication (48)
	additional info: Anonymous Simple Bind Disabled.

I'd like to use the pools as they were originally intended, so what are the options/config for returning the connections to the pool in a known state with BindPassivator?

Thanks,

-Jeremy


> On Apr 25, 2016, at 1:29 PM, Daniel Fisher <dfisher at vt.edu> wrote:
> 
> On Mon, Apr 25, 2016 at 1:39 PM, Jeremy A Scott <jeremy.scott at wisc.edu> wrote:
> I think possibly the ideal solution would be to modify what the pool validator accepts as a valid response for a good connection.
> It seems coded to look for a successful search, defaulting to the root DSE, and that's it. Perhaps it could be modified to look for other responses from the server as well?
> (This directory says 'Not Authorized'... and I think that response is indicative of a good connection...)
> 
> The current implementation checks for a result size > 0. Perhaps that could be improved by checking the result code instead. (What result code is your directory returning?).
> Also, you may want to try the CompareValidator to see whether that operation is allowed for anonymous connections.
>  
> 
> If that can't be done, then perhaps disabling connection pooling altogether might be the way to go, but that would require some serious editing of ldap-authn-config.xml...
> 
> The editing isn't particularly bad, but there may be another option. You could configure a BindPassivator on the pool, that binds as your service account. This would put idle connections back into a state that works for validation. Of course this option requires editing the config as well....
> 
> Let me know which option you prefer and I'll help you with the config.
> 
> --Daniel Fisher
> 
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
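The BindPassivator arrangement Daniel describes, written out as an added example against the ldaptive 1.x Java API (this is not code from the thread or from the IdP distribution; the IdP wires the equivalent beans through Spring in ldap-authn-config.xml). The host, service DN and password are placeholders, and the pool sizes and validation period are assumed values.

```java
// Added example, not from the mailing-list thread: an ldaptive 1.x pool whose
// connections are re-bound as the service account before they are returned to
// the pool, so the SearchValidator's root DSE search is sent on a bound
// connection instead of being rejected with result code 48.
import org.ldaptive.BindConnectionInitializer;
import org.ldaptive.BindRequest;
import org.ldaptive.ConnectionConfig;
import org.ldaptive.Credential;
import org.ldaptive.DefaultConnectionFactory;
import org.ldaptive.pool.BindPassivator;
import org.ldaptive.pool.BlockingConnectionPool;
import org.ldaptive.pool.PoolConfig;
import org.ldaptive.pool.PooledConnectionFactory;
import org.ldaptive.pool.SearchValidator;

public class AuthnPoolExample {

  public static PooledConnectionFactory buildPool() {
    // Placeholders: replace with the directory URL and service account for your IdP.
    final String serviceDn = "cn=idp-svc,ou=services,dc=example,dc=org";
    final Credential servicePw = new Credential("CHANGE-ME");

    final ConnectionConfig cc = new ConnectionConfig("ldaps://ldap.example.org");
    // Freshly opened connections start out bound as the service account,
    // so even a brand-new pooled connection is never anonymous.
    cc.setConnectionInitializer(new BindConnectionInitializer(serviceDn, servicePw));

    final PoolConfig pc = new PoolConfig();
    pc.setMinPoolSize(3);              // assumed sizing
    pc.setMaxPoolSize(10);
    pc.setValidateOnCheckIn(true);     // validate right after passivation
    pc.setValidatePeriodically(true);  // and periodically for idle connections
    pc.setValidatePeriod(300);         // seconds, assumed

    final BlockingConnectionPool pool =
        new BlockingConnectionPool(pc, new DefaultConnectionFactory(cc));
    // Passivator runs when a connection is handed back after a user bind
    // (successful or failed): rebind as the service account so the connection
    // is in a known state before the validator and the next borrower see it.
    pool.setPassivator(new BindPassivator(new BindRequest(serviceDn, servicePw)));
    // Default SearchValidator: base-scope search of the root DSE, which the
    // directory in this thread only permits on an authenticated connection.
    pool.setValidator(new SearchValidator());
    pool.initialize();
    return new PooledConnectionFactory(pool);
  }
}
```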
