Shib v3 IDP with multiple OU's

Daniel McDonald daniel.mcdonald at umb.edu
Wed Aug 17 12:13:44 EDT 2016


Thanks Dave, but unfortunately all the OUs are top level; there's nothing 
above them. And we also have some OUs we want to avoid checking, so we 
don't do subtree searches.

Dan

On 08/16/2016 04:53 AM, Dave Perry wrote:
>
> (should have noted, that goes in ldap.properties)
>
> _________________________________________________
>
> Dave Perry
> eLearning Technologist, Hull College Group
>
> Room L34 - Queens Gardens Library
> Wilberforce Drive, Queen's Gardens, Hull, HU1 3DG
> Extension 2230 / Direct Dial 01482 381930
>
> ** Need a fast reply? Try elearning at hull-college.ac.uk 
> <mailto:elearning at hull-college.ac.uk> **
>
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Dave Perry
> Sent: 16 August 2016 09:48
> To: Shib Users
> Subject: RE: Shib v3 IDP with multiple OU's
>
> Just use something like this:
>
> idp.authn.LDAP.baseDN = ou=accounts,dc=domain,dc=local (so dc=umb,dc=edu for you)
>
> idp.authn.LDAP.subtreeSearch = true
>
> idp.authn.LDAP.userFilter = (samaccountname={user})
>
> Under Accounts, we have Staff and Students also. Then sites, then 
> departments… etc. And the above works fine.
>
> HTH,
>
> Dave
>
> From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Daniel McDonald
> Sent: 15 August 2016 22:53
> To: users at shibboleth.net <mailto:users at shibboleth.net>
> Subject: Shib v3 IDP with multiple OU's
>
> Hi,
>
> I'm trying to configure Shibboleth IdP 3.2.1 and having some probs 
> authenticating against our AD...
>
> We have multiple OUs with no account overlap:
> ou=Staff
> ou=Students
> ou=Faculty
>
> The doc for LDAPAuthnConfiguration 
> <https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration> 
> says that you can have
> idp.authn.LDAP.userFilter = (&(|(ou:dn:=people)(ou:dn:=guests))(uid={user}))
> and have it search multiple OUs.
>
> This works for me with just 1 OU in ldap.properties:
> idp.authn.LDAP.baseDN = ou=Staff,DC=umb,DC=edu
> idp.authn.LDAP.userFilter = (mail={user})
>
> But when I try to use what the docs suggest to use 2 OUs it doesn't work:
> idp.authn.LDAP.baseDN = DC=umb,DC=edu
> idp.authn.LDAP.userFilter = (&(|(ou:dn:=Staff)(ou:dn:=Students))(mail={user}))
>
> I noticed it says "Active Directory does not fully support extensible 
> match rules" and I'm assuming that's why it doesn't work.
>
> Does someone have a config that they use to connect to 2 or more OUs 
> in AD that they could share?
>
> Thanks!!
> Dan
>
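Added illustration, not from this thread or the Shibboleth project: the ou:dn:= term in the documented filter is an RFC 4511 extensible match with the dnAttributes flag set, asserting "some RDN of the entry's DN has ou equal to this value". The Python below evaluates that assertion client-side over constructed entries (the people, the Service OU and the mail values are made up) so you can see which entries (&(|(ou:dn:=Staff)(ou:dn:=Students))(mail={user})) would admit on a directory that supports it, and that an OU left out of the list stays excluded even with the domain root as search base.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample directory (not real umb.edu data): entry DN plus the
# mail attribute that the ldap.properties filter (mail={user}) matches on.
ENTRIES: Dict[str, Dict[str, str]] = {
    "CN=Alice,OU=Staff,DC=umb,DC=edu": {"mail": "alice@umb.edu"},
    "CN=Bob,OU=Students,DC=umb,DC=edu": {"mail": "bob@umb.edu"},
    "CN=Carol,OU=Faculty,DC=umb,DC=edu": {"mail": "carol@umb.edu"},
    "CN=svc-backup,OU=Service,DC=umb,DC=edu": {"mail": "svc-backup@umb.edu"},
}

# Split a DN on commas (or '+' inside a multi-valued RDN) that are not escaped.
_RDN_SPLIT = re.compile(r"(?<!\\),")
_AVA_SPLIT = re.compile(r"(?<!\\)\+")


def dn_attributes(dn: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs for every RDN component of the DN.
    Attribute types are lower-cased; values keep their escaping."""
    pairs = []
    for rdn in _RDN_SPLIT.split(dn):
        for ava in _AVA_SPLIT.split(rdn):
            attr_type, _, value = ava.partition("=")
            pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def dn_match(dn: str, attr_type: str, value: str) -> bool:
    """Client-side equivalent of the assertion (attr_type:dn:=value): true when
    any RDN of the entry's DN has that type and value. Comparison is
    case-insensitive, as the directory's caseIgnoreMatch rule would be."""
    want = (attr_type.lower(), value.lower())
    return any((t, v.lower()) == want for t, v in dn_attributes(dn))


def find_user(user: str, allowed_ous: List[str]) -> List[str]:
    """Emulate (&(|(ou:dn:=A)(ou:dn:=B)...)(mail={user})) over ENTRIES with the
    domain root as search base; returns the DNs the filter would admit."""
    return [
        dn for dn, attrs in ENTRIES.items()
        if attrs.get("mail", "").lower() == user.lower()
        and any(dn_match(dn, "ou", ou) for ou in allowed_ous)
    ]


if __name__ == "__main__":
    print(find_user("alice@umb.edu", ["Staff", "Students"]))   # Alice admitted
    print(find_user("carol@umb.edu", ["Staff", "Students"]))   # [] : Faculty not listed
```

On AD the same filter is not evaluated this way server-side, which is why the bind search returns nothing there; the emulation only shows what the documented filter means.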
