IdPv3 LDAP password issue
John Horne
john.horne at plymouth.ac.uk
Fri Feb 26 07:25:36 EST 2016
Hello,
In our IdP configuration we have an LDAP data connector which uses a
userid and password to bind to the LDAP server. If I specify the LDAP
password directly in the attribute-resolver.xml file, then this works:
principalCredential="abc123"
However, looking at the example 'attribute-resolver-ldap.xml' file, if
I change our attribute-resolver.xml file and modify the ldap.properties
file accordingly, then we get an error when using:
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
The error indicates it is the credentials that are failing:
=====
2016-02-26 12:17:09,420 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:143] - Data Connector 'myLDAP': Invalid connector configuration
net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.LdapException at 1744389827::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]
=====
The password itself is obviously more complex than 'abc123' I used
above, so I am wondering if there is some sort of processing going on
which is objecting (or mis-interpreting) one of the password
characters.
As said, we can put the password directly into the attribute-resolver.xml
file and it works fine. We are curious though as to why setting it in
the ldap.properties file causes LDAP to fail.
Thanks,
John.
--
John Horne Tel: +44 (0)1752 587287
Plymouth University, UK
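As an added illustration (not from the post above or from the IdP code) of one processing step a value in ldap.properties does go through that an XML attribute literal does not: a Java .properties file is read with java.util.Properties, which treats backslash as an escape character and strips leading whitespace, so a password containing either is altered on load. The file contents below are constructed; the placeholder name is not from the page.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.Properties;

public class PropertiesEscapeDemo {
    // Constructed sample properties text: the same secret written three ways.
    // Java string escapes mean the file text actually read is shown in each comment.
    static final String SAMPLE =
        "# hypothetical bind credential entries\n" +
        "plain=abc\\d123\n" +          // file text: abc\d123
        "escaped=abc\\\\d123\n" +      // file text: abc\\d123
        "padded=   abc123 \n";         // file text: leading spaces before abc123

    static Properties load() throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(SAMPLE));
        return p;
    }

    public static void main(String[] args) throws IOException {
        Properties p = load();
        // Properties.load() drops an unrecognised backslash escape:
        // the file text abc\d123 is loaded as abcd123
        System.out.println("plain   -> " + p.getProperty("plain"));
        // A doubled backslash survives as a single literal backslash
        System.out.println("escaped -> " + p.getProperty("escaped"));
        // Leading whitespace is removed; trailing whitespace is kept
        System.out.println("padded  -> [" + p.getProperty("padded") + "]");
    }
}
```

Comparing what this prints against the value the XML literal form supplies is a quick way to check whether a given password survives the properties-file path unchanged.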