IdPv3 LDAP password issue

John Horne john.horne at plymouth.ac.uk
Fri Feb 26 07:25:36 EST 2016


Hello,

In our IdP configuration we have an LDAP data connector which uses a
userid and password to bind to the LDAP server. If I specify the LDAP
password directly in the attribute-resolver.xml file, then this works:

  principalCredential="abc123"

However, looking at the example 'attribute-resolver-ldap.xml' file, if
I change our attribute-resolver.xml file and modify the ldap.properties
file accordingly, then we get an error when using:

  principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"

The error indicates it is the credentials that are failing:

=====
2016-02-26 12:17:09,420 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:143] - Data Connector 'myLDAP': Invalid connector configuration
net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.LdapException at 1744389827::resultCode=INVALID_CREDENTIALS, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1], providerException=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]]
=====

The password itself is obviously more complex than 'abc123' I used
above, so I am wondering if there is some sort of processing going on
which is objecting (or mis-interpreting) one of the password
characters.

As said we can put the password directly into the attribute-resolver.xml
file and it works fine. We are curious though as to why setting it in
the ldap.properties file causes LDAP to fail.



Thanks,

John.

-- 
John Horne                   Tel: +44 (0)1752 587287
Plymouth University, UK
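An added check, not part of John's post or of the IdP's own code, written in Java because java.util.Properties is the loader behind ldap.properties: it feeds constructed key=value lines through the loader to show which characters it alters (backslashes, leading blanks, \uXXXX, line continuation), and uses Properties.store to produce a line that loads back to the intended password unchanged. The key name comes from the post; every password value is constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.util.Properties;

public class PropertiesPasswordCheck {
    static final String KEY = "idp.attribute.resolver.LDAP.bindDNCredential";

    /** Value the Properties loader actually produces for the given file text. */
    static String loadValue(String fileText) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(fileText));
        return p.getProperty(KEY);
    }

    /** The key=value line that loads back to exactly this password. */
    static String escapedLine(String password) throws IOException {
        Properties p = new Properties();
        p.setProperty(KEY, password);
        StringWriter w = new StringWriter();
        p.store(w, null);                  // store() escapes \ : = # ! and leading blanks
        for (String l : w.toString().split("\\r?\\n")) {
            if (l.startsWith(KEY + "=")) return l;
        }
        throw new IllegalStateException("key was not written");
    }

    public static void main(String[] args) throws IOException {
        // Constructed passwords typed "as is" into ldap.properties.
        String[] naive = {
            KEY + "=pa\\ss:w0rd",       // backslash before 's' is silently dropped
            KEY + "=  lead ing ",       // leading blanks stripped, trailing blank kept
            KEY + "=ab\\u0041c",        // \u0041 is decoded to the character 'A'
            KEY + "=pa#ss!word",        // # and ! are only comments at line start
            KEY + "=end\\\nnext=line",  // trailing backslash joins the next line
        };
        for (String text : naive) {
            System.out.printf("%-45s -> [%s]%n",
                text.replace("\n", "\\n"), loadValue(text));
        }
        // Constructed real password: print the line that survives loading intact.
        String real = "p@\\ss:w0rd #1";
        String line = escapedLine(real);
        System.out.println(line);
        System.out.println(loadValue(line).equals(real) ? "round-trip OK" : "MISMATCH");
    }
}
```

Comparing the loaded value with the password that works when placed directly in attribute-resolver.xml shows whether the properties loader, rather than LDAP, is changing it.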



