Need Help regarding certificate load and IDP metadata

Ram, Budh budh.ram at sap.com
Thu May 5 12:48:46 EDT 2016


Hi,

OK, if the line below is the problem, then what should I specify in it?

<MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>

I am new to Shibboleth; as per my understanding, it should have the metadata provider's certificate in this line. If I am wrong, can you please correct me?

Regards,
Budh Ram


-----Original Message-----
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of users-request at shibboleth.net
Sent: Thursday, May 5, 2016 7:03 PM
To: users at shibboleth.net
Subject: users Digest, Vol 59, Issue 22



Today's Topics:

   1. Re: Need Help regarding certificate load and IDP metadata
      (Nate Klingenstein)
   2. Re: [Ext] Re: Need Help regarding certificate load and IDP
      metadata (Nate Klingenstein)
   3. Re: Get list of groups in which user has membership in
      shibboleth with openLDAP (Chaitanya Kumar Ch)
   4. Re: attribute-resolver-ldap.xml and attribute-resolver.xml
      (Shweta Kautia)
   5. RE: attribute-resolver-ldap.xml and attribute-resolver.xml
      (Cantor, Scott)


----------------------------------------------------------------------

Message: 1
Date: Wed, 4 May 2016 21:32:58 -0600
From: Nate Klingenstein <ndk at sudonym.me>
To: Shib Users <users at shibboleth.net>
Subject: Re: Need Help regarding certificate load and IDP metadata
Message-ID: <AE9E656A-F229-4162-B4C7-D415185254D0 at sudonym.me>
Content-Type: text/plain; charset=utf-8

Budh,

I think there's a pretty good chance that you're trying to validate InCommon's signature using your certificate or an empty file. I would expect that to fail.

>            <MetadataFilter type="Signature" certificate="accounts400_idp_cert.pem"/>

Hope this helps,
Nate.

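A quick check for the misconfiguration Nate describes, added here as an example and not part of the thread: it reads the file named in the Signature filter's certificate attribute, confirms it is non-empty and holds a PEM certificate, and flags the case where it is the SP's own certificate rather than the metadata registrar's signing certificate. The function and file names are this example's own; the sample PEM blocks in the test are constructed, not real certificates.

```python
import base64
import hashlib
import re

# Matches each PEM certificate block; stdlib-only check written for this example.
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text):
    """SHA-256 fingerprints (hex) of every certificate block in the PEM text.

    Raises ValueError when a block is not base64 or not a DER SEQUENCE.
    """
    fingerprints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("PEM block does not decode to a DER certificate")
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def classify_signature_cert(filter_cert_pem, sp_own_cert_pem):
    """Classify the file named by <MetadataFilter type="Signature" certificate="..."/>.

    'empty'          file has no content at all
    'no-certificate' content present but no usable PEM certificate
    'same-as-own'    it is the SP's own certificate, which cannot verify the
                     metadata registrar's signature
    'ok'             a different certificate; still confirm it is the one the
                     registrar publishes for signing its metadata
    """
    if not filter_cert_pem.strip():
        return "empty"
    try:
        filter_fps = cert_fingerprints(filter_cert_pem)
    except ValueError:
        return "no-certificate"
    if not filter_fps:
        return "no-certificate"
    if set(filter_fps) & set(cert_fingerprints(sp_own_cert_pem)):
        return "same-as-own"
    return "ok"


def check_files(filter_cert_path, sp_cert_path):
    """Run the same check on the two files named in shibboleth2.xml."""
    with open(filter_cert_path) as flt, open(sp_cert_path) as own:
        return classify_signature_cert(flt.read(), own.read())
```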
------------------------------

Message: 2
Date: Wed, 4 May 2016 21:39:13 -0600
From: Nate Klingenstein <ndk at sudonym.me>
To: Shib Users <users at shibboleth.net>
Subject: Re: [Ext] Re: Need Help regarding certificate load and IDP
	metadata
Message-ID: <501534D8-6D5E-475D-95B4-D263746E6910 at sudonym.me>
Content-Type: text/plain; charset="utf-8"

> InCommon's

(or whoever your choice of metadata registrar is, sorry, didn't read that closely enough)

------------------------------

Message: 3
Date: Thu, 5 May 2016 09:57:20 +0530
From: Chaitanya Kumar Ch <chaitu381923 at gmail.com>
To: users at shibboleth.net
Subject: Re: Get list of groups in which user has membership in
	shibboleth with openLDAP
Message-ID:
	<CABBwwD_yS+auo4qVvGXeGgZ4QJ3qvA-RGg4MB9Fj=8WdAgBqoA at mail.gmail.com>
Content-Type: text/plain; charset="utf-8"

overlay is enough for me.
Followed this link <http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/>
to add the memberOf attribute, but I am not getting a memberOf result
while searching for the attribute using the query below:
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=ddharma)" -b dc=test,dc=com memberO

*Query Result*:
SASL/EXTERNAL authentication started
SASL username:
gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: cn=dharma,ou=people,dc=test,dc=com

*Please find the below attachments:*
1. ldap-structure.PNG : My ldap architecture. user "dharma" is member of
twitter, historical, powertarck groups.
2. backend.memberof.ldif
3. backend.refint.ldif

ldap-structure.PNG
<http://shibboleth.1660669.n2.nabble.com/file/n7625251/ldap-structure.PNG>
backend.ldif
<http://shibboleth.1660669.n2.nabble.com/file/n7625251/backend.ldif>


On Tue, May 3, 2016 at 9:05 PM, Chaitanya Kumar Ch <chaitu381923 at gmail.com>
wrote:

> Hi,
>
> I tried to get list of groups of a user by following
> https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
>
> but I am getting error in idp-process.log as distinguishedName always
> returning nothing.
>
> attribute-resolver.xml:
> <!-- get the user's DN from the main LDAP connector (myLDAP) for searching
>     the groups the user is in -->
> <resolver:AttributeDefinition id="distinguishedName"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="myLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> <!-- search for all groups the user is recursively in - and flatten the
> distinguishedName(s)
>     of all the groups into a single multivalued attribute -->
> <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
>     ldapURL="ldap://192.XXXXXXXX:389" baseDN="OU=Groups and
> Resources,DC=test,DC=com"
>     principal="CN=admin,DC=test,DC=com" principalCredential="XXXXXXX">
>     <resolver:Dependency ref="distinguishedName" />
>     <dc:FilterTemplate>
>         <![CDATA[
>             (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
>         ]]>
>     </dc:FilterTemplate>
>     <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
>     <dc:LDAPProperty name="java.naming.referral" value="follow" />
> </resolver:DataConnector>
>
> <!-- define the memberOf attribute based on the distinguishedName
> attribute
>     returned by the groupLDAP connector - names of all groups the user is
> in -->
> <resolver:AttributeDefinition id="memberOf"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="groupLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> Please help me.
>
> --
> Thank You,
> Chaitanya Kumar Ch,
> +91 9550837582
>



-- 
Thank You,
Chaitanya Kumar Ch,
+91 9550837582

------------------------------

Message: 4
Date: Thu, 5 May 2016 12:51:13 +0000
From: Shweta Kautia <skautia at northcarolina.edu>
To: Shib Users <users at shibboleth.net>
Subject: Re: attribute-resolver-ldap.xml and attribute-resolver.xml
Message-ID: <0ED11E9C-BDC1-4C95-8547-703B2C376B02 at northcarolina.edu>
Content-Type: text/plain; charset="utf-8"

Peter/Scott,

So, based on your replies, I emptied the -ldap.xml file, copied over to attribute-resolver.xml. Now the DC is not producing any attribs. I have the log attached below.
I have all vars used in myLDAP DC defined in ldap.properties. Some relevant ones here:
idp.authn.LDAP.userFilter                       = (uid={sAMAccountName})
idp.attribute.resolver.LDAP.searchFilter        = (uid=${resolutionContext.principal})
idp.attribute.resolver.LDAP.returnAttributes	=cn,sn,displayName,mail,sAMAccountName,givenName.


Question: What is causing no entries to be returned, even after uid is found? "Results did not contain any entries, nothing to map".


Attempting to resolve the following attribute definitions [uid, mail, eduPersonScopedAffiliation, displayName, logoutURL, givenName, eduPersonPrincipalName, sn]
2016-05-04 14:42:14,276 - TRACE [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:251] - Attribute Resolver 'ShibbolethAttributeResolver': Beginning to resolve attribute definition 'uid'
2016-05-04 14:42:14,276 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:372] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving dependencies for 'uid'
2016-05-04 14:42:14,277 - DEBUG [net.shibboleth.idp.attribute.resolver.impl.AttributeResolverImpl:329] - Attribute Resolver 'ShibbolethAttributeResolver': Resolving data connector myLDAP
2016-05-04 14:42:14,278 - TRACE [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:165] - Creating search filter using attribute resolution context net.shibboleth.idp.attribute.resolver.context.AttributeResolutionContext at 3ece7128
2016-05-04 14:42:14,279 - TRACE [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:170] - Adding v2 request context V2SAMLProfileRequestContext{Id=null, PrincipalName=skautia, PeerEntityId=https://......./sp/shibboleth, LocalEntityId=https://......../idp/shibboleth}
2016-05-04 14:42:14,282 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:212] - Template text (uid=${resolutionContext.principal}) yields (uid=skautia)
2016-05-04 14:42:14,417 - TRACE [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.AbstractExecutableSearchFilterBuilder:62] - Search returned response [org.ldaptive.Response at 1833608032::result=[org.ldaptive.SearchResult at 4303153::entries=[], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[.......], messageId=-1]
2016-05-04 14:42:14,418 - TRACE [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:165] - Data Connector 'myLDAP': Search returned [org.ldaptive.SearchResult at 4303153::entries=[], references=[]]
2016-05-04 14:42:14,418 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.StringAttributeValueMappingStrategy:60] - Results did not contain any entries, nothing to map
2016-05-04 14:42:14,419 - TRACE [net.shibboleth.idp.attribute.resolver.dc.impl.AbstractSearchDataConnector:190] - Data Connector 'myLDAP': Resolved attributes: null
2016-05-04 14:42:14,419 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:136] - myLDAP no attributes were produced during resolution
2016-05-04 14:42:14,420 - INFO [net.shibboleth.idp.attribute.resolver.AbstractResolverPlugin:191] - Resolver plugin 'myLDAP' produced no value.


Thanks,
Shweta



> On May 4, 2016, at 1:00 PM, Peter Schober <peter.schober at univie.ac.at> wrote:
> 
> * Shweta Kautia <skautia at northcarolina.edu> [2016-05-04 18:56]:
>> We are setting up 3.2.1 from scratch. We're moving up from V2, and
>> I'm fairly new at this setup. Quick question(s)- do
>> attribute-resolver-ldap.xml and attribute-resolver.xml work in
>> coexistence or only either is to be used?
> 
> I think the idea what that you'd pick either one you want to start
> from, possibly copying attribute-resolver-ldap.xml to
> attribute-resolver.xml. Either way a single resolver config file
> should suffice, so that's where all definitions go.
> -peter
> -- 
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net

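A small parser for the trace Shweta posted, added as an example and not part of the thread: it pulls the rendered search filter, the ldaptive result code, whether any entry came back, whether the server returned referrals, and the connector name out of idp-process.log lines, and turns them into a hint on where to look next. The three sample lines are taken from her post with the logger package names shortened and her redactions kept; the function names are this example's own.

```python
import re

# Patterns for the three idp-process.log lines that matter when a data
# connector yields nothing: the rendered filter, the ldaptive search result,
# and the resolver's final verdict. Constructed for this example, not IdP code.
FILTER_RE = re.compile(r"Template text \((.+?)\) yields \((.+?)\)")
RESULT_RE = re.compile(
    r"entries=\[(.*?)\].*?resultCode=(\w+).*?referralURLs=\[(.*?)\]")
NOVALUE_RE = re.compile(r"Resolver plugin '(\w+)' produced no value")

# Three lines from the posted trace (package prefixes shortened, redactions kept).
SAMPLE_LOG = """\
2016-05-04 14:42:14,282 - DEBUG [...TemplatedExecutableSearchFilterBuilder:212] - Template text (uid=${resolutionContext.principal}) yields (uid=skautia)
2016-05-04 14:42:14,417 - TRACE [...AbstractExecutableSearchFilterBuilder:62] - Search returned response [org.ldaptive.Response at 1833608032::result=[org.ldaptive.SearchResult at 4303153::entries=[], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[.......], messageId=-1]
2016-05-04 14:42:14,420 - INFO [...AbstractResolverPlugin:191] - Resolver plugin 'myLDAP' produced no value.
"""


def diagnose(s):
    """Turn the extracted fields into a one-line hint on where to look next."""
    if s["result_code"] and s["result_code"] != "SUCCESS":
        return "LDAP returned %s: check bind DN, credentials and URL" % s["result_code"]
    if s["result_code"] == "SUCCESS" and s["entries_empty"]:
        hint = "search %s succeeded but matched nothing under baseDN" % s["filter"]
        if s["referrals"]:
            hint += "; the server returned referrals, so the entry may sit in another naming context"
        return hint + ": check baseDN and the attribute used in searchFilter"
    return "entries were returned; look at returnAttributes and the mapping instead"


def summarize_connector_trace(log_text):
    """Pull filter, result code, entry presence, referrals and connector name from a trace."""
    s = {"template": None, "filter": None, "result_code": None,
         "entries_empty": None, "referrals": False, "connector": None}
    for line in log_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            s["template"], s["filter"] = "(%s)" % m.group(1), "(%s)" % m.group(2)
        m = RESULT_RE.search(line)
        if m:
            s["result_code"] = m.group(2)
            s["entries_empty"] = not m.group(1).strip()
            s["referrals"] = bool(m.group(3).strip())
        m = NOVALUE_RE.search(line)
        if m:
            s["connector"] = m.group(1)
    s["diagnosis"] = diagnose(s)
    return s
```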

------------------------------

Message: 5
Date: Thu, 5 May 2016 13:33:00 +0000
From: "Cantor, Scott" <cantor.2 at osu.edu>
To: Shib Users <users at shibboleth.net>
Subject: RE: attribute-resolver-ldap.xml and attribute-resolver.xml
Message-ID:
	<9846A6064BD102419D06814DD0D78DE1128EF0C9 at CIO-TNC-D2MBX02.osuad.osu.edu>
	
Content-Type: text/plain; charset="utf-8"

> So, based on your replies, I emptied the -ldap.xml file, copied over to
> attribute-resolver.xml.

You said you're upgrading from V2. That means you already have a resolver file, and you should be using it.

If you follow the upgrade instructions, you would already be using it since you would have upgraded the original configuration directly. That's what you should do.

-- Scott


------------------------------


------------------------------

End of users Digest, Vol 59, Issue 22