authn eDirectory LDAP and grace logins

Glenn Wearen glenn.wearen at heanet.ie
Wed Jul 5 12:00:20 EDT 2017


Hi

I tried the Clemson NDS config (below) and have ldaptive running TRACE, 
but I cannot see the NDS error code returned for a user who has an 
expired password.

I know what the NDS error code is (using JXplorer) but I don't think 
ldaptive is handling it. I would appreciate it if any NDS Shib users could 
post sample configs.

Regards

Glenn

reading search result: cn=pptestglenn,ou=PPtest: null:null:No attributes
formatting relative dn 'cn=pptestglenn,ou=PPtest,o=myuni'
formatted dn 'cn=pptestglenn,ou=PPtest,o=myuni'
Received search 
item=[org.ldaptive.provider.SearchItem at 2029401882::searchEntry=[dn=cn=pptestglenn,ou=PPtest,o=myuni[], 
responseControls=null, messageId=-1]]
execute 
response=[org.ldaptive.Response at 1822149120::result=[org.ldaptive.SearchResult at -2029842160::entries=[[dn=cn=pptestglenn,ou=PPtest,o=myuni[], 
responseControls=null, messageId=-1]], references=[]], 
resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, 
referralURLs=null, messageId=-1] for 
request=[org.ldaptive.SearchRequest at -532422962::baseDn=o=myuni, 
searchFilter=[org.ldaptive.SearchFilter at -199321719::filter=(uid={user}), 
parameters={user=pptestGlenn}], returnAttributes=[1.1], 
searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null, 
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, 
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, 
followReferrals=false, intermediateResponseHandlers=null] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1458033141::config=[org.ldaptive.ConnectionConfig at 862292683::ldapUrl=ldaps://testldaps.myuni.ie:636, 
connectTimeout=3000, responseTimeout=-1, 
sslConfig=[org.ldaptive.ssl.SslConfig at 210203845::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 691e89b2, 
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, 
connectionInitializer=[org.ldaptive.BindConnectionInitializer at 285423600::bindDn=cn=webservicesproxy,o=myuni, 
bindSaslConfig=null, bindControls=null]], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 227104870::metadata=[ldapUrl=ldaps://testldaps.myuni.ie:636, 
count=1], 
environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.connect.timeout=3000, 
java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, 
java.naming.security.protocol=ssl, java.naming.ldap.version=3}, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 673699074::operationExceptionResultCodes=[PROTOCOL_ERROR, 
SERVER_DOWN], properties={}, 
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2ba97721, 
controlProcessor=org.ldaptive.provider.ControlProcessor at 4f61fc2e, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 340a977b]
no passivator configured
waiting on pool lock for check in 0
returned active connection: 
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 56e8affc
resolved dn=cn=pptestglenn,ou=PPtest,o=myuni for user=pptestGlenn
authenticate dn=cn=pptestglenn,ou=PPtest,o=myuni with 
request=[org.ldaptive.auth.AuthenticationRequest at 1743453620::user=pptestGlenn, 
retAttrs=[cn, passwordExpirationTime, passwordExpirationInterval, 
loginExpirationTime, loginGraceRemaining, loginDisabled, 
nspmPasswordPolicyDN ]]
authenticate 
criteria=[org.ldaptive.auth.AuthenticationCriteria at 1958111672::dn=cn=pptestglenn,ou=PPtest,o=myuni, 
authenticationRequest=[org.ldaptive.auth.AuthenticationRequest at 1743453620::user=pptestGlenn, 
retAttrs=[cn, passwordExpirationTime, passwordExpirationInterval, 
loginExpirationTime, loginGraceRemaining, loginDisabled, 
nspmPasswordPolicyDN ]]]
waiting on pool lock for check out 0
retrieve available connection from pool of size 3
waiting on pool lock for retrieve available 0
retrieved available connection: 
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 105ba75a
no activator configured
execute 
request=[org.ldaptive.BindRequest at 584538662::bindDn=cn=pptestglenn,ou=PPtest,o=myuni, 
saslConfig=null, 
controls=[[org.ldaptive.control.PasswordPolicyControl at -350057371::criticality=false, 
timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with 
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 274385235::config=[org.ldaptive.ConnectionConfig at 492236026::ldapUrl=ldaps://testldaps.myuni.ie:636, 
connectTimeout=3000, responseTimeout=-1, 
sslConfig=[org.ldaptive.ssl.SslConfig at 210203845::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 691e89b2, 
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, 
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false, 
connectionInitializer=null], 
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1751090856::metadata=[ldapUrl=ldaps://testldaps.myuni.ie:636, 
count=1], 
environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, 
com.sun.jndi.ldap.connect.timeout=3000, 
java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, 
java.naming.security.protocol=ssl, java.naming.ldap.version=3}, 
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1619549734::operationExceptionResultCodes=[PROTOCOL_ERROR, 
SERVER_DOWN], properties={}, 
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2ba97721, 
controlProcessor=org.ldaptive.provider.ControlProcessor at 714fd9fe, 
environment=null, tracePackets=null, removeDnUrls=true, 
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, 
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], 
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 5781b520]
processing request controls: 
[[org.ldaptive.control.PasswordPolicyControl at -350057371::criticality=false, 
timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]
produced provider request controls: [javax.naming.ldap.BasicControl at ea2e194]
naming exception class javax.naming.NamingException is ambiguous, maps 
to multiple result codes: [OPERATIONS_ERROR, ALIAS_PROBLEM, 
ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, AFFECTS_MULTIPLE_DSAS, OTHER]
could not find result code in naming exception LDAP response read timed 
out, timeout used:3000ms.
no passivator configured
waiting on pool lock for check in 0
returned active connection: 
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 105ba75a
Profile Action ValidateUsernamePasswordAgainstLDAP: Login by pptestGlenn 
produced exception
org.ldaptive.LdapException: javax.naming.NamingException: LDAP response 
read timed out, timeout used:3000ms.
         at 
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NamingException: LDAP response read timed out, 
timeout used:3000ms.
         at com.sun.jndi.ldap.Connection.readReply(Connection.java:490)


On 16/06/2016 19:07, cbaker wrote:
> That worked!  Alright here's my implementation so if anyone else asks you can
> just direct them here lol...
> Thanks so much Scott and Daniel!
>
> in *conf/ldap-authn-config.xml*:
>      
>      
>      <bean name="bindSearchAuthenticator"
> class="org.ldaptive.auth.Authenticator"
> p:authenticationResponseHandlers-ref="eDirAuthenticationResponseHandler"
> p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"
> p:entryResolver-ref="searchEntryResolver">
>          <constructor-arg index="0" ref="bindSearchDnResolver" />
>          <constructor-arg index="1" ref="authHandler" />
>      </bean>
>      <bean id="bindSearchDnResolver"
> class="org.ldaptive.auth.PooledSearchDnResolver"
>          p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
>          p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
>          p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
>          p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
>      <bean id="bindSearchPooledConnectionFactory"
> class="org.ldaptive.pool.PooledConnectionFactory"
>          p:connectionPool-ref="bindSearchConnectionPool" />
>      <bean id="bindSearchConnectionPool"
> class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
>          p:connectionFactory-ref="bindSearchConnectionFactory"
> p:name="search-pool" />
>      <bean id="bindSearchConnectionFactory"
> class="org.ldaptive.DefaultConnectionFactory"
> p:connectionConfig-ref="bindSearchConnectionConfig" />
>      <bean id="bindSearchConnectionConfig" parent="connectionConfig"
> p:connectionInitializer-ref="bindConnectionInitializer" />
>      <bean id="bindConnectionInitializer"
> class="org.ldaptive.BindConnectionInitializer"
>              p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
>          <property name="bindCredential">
>              <bean class="org.ldaptive.Credential">
>                  <constructor-arg
> value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
>              </bean>
>          </property>
>      </bean>
>      
>      
>      <bean id="searchEntryResolver"
> class="org.ldaptive.auth.SearchEntryResolver"
>          p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
>
>      <bean id="eDirAuthenticationResponseHandler"
> class="org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler" />
>      
>
> And I've set the following in *conf/ldap.properties*
> idp.authn.LDAP.subtreeSearch                    = true
> idp.authn.LDAP.returnAttributes                 = cn,passwordExpirationTime,passwordExpirationInterval,loginExpirationTime,loginGraceRemaining,loginDisabled,nspmPasswordPolicyDN
> idp.authn.LDAP.resolveEntryOnFailure            = true
>
>
> and in *messages/authn-messages.properties*
> NoGraces = no-graces
> no-graces.message = That username has no grace logins remaining.
>
>
> and finally in *views/login-error.vm*
> ## Velocity Template for login error message production, included by login.vm
> ##
> ## authenticationErrorContext - context containing error data, if available
> ##
> #if ($authenticationErrorContext && $authenticationErrorContext.getClassifiedErrors().size() > 0 && $authenticationErrorContext.getClassifiedErrors().iterator().next() != "ReselectFlow")
>     ## This handles errors that are classified by the message maps in the authentication config.
>     #set ($eventId = $authenticationErrorContext.getClassifiedErrors().iterator().next())
>
>     ## custom code to change eventKey
>     #if ($eventId == "InvalidPassword")
>         ## since we got InvalidPassword the ldapEntry should exist, no need to check for null
>         #set ($entry = $ldapResponseContext.getAuthenticationResponse().getLdapEntry())
>
>         ## If the RHS is a property or method reference that evaluates to null, it will not be assigned to the LHS,
>         ## so I have to init the grace attribute to false and then if the getAttribute fails and returns null
>         ## it won't overwrite the false.
>         #set ($graceAttr = false)
>         #set ($graceAttr = $entry.getAttribute("loginGraceRemaining"))
>         #if ($graceAttr)
>             #set ($graces = $graceAttr.getStringValue())
>             #if ($graces == "0")
>                 #set ($eventId = "NoGraces")
>             #end
>         #end
>     #end
>
>     #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "login"))
>     #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure: $eventId"))
> #elseif ($authenticationErrorContext && $authenticationErrorContext.getExceptions().size() > 0)
>     ## This handles login exceptions that are left unclassified.
>     #set ($loginException = $authenticationErrorContext.getExceptions().get(0))
>     #if ($loginException.getMessage())
>         #set ($message = "Login Failure: $loginException.getMessage()")
>     #else
>         #set ($message = $loginException.toString())
>     #end
> #end
>
> #if ($message)
>     <p class="toperror">$encoder.encodeForHTML($message)</p>
> #end
>
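Two things in this thread are worth checking mechanically rather than by eye: whether the user bind in a TRACE log actually produced a result code (in Glenn's excerpt it did not; the read timed out after 3000 ms and ldaptive could not map the JNDI NamingException to a result code, so no authentication response handler ever ran), and what cbaker's template would have made of the loginGraceRemaining attribute once a bind does come back. The Python below is an added example, not code from the thread, the Shibboleth IdP or ldaptive: it re-implements the template's classification and two-step message lookup as plain functions and walks constructed TRACE excerpts modelled on the one above ('@' where the list archive printed ' at '; object hashes and the INVALID_CREDENTIALS response line are made up). The function names, regexes and sample lines are the example's own assumptions.

```python
import re

# Constructed TRACE excerpt modelled on Glenn's: the bind is sent with the
# password-policy control, then the read times out and no resultCode is logged.
SAMPLE_TRACE_TIMEOUT = """\
execute request=[org.ldaptive.BindRequest@584538662::bindDn=cn=pptestglenn,ou=PPtest,o=myuni, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]]
processing request controls: [[org.ldaptive.control.PasswordPolicyControl@-350057371::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]
naming exception class javax.naming.NamingException is ambiguous, maps to multiple result codes: [OPERATIONS_ERROR, ALIAS_PROBLEM, OTHER]
could not find result code in naming exception LDAP response read timed out, timeout used:3000ms.
Profile Action ValidateUsernamePasswordAgainstLDAP: Login by pptestGlenn produced exception
"""

# Constructed excerpt of a bind the server did answer (response line is made up
# in the shape of the search response in the thread; hash values are invented).
SAMPLE_TRACE_REJECTED = """\
execute request=[org.ldaptive.BindRequest@1::bindDn=cn=pptestglenn,ou=PPtest,o=myuni, saslConfig=null, controls=[[org.ldaptive.control.PasswordPolicyControl@2::criticality=false, timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]]
execute response=[org.ldaptive.Response@3::result=null, resultCode=INVALID_CREDENTIALS, message=null, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1]
"""

# cbaker's authn-messages.properties entries, held in a dict for the example.
MESSAGES = {
    "NoGraces": "no-graces",
    "no-graces.message": "That username has no grace logins remaining.",
}

RESULT_CODE_RE = re.compile(r"resultCode=(?P<code>[A-Z_]+)")
PPOLICY_ERROR_RE = re.compile(r"PasswordPolicyControl[^\]]*error=(?P<err>\w+)")
NO_RESULT_RE = re.compile(r"could not find result code in naming exception (?P<msg>.+)")


def classify_login_error(event_id, entry_attrs):
    """Same decision as the Velocity snippet: an InvalidPassword whose resolved
    entry carries loginGraceRemaining == "0" becomes NoGraces; any other event,
    or a missing attribute, is left unchanged. entry_attrs maps name -> string."""
    if event_id == "InvalidPassword" and entry_attrs.get("loginGraceRemaining") == "0":
        return "NoGraces"
    return event_id


def resolve_message(event_id, messages=MESSAGES):
    """The template's two lookups: eventId -> eventKey (default "login"), then
    "<eventKey>.message" (default "Login Failure: <eventId>")."""
    event_key = messages.get(event_id, "login")
    return messages.get(f"{event_key}.message", f"Login Failure: {event_id}")


def summarize_bind(trace_lines):
    """Walk ldaptive TRACE lines in order and report what the user bind produced.
    Lines before the BindRequest belong to the DN-resolution search and are
    skipped. A bind that ends in an exception with no resultCode never reaches
    the authentication response handlers, so no eDirectory code can be shown."""
    summary = {"bind_sent": False, "ppolicy_error": None, "result_code": None, "exception": None}
    for line in trace_lines:
        if "org.ldaptive.BindRequest" in line:
            summary["bind_sent"] = True
            m = PPOLICY_ERROR_RE.search(line)
            if m:
                summary["ppolicy_error"] = m.group("err")
            continue
        if not summary["bind_sent"]:
            continue
        m = RESULT_CODE_RE.search(line)
        if m:
            summary["result_code"] = m.group("code")
        m = NO_RESULT_RE.search(line)
        if m:
            summary["exception"] = m.group("msg").strip()
    return summary


if __name__ == "__main__":
    print("timeout  :", summarize_bind(SAMPLE_TRACE_TIMEOUT.splitlines()))
    print("rejected :", summarize_bind(SAMPLE_TRACE_REJECTED.splitlines()))
    for attrs in ({"loginGraceRemaining": "0"}, {"loginGraceRemaining": "2"}, {}):
        event = classify_login_error("InvalidPassword", attrs)
        print(attrs, "->", event, "->", resolve_message(event))
```

Run against a real TRACE file (`summarize_bind(open(path).read().splitlines())`), a summary with `bind_sent` true, `result_code` None and a non-empty `exception` is the situation in Glenn's log: the directory never answered the bind within the timeout, so neither the password-policy control nor the loginGraceRemaining check can tell you anything until that is resolved.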
