authn eDirectory LDAP and grace logins
Glenn Wearen
glenn.wearen at heanet.ie
Wed Jul 5 12:00:20 EDT 2017
Hi
I tried the Clemson NDS config (below) and have ldaptive running TRACE,
but I cannot see the NDS error code returned for a user who has an
expired password.
I know what the NDS error code is (using Jxplorer) but I don't think
ldaptive is handling it. I would appreciate it if any NDS shib users could
post sample configs.
Regards
Glenn
reading search result: cn=pptestglenn,ou=PPtest: null:null:No attributes
formatting relative dn 'cn=pptestglenn,ou=PPtest,o=myuni'
formatted dn 'cn=pptestglenn,ou=PPtest,o=myuni'
Received search
item=[org.ldaptive.provider.SearchItem at 2029401882::searchEntry=[dn=cn=pptestglenn,ou=PPtest,o=myuni[],
responseControls=null, messageId=-1]]
execute
response=[org.ldaptive.Response at 1822149120::result=[org.ldaptive.SearchResult at -2029842160::entries=[[dn=cn=pptestglenn,ou=PPtest,o=myuni[],
responseControls=null, messageId=-1]], references=[]],
resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null,
referralURLs=null, messageId=-1] for
request=[org.ldaptive.SearchRequest at -532422962::baseDn=o=myuni,
searchFilter=[org.ldaptive.SearchFilter at -199321719::filter=(uid={user}),
parameters={user=pptestGlenn}], returnAttributes=[1.1],
searchScope=SUBTREE, timeLimit=0, sizeLimit=0, derefAliases=null,
typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=null, searchReferenceHandlers=null, controls=null,
followReferrals=false, intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1458033141::config=[org.ldaptive.ConnectionConfig at 862292683::ldapUrl=ldaps://testldaps.myuni.ie:636,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 210203845::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 691e89b2,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
connectionInitializer=[org.ldaptive.BindConnectionInitializer at 285423600::bindDn=cn=webservicesproxy,o=myuni,
bindSaslConfig=null, bindControls=null]],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 227104870::metadata=[ldapUrl=ldaps://testldaps.myuni.ie:636,
count=1],
environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
java.naming.security.protocol=ssl, java.naming.ldap.version=3},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 673699074::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2ba97721,
controlProcessor=org.ldaptive.provider.ControlProcessor at 4f61fc2e,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 340a977b]
no passivator configured
waiting on pool lock for check in 0
returned active connection:
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 56e8affc
resolved dn=cn=pptestglenn,ou=PPtest,o=myuni for user=pptestGlenn
authenticate dn=cn=pptestglenn,ou=PPtest,o=myuni with
request=[org.ldaptive.auth.AuthenticationRequest at 1743453620::user=pptestGlenn,
retAttrs=[cn, passwordExpirationTime, passwordExpirationInterval,
loginExpirationTime, loginGraceRemaining, loginDisabled,
nspmPasswordPolicyDN ]]
authenticate
criteria=[org.ldaptive.auth.AuthenticationCriteria at 1958111672::dn=cn=pptestglenn,ou=PPtest,o=myuni,
authenticationRequest=[org.ldaptive.auth.AuthenticationRequest at 1743453620::user=pptestGlenn,
retAttrs=[cn, passwordExpirationTime, passwordExpirationInterval,
loginExpirationTime, loginGraceRemaining, loginDisabled,
nspmPasswordPolicyDN ]]]
waiting on pool lock for check out 0
retrieve available connection from pool of size 3
waiting on pool lock for retrieve available 0
retrieved available connection:
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 105ba75a
no activator configured
execute
request=[org.ldaptive.BindRequest at 584538662::bindDn=cn=pptestglenn,ou=PPtest,o=myuni,
saslConfig=null,
controls=[[org.ldaptive.control.PasswordPolicyControl at -350057371::criticality=false,
timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 274385235::config=[org.ldaptive.ConnectionConfig at 492236026::ldapUrl=ldaps://testldaps.myuni.ie:636,
connectTimeout=3000, responseTimeout=-1,
sslConfig=[org.ldaptive.ssl.SslConfig at 210203845::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig at 691e89b2,
trustManagers=null, enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=true, useStartTLS=false,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory at 1751090856::metadata=[ldapUrl=ldaps://testldaps.myuni.ie:636,
count=1],
environment={java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
com.sun.jndi.ldap.connect.timeout=3000,
java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory,
java.naming.security.protocol=ssl, java.naming.ldap.version=3},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig at 1619549734::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$DefaultConnectionStrategy at 2ba97721,
controlProcessor=org.ldaptive.provider.ControlProcessor at 714fd9fe,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection at 5781b520]
processing request controls:
[[org.ldaptive.control.PasswordPolicyControl at -350057371::criticality=false,
timeBeforeExpiration=0, graceAuthNsRemaining=0, error=null]]
produced provider request controls: [javax.naming.ldap.BasicControl at ea2e194]
naming exception class javax.naming.NamingException is ambiguous, maps
to multiple result codes: [OPERATIONS_ERROR, ALIAS_PROBLEM,
ALIAS_DEREFERENCING_PROBLEM, LOOP_DETECT, AFFECTS_MULTIPLE_DSAS, OTHER]
could not find result code in naming exception LDAP response read timed
out, timeout used:3000ms.
no passivator configured
waiting on pool lock for check in 0
returned active connection:
org.ldaptive.pool.AbstractConnectionPool$DefaultPooledConnectionProxy at 105ba75a
Profile Action ValidateUsernamePasswordAgainstLDAP: Login by pptestGlenn
produced exception
org.ldaptive.LdapException: javax.naming.NamingException: LDAP response
read timed out, timeout used:3000ms.
at
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NamingException: LDAP response read timed out,
timeout used:3000ms.
at com.sun.jndi.ldap.Connection.readReply(Connection.java:490)
On 16/06/2016 19:07, cbaker wrote:
> That worked! Alright here's my implementation so if anyone else asks you can
> just direct them here lol...
> Thanks so much Scott and Daniel!
>
> in *conf/ldap-authn-config.xml*:
>
>
> <bean name="bindSearchAuthenticator"
> class="org.ldaptive.auth.Authenticator"
> p:authenticationResponseHandlers-ref="eDirAuthenticationResponseHandler"
> p:resolveEntryOnFailure="%{idp.authn.LDAP.resolveEntryOnFailure:false}"
> p:entryResolver-ref="searchEntryResolver">
> <constructor-arg index="0" ref="bindSearchDnResolver" />
> <constructor-arg index="1" ref="authHandler" />
> </bean>
> <bean id="bindSearchDnResolver"
> class="org.ldaptive.auth.PooledSearchDnResolver"
> p:baseDn="#{'%{idp.authn.LDAP.baseDN:undefined}'.trim()}"
> p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
> p:userFilter="#{'%{idp.authn.LDAP.userFilter:undefined}'.trim()}"
> p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
> <bean id="bindSearchPooledConnectionFactory"
> class="org.ldaptive.pool.PooledConnectionFactory"
> p:connectionPool-ref="bindSearchConnectionPool" />
> <bean id="bindSearchConnectionPool"
> class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool"
> p:connectionFactory-ref="bindSearchConnectionFactory"
> p:name="search-pool" />
> <bean id="bindSearchConnectionFactory"
> class="org.ldaptive.DefaultConnectionFactory"
> p:connectionConfig-ref="bindSearchConnectionConfig" />
> <bean id="bindSearchConnectionConfig" parent="connectionConfig"
> p:connectionInitializer-ref="bindConnectionInitializer" />
> <bean id="bindConnectionInitializer"
> class="org.ldaptive.BindConnectionInitializer"
> p:bindDn="#{'%{idp.authn.LDAP.bindDN:undefined}'.trim()}">
> <property name="bindCredential">
> <bean class="org.ldaptive.Credential">
> <constructor-arg
> value="%{idp.authn.LDAP.bindDNCredential:undefined}" />
> </bean>
> </property>
> </bean>
>
>
> <bean id="searchEntryResolver"
> class="org.ldaptive.auth.SearchEntryResolver"
> p:connectionFactory-ref="bindSearchPooledConnectionFactory" />
>
> <bean id="eDirAuthenticationResponseHandler"
> class="org.ldaptive.auth.ext.EDirectoryAuthenticationResponseHandler" />
>
>
> And I've set the following in *conf/ldap.properties*
> idp.authn.LDAP.subtreeSearch = true
> idp.authn.LDAP.returnAttributes = cn,passwordExpirationTime,passwordExpirationInterval,loginExpirationTime,loginGraceRemaining,loginDisabled,nspmPasswordPolicyDN
> idp.authn.LDAP.resolveEntryOnFailure =true
>
>
> and in *messages/authn-messages.properties*
> NoGraces = no-graces
> no-graces.message = That username has no grace logins remaining.
>
>
> and finally in *views/login-error.vm*
> ## Velocity Template for login error message production, included by login.vm
> ##
> ## authenticationErrorContext - context containing error data, if available
> ##
> #if ($authenticationErrorContext &&
> $authenticationErrorContext.getClassifiedErrors().size() > 0 &&
> $authenticationErrorContext.getClassifiedErrors().iterator().next() !=
> "ReselectFlow")
> ## This handles errors that are classified by the message maps in the authentication config.
> #set ($eventId =
> $authenticationErrorContext.getClassifiedErrors().iterator().next())
>
> ##custom code to change eventKey
> #if ($eventId == "InvalidPassword")
> ## since we got InvalidPassword the ldapEntry should exist, no need to check for null
> #set ($entry =
> $ldapResponseContext.getAuthenticationResponse().getLdapEntry())
>
> ## If the RHS is a property or method reference that evaluates to null, it will not be assigned to the LHS.
> ## so I have to init the grace attribute to false and then if the getAttribute fails and returns null
> ## it won't overwrite the false.
> #set ($graceAttr = false)
> #set ($graceAttr = $entry.getAttribute("loginGraceRemaining"))
> #if ($graceAttr)
> #set ($graces = $graceAttr.getStringValue())
> #if ($graces == "0")
> #set($eventId = "NoGraces")
> #end
> #end
> #end
>
> #set ($eventKey = $springMacroRequestContext.getMessage("$eventId",
> "login"))
> #set ($message =
> $springMacroRequestContext.getMessage("${eventKey}.message", "Login Failure:
> $eventId"))
> #elseif ($authenticationErrorContext &&
> $authenticationErrorContext.getExceptions().size() > 0)
> ## This handles login exceptions that are left unclassified.
> #set ($loginException =
> $authenticationErrorContext.getExceptions().get(0))
> #if ($loginException.getMessage())
> #set ($message = "Login Failure: $loginException.getMessage()")
> #else
> #set ($message = $loginException.toString())
> #end
> #end
>
> #if ($message)
> <p class="toperror">$encoder.encodeForHTML($message)</p>
> #end
>
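As an added illustration (not code from the thread, from ldaptive or from the IdP), here is the decision logic the quoted login-error.vm implements, written in Python and extended with the two cases the trace above exposes: a bind that never returns (read timeout, so there is no NDS error code to classify) and an entry that was not resolved on failure. The "NDS error: ... (-NNN)" diagnostic format, the sample entry and the GeneralizedTime helper are assumptions.

```python
# Added example; mirrors the quoted Velocity logic, not ldaptive/Shibboleth code.
import re
from datetime import datetime, timezone

# eDirectory bind failures carry a diagnostic such as
# "NDS error: failed authentication (-669)" (format assumed here).
NDS_ERROR = re.compile(r"NDS error:\s*(?P<text>[^(]+?)\s*\((?P<code>-\d+)\)")

# Constructed sample entry, shaped like the returnAttributes in the trace.
SAMPLE_ENTRY = {
    "cn": "pptestglenn",
    "passwordExpirationTime": "20170701000000Z",
    "loginGraceRemaining": "0",
    "loginDisabled": "FALSE",
}


def parse_nds_error(diagnostic):
    """Return (text, code) from an eDirectory diagnostic message, or None."""
    m = NDS_ERROR.search(diagnostic or "")
    return (m.group("text"), int(m.group("code"))) if m else None


def classify(result_code, diagnostic, attrs):
    """Map a bind outcome to the event id the login view looks up.

    result_code: ldaptive result code name, or None when no response arrived.
    attrs: resolved entry attributes, or None when the entry was not resolved.
    """
    if result_code is None:
        # The trace in the question ends here: the read timed out, so there is
        # no NDS code to act on and the IdP only sees an unclassified exception.
        return "UnclassifiedException"
    if result_code == "SUCCESS":
        return "Success"
    if attrs is None:
        # idp.authn.LDAP.resolveEntryOnFailure=false leaves nothing to inspect.
        return "InvalidPassword"
    # Same null-safe handling as the template: a missing attribute is not zero.
    graces = attrs.get("loginGraceRemaining")
    if graces is not None and str(graces).strip() == "0":
        return "NoGraces"
    return "InvalidPassword"


def password_expires_within(attrs, days, now):
    """True when passwordExpirationTime (GeneralizedTime, UTC) is < days away."""
    value = attrs.get("passwordExpirationTime")
    if not value:
        return False
    to_dt = lambda s: datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return (to_dt(value) - to_dt(now)).total_seconds() < days * 86400
```

The same check can be run on a successful bind to warn users before their last grace login is used up.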