Questions about making Shibboleth IdP Windows Installer easier to deploy [searchFilter, useStartTLS, Hostname/FQDN]

Fri May 19 07:19:36 EDT 2017

On Thu, 2017-05-18 at 15:01 +0100, Rod Widdowson wrote:
> Thanks for the feedback.

Thanks for picking up the thread.  Rod - I've raised JIRA cases, which
both appear to have landed in your queue.

> 
> I suggest that you take this to a JIRA case but you need to bear in
> mind that the MSI installer is just a skin on the standard
> installer.  It sets up a few property replacement files and then just
> runs it.
> 
> A few immediate thoughts:
> 
> > 
> > 1. The installer does the correct thing with
> > idp.authn.LDAP.userFilter=
> > and refers to sAMAccountName rather than uid, but not for
> > idp.attribute.resolver.LDAP.searchFilter=
> This was a conscious decision after significantly bad experiences
> with the V2 (and indeed V1) installer.  We make no attempt whatsoever
> to configure attributes.  These are far too site specific to be able
> to do anything but "mostly wrong" and we decided to make it
> "completely wrong" and move the burden to the deployer.  We can
> discuss further in the case, but this becomes very complicated very
> quickly (because of issues with XML editing).
> 
> 

I've raised this one in IDP-1175.

> > 
> > 2. The default installation of Microsoft AD supports neither
> > STARTTLS
> > or SSL (LDAPS).   Thus must users then just change useStartTLS to
> > false.   There's two trains of thought in my mind;
> > 
> > a) Keeping this hurdle deliberately reminds IdP operators that they
> > should be using something better than unencrypted LDAP on TCP port
> > 389

I should add for completeness it's not just TCP/389 is it, it would
also be TCP/3268 when its a Global Catalog.

> This is the only one I am prepared to countenance.  I want default
> installations to be secure and if people want to compromise their
> security (WireShark is simple to deploy and trivial to use) they
> should do it knowingly.

I'll leave this one where it is.   

> 
> > 
> > 3. During the Windows Installer it asks two questions on 'Configure
> > Shibboleth' (step 3).
> > 
> > * "Choose the DNS name for this IdP.  It will be used to generate
> > the
> > EntityID, Certificates and Metadata"
> > * "Choose the Scope that this IdP will assert"
> [snip]
> 
> I think that we can discuss this one in the case.  Any assistance in
> getting that critical decision right is always welcome.

I've raised this one in IDP-1176

> 
> Thanks again
> 
> /Rod
>  
> 

Cheers,

Jon

-- 
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT

No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5448 bytes
Desc: not available
URL: <http://shibboleth.net/pipermail/users/attachments/20170519/e49952c2/attachment.bin>