Questions about making Shibboleth IdP Windows Installer easier to deploy [searchFilter, useStartTLS, Hostname/FQDN]
Jon.Agland at jisc.ac.uk
Fri May 19 07:19:36 EDT 2017
On Thu, 2017-05-18 at 15:01 +0100, Rod Widdowson wrote:
> Thanks for the feedback.
Thanks for picking up the thread. Rod - I've raised JIRA cases, which
both appear to have landed in your queue.
> I suggest that you take this to a JIRA case but you need to bear in
> mind that the MSI installer is just a skin on the standard
> installer. It sets up a few property replacement files and then just
> runs it.
> A few immediate thoughts:
> > 1. The installer does the correct thing with
> > idp.authn.LDAP.userFilter=
> > and refers to sAMAccountName rather than uid, but not for
> > idp.attribute.resolver.LDAP.searchFilter=
> This was a conscious decision after significantly bad experiences
> with the V2 (and indeed V1) installer. We make no attempt whatsoever
> to configure attributes. These are far too site specific to be able
> to do anything but "mostly wrong" and we decided to make it
> "completely wrong" and move the burden to the deployer. We can
> discuss further in the case, but this becomes very complicated very
> quickly (because of issues with XML editing).
I've raised this one in IDP-1175.
> > 2. The default installation of Microsoft AD supports neither
> > STARTTLS
> > or SSL (LDAPS). Thus must users then just change useStartTLS to
> > false. There's two trains of thought in my mind;
> > a) Keeping this hurdle deliberately reminds IdP operators that they
> > should be using something better than unencrypted LDAP on TCP port
> > 389
I should add for completeness it's not just TCP/389 is it, it would
also be TCP/3268 when its a Global Catalog.
> This is the only one I am prepared to countenance. I want default
> installations to be secure and if people want to compromise their
> security (WireShark is simple to deploy and trivial to use) they
> should do it knowingly.
I'll leave this one where it is.
> > 3. During the Windows Installer it asks two questions on 'Configure
> > Shibboleth' (step 3).
> > * "Choose the DNS name for this IdP. It will be used to generate
> > the
> > EntityID, Certificates and Metadata"
> > * "Choose the Scope that this IdP will assert"
> I think that we can discuss this one in the case. Any assistance in
> getting that critical decision right is always welcome.
I've raised this one in IDP-1176
> Thanks again
Jisc is a registered charity (number 1149740) and a company limited by
guarantee which is registered in England under Company No. 5747339, VAT
No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower
Hill, Bristol, BS2 0JA. T 0203 697 5800.
Jisc Services Limited is a wholly owned Jisc subsidiary and a company
limited by guarantee which is registered in England under company
number 2881024, VAT number GB 197 0632 86. The registered office is:
One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 5448 bytes
Desc: not available
More information about the users