shibboleth IdP configuration with active directory
vaishali prajapati
vbprajapati39 at gmail.com
Mon Sep 11 08:40:01 EDT 2017
Hello All,
While configuring shibboleth IdP with active directory I got
following Error:
*Error generated during
login:[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by shibboleth
produced exception org.ldaptive.LdapException:
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
DSID-0C0906E8, comment: In order to perform this operation a successful
bind must be completed on the connection., data 0, v1db1^@]; remaining name
'ou=***,dc=***,dc=***' *
The configration of *ldap.properties* are as below:
## Authenticator strategy, either anonSearchAuthenticator,
bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator =bindSearchAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://172.16.0.2:389
#idp.authn.LDAP.useStartTLS = false
#idp.authn.LDAP.useSSL = false
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout = TS3M
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout = TS3M
## Return attributes during authentication
idp.authn.LDAP.returnAttributes =
passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator,
bindSearchAuthenticator
# for AD:DN:Users,OU=***,DC=***,DC=***
idp.authn.LDAP.baseDN = ou=***,dc=***,dc=***
#idp.authn.LDAP.subtreeSearch = false
idp.authn.LDAP.userFilter =(sAMAccountName={uid})
# bind search configuration
idp.authn.LDAP.bindDN
=uid=****,ou=***,dc=***,dc=***
idp.attribute.resolver.LDAP.bindDNCredential =****
# Format DN resolution, used by directAuthenticator, adAuthenticator
idp.authn.LDAP.dnFormat = ou=***,dc=***,dc=***
idp.attribute.resolver.LDAP.returnAttributes =
eduPersonPrincipalName,uid,sAMAccountName
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver
configurations
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout =
%{idp.authn.LDAP.connectTimeout:300}
idp.attribute.resolver.LDAP.responseTimeout =
%{idp.authn.LDAP.responseTimeout:300}
idp.attribute.resolver.LDAP.baseDN =
%{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN =
%{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential =
%{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS =
%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates =
%{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter =
(uid=$resolutionContext.principal)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 0
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = TS5M
#idp.pool.LDAP.prunePeriod = 600
#idp.pool.LDAP.idleTime = 600
The configration of *attribute-resolver.xml* are as below:
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
xmlns="urn:mace:shibboleth:2.0:resolver"
xmlns:sec="urn:mace:shibboleth:2.0:security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://
shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
urn:mace:shibboleth:2.0:security
http://shibboleth.net/schema/idp/shibboleth-security.xsd">
<AttributeDefinition xsi:type="Simple" id="uid"
sourceAttributeID="sAMAccountName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:uid" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="mail"
sourceAttributeID="mail">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="organizationalUnit"
sourceAttributeID="ou">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:ou" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11"
friendlyName="ou" encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement"
sourceAttributeID="eduPersonEntitlement">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
<AttributeEncoder xsi:type="SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId"
scope="%{idp.scope}" sourceAttributeID="localUniqueId">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName"
sourceAttributeID="eduPersonPrincipalName">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
<AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName"
encodeType="false" />
</AttributeDefinition>
<AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation"
scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
<Dependency ref="myLDAP" />
<AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
encodeType="false" />
<AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation"
encodeType="false" />
</AttributeDefinition>
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCre
dential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
</DataConnector>
</AttributeResolver>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170911/c22d3532/attachment-0001.html>
More information about the users
mailing list