shibboleth IdP configuration with active directory

vaishali prajapati vbprajapati39 at gmail.com
Mon Sep 11 08:40:01 EDT 2017


Hello All,
             While configuring shibboleth IdP with active directory I got
following Error:


*Error generated during
login:[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:192]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by shibboleth
produced exception org.ldaptive.LdapException:
javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr:
DSID-0C0906E8, comment: In order to perform this operation a successful
bind must be completed on the connection., data 0, v1db1^@]; remaining name
'ou=***,dc=***,dc=***' *

The configration of *ldap.properties* are as below:

## Authenticator strategy, either anonSearchAuthenticator,
bindSearchAuthenticator, directAuthenticator, adAuthenticator
#idp.authn.LDAP.authenticator                   =bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL                          = ldap://172.16.0.2:389
#idp.authn.LDAP.useStartTLS                     = false
#idp.authn.LDAP.useSSL                          = false
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout                  = TS3M
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout                 = TS3M
## Return attributes during authentication
idp.authn.LDAP.returnAttributes                 =
passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator,
bindSearchAuthenticator
# for AD:DN:Users,OU=***,DC=***,DC=***
idp.authn.LDAP.baseDN                           = ou=***,dc=***,dc=***
#idp.authn.LDAP.subtreeSearch                   = false
idp.authn.LDAP.userFilter                       =(sAMAccountName={uid})
# bind search configuration

idp.authn.LDAP.bindDN
=uid=****,ou=***,dc=***,dc=***
idp.attribute.resolver.LDAP.bindDNCredential    =****
# Format DN resolution, used by directAuthenticator, adAuthenticator

idp.authn.LDAP.dnFormat                         = ou=***,dc=***,dc=***
idp.attribute.resolver.LDAP.returnAttributes    =
eduPersonPrincipalName,uid,sAMAccountName
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver
configurations
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      =
%{idp.authn.LDAP.connectTimeout:300}
idp.attribute.resolver.LDAP.responseTimeout     =
%{idp.authn.LDAP.responseTimeout:300}
idp.attribute.resolver.LDAP.baseDN              =
%{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              =
%{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential    =
%{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS         =
%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   =
%{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        =
(uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize                          = 0
#idp.pool.LDAP.maxSize                          = 10
#idp.pool.LDAP.validateOnCheckout          = false
#idp.pool.LDAP.validatePeriodically             = true
#idp.pool.LDAP.validatePeriod                   = TS5M
#idp.pool.LDAP.prunePeriod                      = 600
#idp.pool.LDAP.idleTime                         = 600

The configration of *attribute-resolver.xml* are as below:

<?xml version="1.0" encoding="UTF-8"?>

<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:sec="urn:mace:shibboleth:2.0:security"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://
shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                            urn:mace:shibboleth:2.0:security
http://shibboleth.net/schema/idp/shibboleth-security.xsd">


    <AttributeDefinition xsi:type="Simple" id="uid"
sourceAttributeID="sAMAccountName">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="mail"
sourceAttributeID="mail">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="organizationalUnit"
sourceAttributeID="ou">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:ou" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:2.5.4.11"
friendlyName="ou" encodeType="false" />
    </AttributeDefinition>


    <AttributeDefinition xsi:type="Simple" id="eduPersonAffiliation"
sourceAttributeID="eduPersonAffiliation">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:eduPersonAffiliation" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="eduPersonEntitlement"
sourceAttributeID="eduPersonEntitlement">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
name="urn:mace:dir:attribute-def:eduPersonEntitlement" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Scoped" id="eduPersonUniqueId"
scope="%{idp.scope}" sourceAttributeID="localUniqueId">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.13" friendlyName="eduPersonUniqueId"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Prescoped" id="eduPersonPrincipalName"
sourceAttributeID="eduPersonPrincipalName">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false"
/>
        <AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName"
encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Scoped" id="eduPersonScopedAffiliation"
scope="%{idp.scope}" sourceAttributeID="eduPersonAffiliation">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString"
name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9"
friendlyName="eduPersonScopedAffiliation"
encodeType="false" />
    </AttributeDefinition>



    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCre
dential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>


<![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>


        </FilterTemplate>

    </DataConnector>


</AttributeResolver>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20170911/c22d3532/attachment-0001.html>


More information about the users mailing list