users Digest, Vol 75, Issue 60
Selin R
selinr9982 at gmail.com
Sat Sep 16 12:34:52 EDT 2017
Earlier error:
org.ldaptive.LdapException: javax.naming.AuthenticationException: [LDAP:
error code 49 - Invalid Credentials] at
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 -
Invalid Credentials] at
com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3136)
2017-09-16 12:44:57,470 - WARN
[org.ldaptive.pool.BlockingConnectionPool:600] - unable to create active
connection
2017-09-16 12:44:57,470 - ERROR
[org.ldaptive.pool.BlockingConnectionPool:197] - Could not service check
out request
2017-09-16 12:44:57,472 - ERROR
[net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator:152]
- Connection factory validation failed
org.ldaptive.pool.PoolExhaustedException: Pool is empty and connection
creation failed at
org.ldaptive.pool.BlockingConnectionPool.getConnection(BlockingConnectionPool.java:198)
2017-09-16 12:44:57,473 - ERROR
[net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:145]
- Data Connector 'myLDAP': Invalid connector configuration
My attribute-resolver.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<AttributeResolver
        xmlns="urn:mace:shibboleth:2.0:resolver"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
                            http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">

    <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped"
                         sourceAttributeID="eduPersonPrincipalName">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1ScopedString"
                          name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2ScopedString"
                          name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                          friendlyName="eduPersonPrincipalName" encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="uid" xsi:type="Simple" sourceAttributeID="uid">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
                          name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
                          name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
                          encodeType="false" />
    </AttributeDefinition>

    <AttributeDefinition id="mail" xsi:type="Simple" sourceAttributeID="mail">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String"
                          name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String"
                          name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
                          encodeType="false" />
    </AttributeDefinition>

    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
                   ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
                   baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
                   principal="%{idp.attribute.resolver.LDAP.bindDN}"
                   principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
                   useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
                   connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
                   responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ConnectionPool
                minPoolSize="%{idp.pool.LDAP.minSize:0}"
                maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
                blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
                validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
                validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT3S}"
                expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
                failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}"
                />
    </DataConnector>
</AttributeResolver>
On Sat, Sep 16, 2017 at 9:30 PM, <users-request at shibboleth.net> wrote:
>
> Today's Topics:
>
> 1. LDAP configuration with shibboleth Idp (Selin R)
> 2. RE: LDAP configuration with shibboleth Idp (Rod Widdowson)
> 3. Re: LDAP Integration Error (Peter Schober)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 16 Sep 2017 20:03:24 +0530
> From: Selin R <selinr9982 at gmail.com>
> To: users at shibboleth.net
> Subject: LDAP configuration with shibboleth Idp
> Message-ID:
> <CAMN5t_cJEM2UnmfgULgeaYDt3JHy2F-PaA8Pd0q7irZX1s097A at mail.
> gmail.com>
> Content-Type: text/plain; charset="utf-8"
>
> I got the following error while integrating LDAP with Shibboleth:
>
>
> net.shibboleth.utilities.java.support.service.ServiceException:
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'myLDAP': Invocation of init method failed; nested exception
> is
> net.shibboleth.utilities.java.support.component.
> ComponentInitializationException:
> Data Connector 'myLDAP': Invalid connector configuration
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'shibboleth.metrics.RegisterMetricSets$child#0' defined in
> file [/opt/shibboleth-idp/system/conf/../../conf/admin/metrics.xml]:
> Cannot
> resolve reference to bean 'shibboleth.metrics.AttributeResolverGaugeSet'
> while setting bean property 'arguments' with key [7]; nested exception is
> org.springframework.beans.factory.BeanCreationException: Error creating
> bean with name 'shibboleth.metrics.AttributeResolverGaugeSet' defined in
> file [/opt/shibboleth-idp/system/conf/general-admin-system.xml]:
> Invocation
> of init method failed; nested exception is
> net.shibboleth.utilities.java.support.component.
> ComponentInitializationException:
> Injected service was null or not an AttributeResolver
>
> *attribute-resolver.xml*
> <?xml version="1.0" encoding="UTF-8"?>
> <AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
> http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
> <?xml
> version="1.0" encoding="UTF-8"?> <AttributeResolver
> xmlns="urn:mace:shibboleth:2.0:resolver"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver
> http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd">
> <AttributeDefinition id="eduPersonPrincipalName" xsi:type="Prescoped"
> sourceAttributeID="eduPersonPrincipalName"> <Dependency
> ref="myLDAP"
> /> <AttributeEncoder xsi:type="SAML1ScopedString"
> name="urn:mace:dir:attribute-def:eduPersonPrincipalName"
> encodeType="false"
> /> <AttributeEncoder xsi:type="SAML2ScopedString"
> name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
> friendlyName="eduPersonPrincipalName" encodeType="false" />
> </AttributeDefinition> <AttributeDefinition id="uid" xsi:type="Simple"
> sourceAttributeID="uid"> <Dependency ref="myLDAP" />
> <AttributeEncoder xsi:type="SAML1String"
> name="urn:mace:dir:attribute-def:uid" encodeType="false" />
> <AttributeEncoder xsi:type="SAML2String"
> name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"
> encodeType="false" /> </AttributeDefinition> <AttributeDefinition
> id="mail" xsi:type="Simple" sourceAttributeID="mail"> <Dependency
> ref="myLDAP" /> <AttributeEncoder xsi:type="SAML1String"
> name="urn:mace:dir:attribute-def:mail" encodeType="false" />
> <AttributeEncoder xsi:type="SAML2String"
> name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"
> encodeType="false" /> </AttributeDefinition> <DataConnector
> id="myLDAP" xsi:type="LDAPDirectory"
> ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
> baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
> principal="%{idp.attribute.resolver.LDAP.bindDN}"
> principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
> useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
> connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
> responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
> <FilterTemplate>
>
> <![CDATA[
> %{idp.attribute.resolver.LDAP.searchFilter}
> ]]>
>
>
> </FilterTemplate>
> <ConnectionPool
> minPoolSize="%{idp.pool.LDAP.minSize:0}"
> maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
> blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
> validatePeriodically="%{idp.pool.LDAP.
> validatePeriodically:true}"
>
> validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT3S}"
> expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
> failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}"
> />
> </DataConnector>
> </AttributeResolver>
>
> *ldap.properties*
> idp.authn.LDAP.authenticator = anonSearchAuthenticator
> idp.authn.LDAP.ldapURL = ldap://localhost:389
>
> idp.authn.LDAP.useStartTLS = false
> idp.authn.LDAP.useSSL = false
>
>
> idp.authn.LDAP.returnAttributes =
> passwordExpirationTime,loginGraceRemaining
>
>
>
> idp.authn.LDAP.baseDN = ou=Staff,dc=##,dc=#,dc=#
> #idp.authn.LDAP.subtreeSearch = false
> idp.authn.LDAP.userFilter = (uid={user})
> # for AD: idp.authn.LDAP.bindDN=adminuser at domain.com
> idp.authn.LDAP.bindDN = uid=#,ou=Staff
> idp.authn.LDAP.bindDNCredential = #
>
> idp.authn.LDAP.dnFormat =
> cn=%s,ou=Staff,dc=#,dc=#,dc=#
> idp.attribute.resolver.LDAP.returnAttributes = uid,mail
>
> idp.attribute.resolver.LDAP.ldapURL =
> %{idp.authn.LDAP.ldapURL}
> idp.attribute.resolver.LDAP.baseDN =
> %{idp.authn.LDAP.baseDN:undefined}
>
> idp.attribute.resolver.LDAP.bindDN =
> %{idp.authn.LDAP.bindDN:undefined}
>
> idp.attribute.resolver.LDAP.bindDNCredential =
> %{idp.authn.LDAP.bindDNCredential:undefined}
>
> idp.attribute.resolver.LDAP.useStartTLS =
> %{idp.authn.LDAP.useStartTLS:false}
> idp.attribute.resolver.LDAP.searchFilter =
> (uid=$requestContext.principal)
>
> idp.attribute.resolver.LDAP.responseTimeout = 30000
> idp.attribute.resolver.LDAP.connectTimeout = 30000
>
> ------------------------------
>
> Message: 2
> Date: Sat, 16 Sep 2017 16:20:53 +0100
> From: "Rod Widdowson" <rdw at steadingsoftware.com>
> To: "'Shib Users'" <users at shibboleth.net>
> Subject: RE: LDAP configuration with shibboleth Idp
> Message-ID: <00b801d32eff$63758260$2a608720$@steadingsoftware.com>
> Content-Type: text/plain; charset="utf-8"
>
> > I got the following error while integrating LDAP with Shibboleth:
>
> We heard (!).
>
> > Error creating bean with name 'shibboleth.metrics.AttributeResolverGaugeSet'
> defined in file [/opt/shibboleth-idp/system/conf/general-admin-system.xml]:
> Invocation of init
>
> There is a syntax error in your attribute resolver file and it failed to
> load. What you have reported is the damage downstream when the IdP tries
> to wire up a non-existent resolver configuration.
>
> Look for the (explicit) error further up the log file; you'll see the error there.
>
> I am having problems with your HTML but do you _really_ have two
> <AttributeResolver> lines in your file and two <?xml version blablabla>
> lines?
>
> R
>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 16 Sep 2017 17:21:08 +0200
> From: Peter Schober <peter.schober at univie.ac.at>
> To: users at shibboleth.net
> Subject: Re: LDAP Integration Error
> Message-ID: <20170916152108.7domfkfz7usgb2vo at aco.net>
> Content-Type: text/plain; charset=us-ascii
>
> * Selin R <selinr9982 at gmail.com> [2017-09-16 16:33]:
> > net.shibboleth.utilities.java.support.component.
> ComponentInitializationException:
> > Data Connector 'myLDAP': Invalid connector configuration
> > org.springframework.beans.factory.BeanCreationException: Error creating
> > bean with name 'shibboleth.metrics.RegisterMetricSets$child#0'
>
> Any error about the metrics subsystem usually is a side-effect of an
> earlier (unrelated to metrics, but related to your) error.
> So just look at earlier errors in the log. If you don't care about the
> content of your logs (i.e., this is not a production system) you can
> truncate your log and restart the IDP. Then look at the first WARN and
> ERROR you find there, fix, rinse and repeat.
> -peter
>
>
> ------------------------------
>
>