Shibboleth IdP - configuration with Active Directory

vaishali prajapati vbprajapati39 at gmail.com
Tue Dec 4 02:41:35 EST 2018


Hi All,
Error generated while configuring AD with Shibboleth IdP version 3:
2018-12-03 17:48:58,285 - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] -
Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'tanujg'
succeeded
2018-12-03 17:48:58,938 - DEBUG [org.ldaptive.SearchOperation:138] -
execute request=[org.ldaptive.SearchRequest@1559215280::baseDn=ou=M***,dc=m***,dc=m***,dc=n***,
searchFilter=[org.ldaptive.SearchFilter@-1909578509::filter=(sAMAccountName=tanujg),
parameters={}], returnAttributes=[mail, sn, cn], searchScope=SUBTREE,
timeLimit=3000, sizeLimit=1, derefAliases=null, typesOnly=false,
binaryAttributes=null, sortBehavior=UNORDERED,
searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN,
addIfExists=false]], searchReferenceHandlers=null, controls=null,
followReferrals=false, intermediateResponseHandlers=null] with
connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1998378069
::config=[org.ldaptive.ConnectionConfig@1978747221::ldapUrl=ldap://localhost:389,
connectTimeout=3000, responseTimeout=3000,
sslConfig=[org.ldaptive.ssl.SslConfig@74209876
::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@4de95b72,
trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null,
enabledCipherSuites=null, enabledProtocols=null,
handshakeCompletedListeners=null], useSSL=false, useStartTLS=false,
connectionInitializer=null],
providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1527862708::metadata=[ldapUrl=ldap:/localhost:389,
count=1], environment={java.naming.referral=follow,
com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
com.sun.jndi.ldap.read.timeout=3000},
providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@117730519::operationExceptionResultCodes=[PROTOCOL_ERROR,
SERVER_DOWN], properties={java.naming.referral=follow},
connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@7959c753,
controlProcessor=org.ldaptive.provider.ControlProcessor@68760a51,
environment=null, tracePackets=null, removeDnUrls=true,
searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED,
PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]],
providerConnection=org.ldaptive.provider.jndi.JndiConnection@391b5e1e]
2018-12-03 17:48:58,950 - DEBUG
[org.ldaptive.provider.jndi.NamingExceptionUtils:358] - naming exception
class javax.naming.NamingException is ambiguous, maps to multiple result
codes: [OPERATIONS_ERROR, ALIAS_PROBLEM, ALIAS_DEREFERENCING_PROBLEM,
LOOP_DETECT, AFFECTS_MULTIPLE_DSAS, OTHER]
2018-12-03 17:48:58,955 - ERROR
[net.shibboleth.idp.profile.impl.ResolveAttributes:299] - Profile Action
ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector
'myLDAP': Unable to execute LDAP search
        at
net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(LDAPDataConnector.java:208)
Caused by: org.ldaptive.LdapException: javax.naming.NamingException: [LDAP:
error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to
perform this operation a successful bind must be completed on the
connection., data 0, v3839^@]; remaining name
'ou=M***,dc=m***,dc=m***,dc=n***'
        at
org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:77)
Caused by: javax.naming.NamingException: [LDAP: error code 1 - 000004DC:
LdapErr: DSID-0C090A4C, comment: In order to perform this operation a
successful bind must be completed on the connection., data 0, v3839^@]
        at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3194)


ldap.properties:
idp.authn.LDAP.authenticator                    = adAuthenticator
idp.authn.LDAP.ldapURL                          = ldap://localhost:389
idp.authn.LDAP.useStartTLS                      = false
idp.authn.LDAP.useSSL                           = false
idp.authn.LDAP.baseDN                           = ou=M***,dc=m***,dc=m***,dc=n***
idp.authn.LDAP.subtreeSearch                    = true
idp.authn.LDAP.userFilter                       = (sAMAccountName={user})
idp.authn.LDAP.bindDN = **@m**.m**.n**
idp.authn.LDAP.bindDNCredential                 = RJ14yd89 at 1
idp.authn.LDAP.dnFormat                         = %s@m**.m**.n**
idp.attribute.resolver.LDAP.searchFilter        = (sAMAccountName=$resolutionContext.principal)
idp.attribute.resolver.LDAP.returnAttributes    = mail,sn,cn

attribute-resolver.xml data connector:

 <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
     <dc:FilterTemplate>%{idp.attribute.resolver.LDAP.searchFilter}</dc:FilterTemplate>
     <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
     <dc:LDAPProperty name="java.naming.referral" value="follow"/>
 </resolver:DataConnector>
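The connector in the post is declared with only ldapURL and baseDN, and the message AD sends back ("In order to perform this operation a successful bind must be completed on the connection", error code 1, 000004DC) is what the server returns when an operation arrives on a connection that never bound. The script below is an added example, not code from the post or from the Shibboleth project: it loads an ldap.properties fragment, expands the IdP's %{key[:default]} placeholders, audits the dc:LDAPDirectory element for a bind principal and for StartTLS, and carries the same pair of files with principal, principalCredential and useStartTLS set. Hostnames, DNs and the credential are placeholders; the two idp.attribute.resolver.LDAP.ldapURL/baseDN lines are assumed to follow the stock file's mapping onto the idp.authn.LDAP values; the connector attribute names are those of the IdP v3 LDAPDirectory connector.

```python
"""Offline audit of a Shibboleth IdP v3 LDAPDirectory data connector.

Added example, not code from the post or from the Shibboleth project.
Hosts, DNs and credentials below are placeholders.
"""
import re
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")  # %{key} or %{key:default}

# Constructed ldap.properties mirroring the poster's; the two resolver
# ldapURL/baseDN lines are assumed to follow the stock file's mapping.
PROPS_FROM_POST = """
idp.authn.LDAP.ldapURL          = ldap://localhost:389
idp.authn.LDAP.useStartTLS      = false
idp.authn.LDAP.useSSL           = false
idp.authn.LDAP.baseDN           = ou=Users,dc=example,dc=test
idp.authn.LDAP.bindDN           = svc-idp@example.test
idp.authn.LDAP.bindDNCredential = changeit
idp.attribute.resolver.LDAP.ldapURL          = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN           = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.searchFilter     = (sAMAccountName=$resolutionContext.principal)
idp.attribute.resolver.LDAP.returnAttributes = mail,sn,cn
"""
# The connector as posted: no principal, principalCredential or useStartTLS.
CONNECTOR_FROM_POST = """
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
  <dc:FilterTemplate>%{idp.attribute.resolver.LDAP.searchFilter}</dc:FilterTemplate>
  <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
  <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>
"""
# Corrected pair: the resolver binds as the service account and both
# connections use StartTLS (a repeated key keeps its last value on load).
PROPS_FIXED = PROPS_FROM_POST + """
idp.authn.LDAP.useStartTLS                   = true
idp.attribute.resolver.LDAP.useStartTLS      = true
idp.attribute.resolver.LDAP.bindDN           = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
"""
CONNECTOR_FIXED = CONNECTOR_FROM_POST.replace(
    'baseDN="%{idp.attribute.resolver.LDAP.baseDN}">',
    'baseDN="%{idp.attribute.resolver.LDAP.baseDN}"\n'
    '    principal="%{idp.attribute.resolver.LDAP.bindDN}"\n'
    '    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"\n'
    '    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}">')


def parse_properties(text):
    """Minimal key=value loader; a repeated key keeps the last value."""
    props = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def resolve(value, props, depth=0):
    """Expand %{key[:default]} recursively; an unresolved key becomes ''."""
    if value is None:
        return None
    if depth > 16:
        raise ValueError("placeholder loop in " + value)

    def expand(m):
        key, default = m.group(1), m.group(2)
        if key in props:
            return resolve(props[key], props, depth + 1)
        return "" if default is None else default

    return PLACEHOLDER.sub(expand, value)


def audit(props_text, connector_xml):
    """Return [(code, message), ...]; an empty list means nothing to flag."""
    props = parse_properties(props_text)
    wrapped = (f'<root xmlns:resolver="{RESOLVER_NS}" xmlns:dc="{RESOLVER_NS}:dc" '
               f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">{connector_xml}</root>')
    dc = ET.fromstring(wrapped).find(f"{{{RESOLVER_NS}}}DataConnector")
    attr = lambda name: resolve(dc.get(name), props)
    unset = (None, "", "undefined")  # "undefined" is the stock default placeholder text
    findings = []
    if attr("principal") in unset or attr("principalCredential") in unset:
        findings.append(("resolver-no-bind", "connector has no principal/principalCredential, so the "
                         "search goes out unbound; AD rejects that with error code 1 / 000004DC"))
    url = attr("ldapURL") or ""
    if url.startswith("ldap://") and (attr("useStartTLS") or "false").lower() != "true":
        findings.append(("resolver-plaintext", f"bind to {url} without StartTLS: the service "
                         "account password crosses the wire in the clear"))
    authn_url = resolve(props.get("idp.authn.LDAP.ldapURL", ""), props)
    authn_tls = resolve(props.get("idp.authn.LDAP.useStartTLS", "false"), props)
    if authn_url.startswith("ldap://") and authn_tls.lower() != "true":
        findings.append(("authn-plaintext", f"user passwords are checked over {authn_url} without StartTLS"))
    return findings
```

audit(PROPS_FROM_POST, CONNECTOR_FROM_POST) returns three findings (resolver-no-bind, resolver-plaintext, authn-plaintext); audit(PROPS_FIXED, CONNECTOR_FIXED) returns none. Two caveats on the posted settings that the script does not check: the post quotes bindDNCredential in clear text on a public list, so that service-account password should be treated as compromised and rotated, and with useStartTLS=false it also travels to localhost:389 in the clear on every bind.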