Shibboleth IdP- configuration with Active Directory

Peter Schober peter.schober at
Tue Dec 4 07:26:30 EST 2018

* vaishali prajapati <vbprajapati39 at> [2018-12-04 08:36]:
> 2018-12-03 17:48:58,285 - INFO
> [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] -
> Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'tanujg'
> succeeded

Note that authentication via LDAP was successful!
The error comes from the attribute lookup after that:

> 2018-12-03 17:48:58,955 - ERROR
> [net.shibboleth.idp.profile.impl.ResolveAttributes:299] - Profile Action
> ResolveAttributes: Error resolving attributes
> net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector
> 'myLDAP': Unable to execute LDAP search
>         at
> net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(
> Caused by: org.ldaptive.LdapException: javax.naming.NamingException: [LDAP:
> error code 1 - 000004DC: LdapErr: DSID-0C090A4C, comment: In order to
> perform this operation a successful bind must be completed on the
> connection., data 0, v3839^@]

> ldap properties :

That's mostly OK, with one exception:

> idp.attribute.resolver.LDAP.returnAttributes    = mail,sn,cn

I'd recommend changing that back, as its intended use is not within
the attribute resolver (see the comment above it in the distributed file).
By changing your resolver to make use of this property all you're
gaining is that you now would have to restart the whole IDP to change
the LDAP attributes you request from the resolver, instead of just
reloading the resolver itself dynamically.

So go back to what dist/conf/ contains for this parameter.

> attribute-resolver dataconnector:
>  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
>         ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
>         baseDN="%{idp.attribute.resolver.LDAP.baseDN}">
>      <dc:FilterTemplate>
> %{idp.attribute.resolver.LDAP.searchFilter}</dc:FilterTemplate>
>  <dc:ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</dc:ReturnAttributes>
>      <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>     </resolver:DataConnector>

Obviously (as a simple comparison with the default/example LDAP
DataConnector will show) you've removed all the XML attributes needed
for a DataConnector that requires authentication.
(As the error message makes clear, you need to bind to the LDAP
directory before performing the attribute lookup.)

So start over by copying the complete DataConnector example in
dist/conf/attribute-resolver-ldap.xml -- yes, the whole thing at the
end -- and you should be good to go. The only change being to remove
the 'trustFile' XML-attribute, as you're using neither LDAP+StartTLS
nor LDAPS.
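As an added example (not the poster's config and not the Shibboleth distribution's own attribute-resolver-ldap.xml), here is the quoted DataConnector with the bind settings that the AD error message is asking for. `principal` and `principalCredential` are the LDAPDirectory attributes that hold the bind account, and `idp.attribute.resolver.LDAP.bindDN` / `idp.attribute.resolver.LDAP.bindDNCredential` are the corresponding ldap.properties keys; it is assumed here that both are defined in conf/ldap.properties. The referral property is carried over from the quoted config, and the attribute list is written into ReturnAttributes directly rather than read from ldap.properties, so that it can be changed with a resolver reload.

```xml
<!-- Added example, not the distributed file. Assumes
     idp.attribute.resolver.LDAP.bindDN and .bindDNCredential are set
     in conf/ldap.properties (a read-only AD service account is enough;
     it only needs to search and read the listed attributes). -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="false">
    <!-- useStartTLS="false" and no trustFile because this deployment
         uses plain ldap://. Note that the bind password then crosses
         the network unencrypted; LDAPS or StartTLS with a trustFile
         pointing at the AD CA certificate is the stronger setting. -->
    <dc:FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </dc:FilterTemplate>
    <!-- Listed here instead of via idp.attribute.resolver.LDAP.returnAttributes,
         so adding an attribute only needs a resolver reload, not an IdP restart. -->
    <dc:ReturnAttributes>mail sn cn</dc:ReturnAttributes>
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>
```

After saving the file, reload just the resolver with `bin/reload-service.sh -id shibboleth.AttributeResolverService` and repeat the login; the `Unable to execute LDAP search` / `successful bind must be completed` error should no longer appear in idp-process.log. If it persists, check the bind account outside the IdP first: an `ldapsearch` against the same URL with `-D` set to the bind DN and the same search filter and base DN shows whether the credentials and search rights are the problem rather than the resolver configuration.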
