Authentication Error
Waqas Ahmed Khan
waqas.ahmed0 at gmail.com
Fri Jul 13 05:22:24 EDT 2018
I have installed Shibboleth IdP and it's working fine with sAMAccountName
for IdP authentication. Now we got the request from management to switch
from using sAMAccountName in authentication to the user's email address.
I made these two changes in ldap.properties:
idp.authn.LDAP.userFilter= (mail={user})
idp.attribute.resolver.LDAP.searchFilter= (mail=$requestContext.principalName)
But I'm getting the error "The password is incorrect". The password is correct and
working fine with sAMAccountName.
*Error in idp-process log:*
2018-07-13 10:16:20,994 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:166] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'testuser@hec.gov.pk' failed
2018-07-13 10:16:30,020 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:166] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by 'testuser@hec.gov.pk' failed
*ldap.properties:*
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator= adAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL= ldap://pern.pk:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout = PT3S
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
#idp.authn.LDAP.trustCertificates= %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore= %{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
idp.authn.LDAP.returnAttributes= passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN= CN=Users, DC=pern, DC=pk
#idp.authn.LDAP.subtreeSearch = false
#idp.authn.LDAP.userFilter= (sAMAccountName={user})
idp.authn.LDAP.userFilter= (mail={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN= administrator@pern.pk
idp.authn.LDAP.bindDNCredential= *****
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=example,dc=org
idp.authn.LDAP.dnFormat= %s@pern.pk
#idp.authn.LDAP.dnFormat= uid=%s,CN=Users,DC=pern,DC=edu,DC=pk
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL= %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout= %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout= %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN= %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN= %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential= %{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates= %{idp.authn.LDAP.trustCertificates:undefined}
#idp.attribute.resolver.LDAP.searchFilter= (sAMAccountName=$resolutionContext.principal)
idp.attribute.resolver.LDAP.searchFilter= (mail=$requestContext.PrincipalName)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
#idp.pool.LDAP.failFastInitialize = false
Thanks,
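The file's own comments say userFilter belongs to search-based DN resolution (anonSearch/bindSearch) while dnFormat belongs to format-based resolution (direct/adAuthenticator). The following added example, which is not IdP code and not part of the post, models that rule: it parses a constructed excerpt of the properties above, resolves the %{key:default} references, and reports which setting actually forms the bind identity for a typed username, so an operator can see which edits the active authenticator will consult.

```python
"""Model of how the IdP password flow picks a bind identity from ldap.properties.
Added illustration, not Shibboleth code; the authenticator-to-setting mapping
follows the comments in the posted file."""
import re

# Constructed excerpt mirroring the properties in the post above.
LDAP_PROPERTIES = """
idp.authn.LDAP.authenticator= adAuthenticator
idp.authn.LDAP.ldapURL= ldap://pern.pk:389
idp.authn.LDAP.baseDN= CN=Users, DC=pern, DC=pk
idp.authn.LDAP.userFilter= (mail={user})
idp.authn.LDAP.dnFormat= %s@pern.pk
idp.attribute.resolver.LDAP.ldapURL= %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS= %{idp.authn.LDAP.useStartTLS:true}
"""

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")  # %{key} or %{key:default}


def parse_properties(text):
    """Parse key=value lines, skip comments, resolve %{key:default} references."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()

    def resolve(value):
        # Missing key with no default resolves to an empty string.
        return PLACEHOLDER.sub(lambda m: resolve(props.get(m.group(1), m.group(2) or "")), value)

    return {k: resolve(v) for k, v in props.items()}


def bind_identity(props, typed_username):
    """Return (setting used, identity the IdP binds as) for the configured authenticator."""
    auth = props["idp.authn.LDAP.authenticator"]
    if auth in ("directAuthenticator", "adAuthenticator"):
        # Format DN resolution: dnFormat is applied to the raw input; userFilter is not consulted.
        return "dnFormat", props["idp.authn.LDAP.dnFormat"].replace("%s", typed_username)
    if auth in ("anonSearchAuthenticator", "bindSearchAuthenticator"):
        # Search DN resolution: userFilter locates the entry whose DN is then bound.
        return "userFilter", props["idp.authn.LDAP.userFilter"].replace("{user}", typed_username)
    raise ValueError(f"unknown authenticator {auth!r}")


def unused_settings(props):
    """DN-resolution settings present in the file that the active authenticator ignores."""
    used, _ = bind_identity(props, "x")
    ignored = "idp.authn.LDAP.userFilter" if used == "dnFormat" else "idp.authn.LDAP.dnFormat"
    return [ignored] if ignored in props else []
```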