IdP to LDAP StartTLS

Organic_Iowa spencer.babcock at enseva.com
Thu Mar 22 14:14:33 EDT 2018


Hello,

Packet capture on my OpenLDAP server shows my bindDN in cleartext when
jetty+shibboleth starts, as well as profile attributes when shibboleth is
authenticating a user.

*ldap.properties:*

idp.authn.LDAP.ldapURL                          = ldap://ldap.domain:389
idp.authn.LDAP.useStartTLS                     = true
idp.authn.LDAP.useSSL                          = false

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
#idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldapcert.pem
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/cacert.pem
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore
#idp.authn.LDAP.trustStore                       = /etc/pki/ca-trust/extracted/java


*attribute resolver:*

    <AttributeDefinition id="mail" sourceAttributeID="mail" xsi:type="Simple">
        <Dependency ref="myLDAP" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </AttributeDefinition>

    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
        <FilterTemplate>

        </FilterTemplate>
        <StartTLSTrustCredential id="LDAPtoIdPCredential" xsi:type="security:X509ResourceBacked"
            xmlns:security="urn:mace:shibboleth:2.0:security">
            <security:Certificate>/opt/shibboleth-idp/credentials/cacert.pem</security:Certificate>
        </StartTLSTrustCredential>
        <StartTLSAuthenticationCredential id="ldapcert" xsi:type="security:X509ResourceBacked"
            xmlns:security="urn:mace:shibboleth:2.0:security">
            <security:PrivateKey>/opt/shibboleth-idp/credentials/ldapkey.pem</security:PrivateKey>
            <security:Certificate>/opt/shibboleth-idp/credentials/ldapcert.pem</security:Certificate>
        </StartTLSAuthenticationCredential>
    </DataConnector>


I have tried several combinations with Java truststores, JVM and
certificate trust, so I feel insanity creeping in. Sanity checking myself, I
cleared everything and configured Moodle for TLS against my OpenLDAP. I did
this by uploading my custom CA into openssl's ca-trust, configuring the
LDAP plugin for ldap://ldap.domain and clicking on StartTLS. Super easy, and
packet capture showed encrypted packets. I tried to mimic this process on my
Shibboleth+Jetty server in both /jdk/security/cert and my Jetty keystore
(which is storing the web server SSL cert), though no dice.
Turning on TLS enforcement on OpenLDAP throws an error and 503s Shibboleth
(expected if it is not encrypting with TLS), but Moodle continued to
function normally.

Within the packet capture there is a packet which shows normal details about
the cert, but around that packet with "OpenSSL.Generated.Certificate" are
packets in cleartext.

Everything seems to be "on", but I still do not have encryption. Thanks for
your help.



--
Sent from: http://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
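Added example, not from the post or from the Shibboleth project: a small Python probe that sends the RFC 4511 StartTLS extended request to the LDAP server and only then wraps the socket in TLS, so the server side can be checked from the IdP host, with the same CA file, before any bind DN or password crosses the wire. The sample responses are constructed, and the host, port and cafile arguments are assumed to match the poster's ldap.domain and cacert.pem.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"  # RFC 4511 StartTLS extended operation OID
# Constructed sample replies (not captured from any real server): success, then refusal.
SAMPLE_OK_RESPONSE = bytes.fromhex("300c02010178070a010004000400")       # resultCode 0
SAMPLE_REFUSED_RESPONSE = bytes.fromhex("300c02010178070a010104000400")  # resultCode 1

def ber_len(n):
    """Short-form BER length; the StartTLS request is far below 128 bytes."""
    assert n < 0x80, "short-form length only"
    return bytes([n])

def starttls_request(message_id=1):
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    name = b"\x80" + ber_len(len(STARTTLS_OID)) + STARTTLS_OID  # [0] LDAPOID
    ext_req = b"\x77" + ber_len(len(name)) + name               # [APPLICATION 23]
    msg_id = b"\x02\x01" + bytes([message_id])                  # INTEGER messageID
    return b"\x30" + ber_len(len(msg_id) + len(ext_req)) + msg_id + ext_req

def read_tlv(buf, pos=0):
    """Decode one BER TLV at pos (short or long length); return (tag, value, next pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[pos:pos + length], pos + length

def starttls_result_code(response):
    """Return resultCode from a StartTLS ExtendedResponse (0 means TLS may start)."""
    _, body, _ = read_tlv(response)            # outer LDAPMessage SEQUENCE
    _, _, pos = read_tlv(body)                 # skip messageID
    tag, ext, _ = read_tlv(body, pos)
    if tag != 0x78:                            # [APPLICATION 24] ExtendedResponse
        raise ValueError("unexpected protocolOp tag 0x%02x" % tag)
    _, code, _ = read_tlv(ext)                 # ENUMERATED resultCode comes first
    return int.from_bytes(code, "big")

def probe(host, port=389, cafile=None):
    """Live check (needs network): request StartTLS, then report the negotiated TLS."""
    ctx = ssl.create_default_context(cafile=cafile)
    raw = socket.create_connection((host, port), timeout=10)
    raw.sendall(starttls_request())
    code = starttls_result_code(raw.recv(4096))
    if code != 0:
        raise RuntimeError("server refused StartTLS, resultCode %d" % code)
    with ctx.wrap_socket(raw, server_hostname=host) as tls:
        return tls.version(), tls.cipher()[0]
```

If `probe("ldap.domain", cafile="/opt/shibboleth-idp/credentials/cacert.pem")` fails on the certificate, the IdP's certificateTrust will fail for the same reason; if it succeeds, the remaining cleartext traffic is coming from a connection that never sent this request.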
