IdP 3.4.3 attribute-resolver.xml LDAP DataConnector errors

Glanville, Peter C. pcglanville at nsu.edu
Wed Apr 10 09:49:24 EDT 2019


I am setting up my LDAP DataConnector using the attribute-resolver-ldap.xml as my template.

I have not edited the attribute-resolver.xml except to add the DataConnector item.

Below are the settings in my ldap.properties which I have verified work with my test SP, we just aren't passing attributes yet:
idp.authn.LDAP.authenticator = adAuthenticator
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.ldapURL = ldaps://snsudc05.nsu.edu
idp.authn.LDAP.sslConfig = jvmTrust
idp.authn.LDAP.returnAttributes = *
idp.authn.LDAP.userFilter = (sAMAccountName={user})

This is the DataConnector in my attribute-resolver.xml :

<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
    <LDAPProperty name="java.naming.referral" value="follow"/>
</DataConnector>


The issue I have right now is that on start up I am getting an LDAP Pool Error with these properties:

2019-04-10 09:18:12,636 -  - ERROR [org.ldaptive.pool.BlockingConnectionPool:509] - [org.ldaptive.pool.BlockingConnectionPool at 1689743775::name=resolver-pool, poolConfig=[org.ldaptive.pool.PoolConfig at 1095465052::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300, validateTimeout=5000], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator at 1340123681::searchRequest=[org.ldaptive.SearchRequest at 697827740::baseDn=, searchFilter=[org.ldaptive.SearchFilter at 1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy at 946350149::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory at 1922251979::provider=org.ldaptive.provider.unboundid.UnboundIDProvider at 730e663a, config=[org.ldaptive.ConnectionConfig at 1806329661::ldapUrl=ldaps://snsudc05.nsu.edu, connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig at 306910057::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2 at 22bd6b0a, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 571704265::bindDn=LDAPShibTest at nsu.edu, bindSaslConfig=null, bindControls=null]]], initialized=true, availableCount=0, activeCount=0] unable to connect to the ldap
org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v1db1 ', ldapSDKVersion=4.0.9, revision=29290)

When I was spinning up the LDAP connection originally, I had to set my useSSL to true and startTLS to false as seen in the ldap.properties file along with the keystore to pull the certificates from.

Looking in the LDAPConnector properties of the Data Connector Configuration page https://wiki.shibboleth.net/confluence/display/IDP30/LDAPConnector there does not seem to be a way to specify this for the LDAP DataConnector.

What would be the correct way of going about this?

Thank you,



Peter Glanville
Enterprise Infrastructure Manager
Office of Information Technology
Marie V. McDemmond Center for Applied Research
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
(757) 823-8098 (Office)
(757) 823-2128 (Fax)
pcglanville at nsu.edu
www.nsu.edu
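As an added example (not part of the original post, and not IdP or ldaptive code), a small Python triage helper that parses ldaptive pool-error lines of the shape shown above: it picks out the connection settings the resolver actually used (ldapUrl, useSSL, useStartTLS, bindDn) and decodes the Active Directory sub-code carried in the diagnosticMessage of a resultCode=49 bind failure. The two sample log lines are constructed to match that format; the hostnames and bind account in them are placeholders.

```python
import re

# Well-known Active Directory sub-codes that accompany LDAP resultCode 49
# ("AcceptSecurityContext error, data NNN"); each points to a different cause.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bad password or wrong bind DN)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

LDAPTIVE_EXC = re.compile(
    r"LDAPException\(resultCode=(?P<code>\d+) \((?P<name>[^)]*)\)"
    r".*?diagnosticMessage='(?P<diag>[^']*)'"
)
AD_DATA = re.compile(r"\bdata (?P<sub>[0-9a-fA-F]{3})\b")
# Connection settings ldaptive prints inside the BlockingConnectionPool ERROR line.
CONN_FIELDS = re.compile(r"\b(ldapUrl|useSSL|useStartTLS|bindDn)=([^,\]]*)")

SAMPLE_POOL_LINE = (  # constructed, abbreviated to the fields this helper reads
    "2019-04-10 09:18:12,636 - - ERROR [org.ldaptive.pool.BlockingConnectionPool:509] - "
    "[... config=[org.ldaptive.ConnectionConfig@1::ldapUrl=ldaps://dc.example.test, "
    "connectTimeout=3000, responseTimeout=3000, sslConfig=[...], useSSL=false, "
    "useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@2::"
    "bindDn=svc-idp@example.test, bindSaslConfig=null, bindControls=null]]] unable to connect to the ldap"
)
SAMPLE_EXC_LINE = (  # constructed to match the ldaptive/AD message format
    "org.ldaptive.LdapException: LDAPException(resultCode=49 (invalid credentials), "
    "diagnosticMessage='80090308: LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext error, "
    "data 52e, v1db1 ', ldapSDKVersion=4.0.9, revision=29290)"
)

def parse_ldaptive_error(line):
    """Return a dict describing an ldaptive LDAPException line, or None if absent."""
    m = LDAPTIVE_EXC.search(line)
    if not m:
        return None
    info = {"result_code": int(m.group("code")), "result_name": m.group("name"),
            "ad_subcode": None, "cause": None}
    sub = AD_DATA.search(m.group("diag"))
    if sub:  # only AD emits the "data NNN" sub-code; other servers give none
        info["ad_subcode"] = sub.group("sub").lower()
        info["cause"] = AD_BIND_SUBCODES.get(info["ad_subcode"], "unknown AD sub-code")
    return info

def parse_pool_settings(line):
    """Pick the effective connection settings out of the pool ERROR line."""
    return {k: v.strip() for k, v in CONN_FIELDS.findall(line)}

def triage(lines):
    """Summarise a block of IdP log lines: settings used plus the decoded failure."""
    settings, failure = {}, None
    for line in lines:
        settings.update(parse_pool_settings(line))
        failure = parse_ldaptive_error(line) or failure
    return {"settings": settings, "failure": failure}
```

Run `triage(open("idp-process.log").read().splitlines())` against a real log to see, side by side, the URL/TLS settings the resolver pool was built with and whether the bind itself (rather than the TLS layer) was what the directory rejected.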
