IdP 3.4.3 attribute-resolver.xml LDAP DataConnector errors
Glanville, Peter C.
pcglanville at nsu.edu
Wed Apr 10 10:32:59 EDT 2019
Well let me back up here.
If I leave the attribute-resolver.xml defaulted, my LDAP configuration does authenticate with my AD server and returns at least a "yes this account exists" with the BindDN and BindDNCredential.
However, when using the dataconnector for the attributes, there are a lot of LDAP variables that don't seem to carry over. For example:
idp.authn.LDAP.useSSL
idp.authn.LDAP.sslConfig
(Which per Scott I get because this is "supported" by the library but not something we should be doing. And honestly I am planning to use some variation on openLDAP to disambiguate AD from this in the future for dependency reasons.)
But also
idp.authn.LDAP.dnFormat (which in this case is being used so that my bindDN can just be sAMAccountName@domain.org instead of the complete DN.)
If this is also something that is not recommended, I totally get that and will get it going in the most generalized LDAP way I can.
Peter Glanville
Enterprise Infrastructure Manager
Office of Information Technology
Marie V. McDemmond Center for Applied Research
555 Park Avenue, Suite 401
Norfolk, Virginia 23504
(757) 823-8098 (Office)
(757) 823-2128 (Fax)
pcglanville at nsu.edu
www.nsu.edu
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Peter Schober
Sent: Wednesday, April 10, 2019 10:22 AM
To: users at shibboleth.net
Subject: Re: IdP 3.4.3 attribute-resolver.xml LDAP DataConnector errors
* Peter Schober <peter.schober at univie.ac.at> [2019-04-10 16:17]:
> * Glanville, Peter C. <pcglanville at nsu.edu> [2019-04-10 15:50]:
> > resultCode=49 (invalid credentials), diagnosticMessage='80090308:
> > LdapErr: DSID-0C0903A8, comment: AcceptSecurityContext
>
> The actual error you're getting here means "wrong DN/password", though.
> Plus whatever details M$ adds there in the diagnosticMessage stuff.
> Did you look those up?
I failed to include one of the relevant bits when quoting above:
According to random web search results[1] the "52e" bit of the error message you got means the username/DN is valid, but the password is wrong.
So AFAICT this has nothing to do with even resolving attributes, yet.
-peter
[1] https://ldapwiki.com/wiki/Common%20Active%20Directory%20Bind%20Errors
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
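The reply above makes two points that are easy to check mechanically: the `resultCode=49` failure carries an AD-specific `data` code in its diagnosticMessage (here `52e`, i.e. the bind identity is valid but the password is wrong), and the DataConnector does not apply `idp.authn.LDAP.dnFormat`, so whatever goes into its bindDN has to already be the complete bind identity (a full DN or a UPN such as sAMAccountName@domain.org). The following Python is an added example, not code from the thread or from the Shibboleth project; the log line it parses is constructed to resemble the one quoted above (the `, v2580` tail and the surrounding log text are made up), and the data-code table lists the widely documented AD bind codes.

```python
import re

# Well-known "data NNN" codes Active Directory places in the diagnosticMessage
# of a failed simple bind (LDAP resultCode 49). Defender-facing meanings only.
AD_BIND_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind identity is valid, password is wrong)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Shape of the AD diagnosticMessage: "<hresult>: LdapErr: DSID-<id>, comment: <text>, data <code>, v<ver>"
_DIAG_RE = re.compile(
    r"(?P<hresult>[0-9A-Fa-f]{8}):\s*LdapErr:\s*DSID-(?P<dsid>[0-9A-Fa-f]+),"
    r"\s*comment:\s*(?P<comment>[^,]+),\s*data\s+(?P<data>[0-9A-Fa-f]+)"
)

# Pulls resultCode and the quoted diagnosticMessage out of an IdP log line.
_LOG_RE = re.compile(r"resultCode=(?P<code>\d+)[^']*diagnosticMessage='(?P<diag>[^']*)'")

# Constructed sample log line modelled on the one quoted in the thread.
SAMPLE_LOG_LINE = (
    "2019-04-10 10:22:00,000 - ERROR [LDAPDataConnector:?] - Unable to execute search: "
    "resultCode=49 (invalid credentials), diagnosticMessage='80090308: LdapErr: "
    "DSID-0C0903A8, comment: AcceptSecurityContext error, data 52e, v2580'"
)


def parse_ad_bind_error(diagnostic_message):
    """Decode an AD bind diagnosticMessage; returns a dict or None if it does not match."""
    m = _DIAG_RE.search(diagnostic_message)
    if not m:
        return None
    data = m.group("data").lower()
    return {
        "hresult": m.group("hresult").upper(),
        "dsid": m.group("dsid").upper(),
        "comment": m.group("comment").strip(),
        "data": data,
        "meaning": AD_BIND_DATA_CODES.get(data, "unknown data code"),
    }


def diagnose_log_line(line):
    """Extract resultCode and the decoded AD error from an IdP log line, or None."""
    m = _LOG_RE.search(line)
    if not m:
        return None
    return {"resultCode": int(m.group("code")), "ad": parse_ad_bind_error(m.group("diag"))}


def classify_bind_identity(bind_dn):
    """Classify the form of a bindDN value: 'dn', 'upn', 'netbios' or 'bare'.

    Only 'dn' and 'upn' are complete bind identities for AD; 'bare' is a lone
    sAMAccountName that only works where dnFormat is applied (the authn flow),
    which the DataConnector does not do.
    """
    s = bind_dn.strip()
    if re.match(r"^[A-Za-z][A-Za-z0-9-]*=", s):
        return "dn"
    if re.match(r"^[^@\s]+@[^@\s]+$", s):
        return "upn"
    if re.match(r"^[^\\\s]+\\[^\\\s]+$", s):
        return "netbios"
    return "bare"


if __name__ == "__main__":
    print(diagnose_log_line(SAMPLE_LOG_LINE))
    for candidate in ("svc-idp", "svc-idp@domain.org", "CN=svc-idp,OU=Service Accounts,DC=domain,DC=org"):
        print(candidate, "->", classify_bind_identity(candidate))
```

Run against the IdP's `idp-process.log`, the decoder separates "wrong password" (`52e`) from "account locked" or "disabled" conditions that look identical at the resultCode level, which is the distinction that decides whether the fix is the credential or the account; the identity classifier is the pre-flight check that the resolver's bindDN is not a bare sAMAccountName that only ever worked because dnFormat was expanding it.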