Trying to add an additional LDAP server, getting error when trying to authenticate

Cody Carmichael ccarmichael at voalte.com
Tue Apr 16 10:26:21 EDT 2019


I originally had Shibboleth (version 3.4.3) set up with an AD LDAP server
and it worked fine. Now I'm trying to add an additional LDAP server which
is RHDS. Here is part of the error from the log when I attempt to
authenticate with a user against the original AD server (I tried to include
the whole error but the message was too big):

2019-04-16 13:16:23,815 - ERROR [net.shibboleth.idp.authn:-2] - Uncaught runtime exception
org.springframework.binding.expression.EvaluationException: An ELException occurred getting the value for expression 'ValidateUsernamePassword' on context [class org.springframework.webflow.engine.impl.RequestControlContextImpl]
        at org.springframework.binding.expression.spel.SpringELExpression.getValue(SpringELExpression.java:94)
Caused by: org.springframework.expression.spel.SpelEvaluationException: EL1021E: A problem occurred whilst attempting to access the property 'ValidateUsernamePassword': 'Error creating bean with name 'ValidateUsernamePasswordAgainstLDAP' defined in file [/opt/shibboleth-idp/system/flows/authn/password-authn-beans.xml]: Cannot resolve reference to bean 'shibboleth.authn.LDAP.authenticator' while setting bean property 'authenticator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aggregateAuthenticator' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'aggregateAuthHandler' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aggregateAuthHandler' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'authHandlers' while setting bean property 'authenticationHandlers'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authHandlers': Cannot resolve reference to bean 'authHandler1' while setting bean property 'sourceMap' with key [TypedStringValue: value [directory1], target type [null]]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authHandler1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindPooledConnectionFactory1' while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindPooledConnectionFactory1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionPool1' while setting bean property 'connectionPool'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionPool1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionFactory1' while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionFactory1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionConfig1' while setting bean property 'connectionConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionConfig1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'long' for property 'connectTimeout'; nested exception is java.lang.NumberFormatException: For input string: "PT5S"'
        at org.springframework.expression.spel.ast.PropertyOrFieldReference.readProperty(PropertyOrFieldReference.java:221)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'ValidateUsernamePasswordAgainstLDAP' defined in file [/opt/shibboleth-idp/system/flows/authn/password-authn-beans.xml]: Cannot resolve reference to bean 'shibboleth.authn.LDAP.authenticator' while setting bean property 'authenticator'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aggregateAuthenticator' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'aggregateAuthHandler' while setting constructor argument; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'aggregateAuthHandler' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'authHandlers' while setting bean property 'authenticationHandlers'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authHandlers': Cannot resolve reference to bean 'authHandler1' while setting bean property 'sourceMap' with key [TypedStringValue: value [directory1], target type [null]]; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'authHandler1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindPooledConnectionFactory1' while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindPooledConnectionFactory1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionPool1' while setting bean property 'connectionPool'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionPool1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionFactory1' while setting bean property 'connectionFactory'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionFactory1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Cannot resolve reference to bean 'bindConnectionConfig1' while setting bean property 'connectionConfig'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'bindConnectionConfig1' defined in file [/opt/shibboleth-idp/conf/authn/ldap-authn-config.xml]: Initialization of bean failed; nested exception is org.springframework.beans.TypeMismatchException: Failed to convert property value of type 'java.lang.String' to required type 'long' for property 'connectTimeout'; nested exception is java.lang.NumberFormatException: For input string: "PT5S"
        at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveReference(BeanDefinitionValueResolver.java:359)



There were more "Error creating bean with name" messages similar to the
above. Here is my ldap-authn-config.xml file which I based on the example
given in the LDAPAuthnConfiguration wiki page:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:context="http://www.springframework.org/schema/context"
       xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p" xmlns:c="http://www.springframework.org/schema/c"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
       default-init-method="initialize"
       default-destroy-method="destroy"
       default-lazy-init="true">

    <!--
    <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />

    <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
        <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
    </bean>
    -->

    <bean id="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
          c:resolver-ref="aggregateDnResolver"
          c:handler-ref="aggregateAuthHandler" />

    <!-- Aggregate DN resolution -->
    <bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver"
          c:resolvers-ref="dnResolvers"
          p:allowMultipleDns="true" />

    <util:map id="dnResolvers">
        <entry key="directory1" value-ref="bindSearchDnResolver1" />
        <entry key="directory2" value-ref="bindSearchDnResolver2" />
    </util:map>

    <alias name="%{idp.authn.LDAP.authenticator:anonSearchAuthenticator}" alias="shibboleth.authn.LDAP.authenticator" />

    <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
        <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
    </bean>

    <alias name="ValidateUsernamePasswordAgainstLDAP" alias="ValidateUsernamePassword" />

    <!-- DN Resolver 1 (Active Directory) -->
    <bean id="bindSearchDnResolver1" class="org.ldaptive.auth.PooledSearchDnResolver"
          p:baseDn="#{'%{idp.authn.LDAP.baseDN1:undefined}'.trim()}"
          p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
          p:userFilter="#{'%{idp.authn.LDAP.userFilter1:undefined}'.trim()}"
          p:connectionFactory-ref="bindSearchPooledConnectionFactory" />

    <bean id="bindSearchPooledConnectionFactory1" class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="bindSearchConnectionPool1" />

    <bean id="bindSearchConnectionPool1" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool1"
          p:connectionFactory-ref="bindSearchConnectionFactory1"
          p:name="search-pool1" />

    <bean id="bindSearchConnectionFactory1" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindSearchConnectionConfig1" />

    <bean id="bindSearchConnectionConfig1" parent="connectionConfig1"
          p:connectionInitializer-ref="bindConnectionInitializer1"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL1}" />

    <bean id="bindConnectionInitializer1" class="org.ldaptive.BindConnectionInitializer"
          p:bindDn="#{'%{idp.authn.LDAP.bindDN1:undefined}'.trim()}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential" c:password="%{idp.authn.LDAP.bindDNCredential1:undefined}" />
        </property>
    </bean>

    <!-- DN resolver 2 (RHDS) -->
    <bean id="bindSearchDnResolver2" class="org.ldaptive.auth.PooledSearchDnResolver"
          p:baseDn="#{'%{idp.authn.LDAP.baseDN2:undefined}'.trim()}"
          p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}"
          p:userFilter="#{'%{idp.authn.LDAP.userFilter2:undefined}'.trim()}"
          p:connectionFactory-ref="bindSearchPooledConnectionFactory" />

    <bean id="bindSearchPooledConnectionFactory2" class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="bindSearchConnectionPool2" />

    <bean id="bindSearchConnectionPool2" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool2"
          p:connectionFactory-ref="bindSearchConnectionFactory2"
          p:name="search-pool2" />

    <bean id="bindSearchConnectionFactory2" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindSearchConnectionConfig2" />

    <bean id="bindSearchConnectionConfig2" parent="connectionConfig2"
          p:connectionInitializer-ref="bindConnectionInitializer2"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL2}" />

    <bean id="bindConnectionInitializer2" class="org.ldaptive.BindConnectionInitializer"
          p:bindDn="#{'%{idp.authn.LDAP.bindDN2:undefined}'.trim()}">
        <property name="bindCredential">
            <bean class="org.ldaptive.Credential" c:password="%{idp.authn.LDAP.bindDNCredential2:undefined}" />
        </property>
    </bean>

    <!-- Aggregate authentication -->
    <bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateDnResolver$AuthenticationHandler"
          p:authenticationHandlers-ref="authHandlers" />

    <util:map id="authHandlers">
        <entry key="directory1" value-ref="authHandler1" />
        <entry key="directory2" value-ref="authHandler2" />
    </util:map>

    <!-- Authentication handler 1 -->
    <bean id="authHandler1" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
          p:connectionFactory-ref="bindPooledConnectionFactory1" />

    <bean id="bindPooledConnectionFactory1" class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="bindConnectionPool1" />

    <bean id="bindConnectionPool1" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool1"
          p:connectionFactory-ref="bindConnectionFactory1"
          p:name="bind-pool1" />

    <bean id="bindConnectionFactory1" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindConnectionConfig1" />

    <bean id="bindConnectionConfig1" parent="connectionConfig1"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL1}" />

    <!-- Authentication handler 2 -->
    <bean id="authHandler2" class="org.ldaptive.auth.PooledBindAuthenticationHandler"
          p:connectionFactory-ref="bindPooledConnectionFactory2" />

    <bean id="bindPooledConnectionFactory2" class="org.ldaptive.pool.PooledConnectionFactory"
          p:connectionPool-ref="bindConnectionPool2" />

    <bean id="bindConnectionPool2" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool2"
          p:connectionFactory-ref="bindConnectionFactory2"
          p:name="bind-pool2" />

    <bean id="bindConnectionFactory2" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindConnectionConfig2" />

    <bean id="bindConnectionConfig2" parent="connectionConfig2"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL2}" />

    <!-- Pool Configuration 1 -->
    <bean id="connectionConfig1" class="org.ldaptive.ConnectionConfig" abstract="true"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL1:undefined}"
          p:useStartTLS="%{idp.authn.LDAP.useStartTLS1:true}"
          p:useSSL="%{idp.authn.LDAP.useSSL1:false}"
          p:connectTimeout="%{idp.authn.LDAP.connectTimeout1:3000}"
          p:sslConfig-ref="sslConfig1" />

    <bean id="connectionPool1" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
          p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime.1:3000}"
          p:poolConfig-ref="poolConfig1"
          p:pruneStrategy-ref="pruneStrategy1"
          p:validator-ref="searchValidator"
          p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />

    <bean id="poolConfig1" class="org.ldaptive.pool.PoolConfig"
          p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
          p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
          p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
          p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
          p:validatePeriod="%{idp.pool.LDAP.validatePeriod:300}" />

    <bean id="pruneStrategy1" class="org.ldaptive.pool.IdlePruneStrategy"
          p:prunePeriod="%{idp.pool.LDAP.prunePeriod:300}"
          p:idleTime="%{idp.pool.LDAP.idleTime:600}" />

    <bean id="searchValidator" class="org.ldaptive.pool.SearchValidator" />

    <!-- Pool Configuration 2 -->
    <bean id="connectionConfig2" class="org.ldaptive.ConnectionConfig" abstract="true"
          p:ldapUrl="%{idp.authn.LDAP.ldapURL2:undefined}"
          p:useStartTLS="%{idp.authn.LDAP.useStartTLS:true}"
          p:useSSL="%{idp.authn.LDAP.useSSL:false}"
          p:connectTimeout="%{idp.authn.LDAP.connectTimeout2:3000}"
          p:sslConfig-ref="sslConfig2" />

    <bean id="connectionPool2" class="org.ldaptive.pool.BlockingConnectionPool" abstract="true"
          p:blockWaitTime="%{idp.pool.LDAP.blockWaitTime:3000}"
          p:poolConfig-ref="poolConfig2"
          p:pruneStrategy-ref="pruneStrategy2"
          p:validator-ref="searchValidator2"
          p:failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />

    <bean id="poolConfig2" class="org.ldaptive.pool.PoolConfig"
          p:minPoolSize="%{idp.pool.LDAP.minSize:3}"
          p:maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
          p:validateOnCheckOut="%{idp.pool.LDAP.validateOnCheckout:false}"
          p:validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
          p:validatePeriod="%{idp.pool.LDAP.validatePeriod:300}" />

    <bean id="pruneStrategy2" class="org.ldaptive.pool.IdlePruneStrategy"
          p:prunePeriod="%{idp.pool.LDAP.prunePeriod:300}"
          p:idleTime="%{idp.pool.LDAP.idleTime:600}" />

    <bean id="searchValidator2" class="org.ldaptive.pool.SearchValidator" />

</beans>



I'm not clear on what the root error is from the log. It seems like this is
the result of a typo somewhere or trailing whitespace, but I'm not seeing
it. Is there something else more obvious that I'm missing?
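As an added example (not part of the original post, and not Shibboleth or ldaptive code), the following Python script performs the two checks a reviewer would run over a bean file like the one above before restarting the IdP: it flags every -ref, parent and alias target that no bean in the file defines, and it resolves %{key:default} placeholders against a properties file and flags a p:connectTimeout value that Spring cannot turn into a Java long, which is exactly what the NumberFormatException: For input string: "PT5S" in the log reports. Two things are visible in the posted file itself: both DN resolvers point at bindSearchPooledConnectionFactory while the beans are named bindSearchPooledConnectionFactory1 and bindSearchPooledConnectionFactory2, and sslConfig1/sslConfig2 are not defined anywhere in the file (they may well be defined in another IdP configuration file, which is why the script takes a known_external list rather than reporting every unknown name as an error). The sample XML and ldap.properties fragment inside the script are constructed, reduced versions, not the poster's files; since the XML default for connectTimeout1 is 3000, the string PT5S must have been supplied by a property value, and the constructed fragment assumes that.

```python
# Added example: lint a Spring beans file of the kind posted above for dangling
# bean references and for p:connectTimeout values Spring cannot convert to a long.
import re
import xml.etree.ElementTree as ET

P_NS = "{http://www.springframework.org/schema/p}"
PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")                     # %{key} or %{key:default}
ISO_TIME = re.compile(r"^PT(?:(\d+)H)?(?:(\d+)M)?(?:(\d+(?:\.\d+)?)S)?$")  # PT5S, PT1M30S, ...

def parse_properties(text):
    """Minimal 'key = value' parser for an IdP-style .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(value, props):
    """Expand %{key:default}; an unknown key with no default is left untouched."""
    def sub(m):
        key, default = m.group(1), m.group(2)
        return props.get(key, m.group(0) if default is None else default)
    return PLACEHOLDER.sub(sub, value)

def iso_time_to_millis(value):
    """Milliseconds for a PTnHnMnS duration string, or None if it is not one."""
    m = ISO_TIME.match(value)
    if not m or not any(m.groups()):
        return None
    h, mi, s = m.groups()
    return int(round((int(h or 0) * 3600 + int(mi or 0) * 60 + float(s or 0)) * 1000))

def lint_beans(xml_text, props, long_props=("connectTimeout",), known_external=()):
    """Return findings: references to beans the file never defines, and p: attributes
    named in long_props (Spring must convert them to a Java long) whose resolved value
    is not an integer. Beans defined in other IdP files go in known_external."""
    defined, refs, longs = set(known_external), [], []

    def walk(el, owner):
        tag = el.tag.split("}")[-1]
        if el.get("id"):
            owner = el.get("id")
            defined.add(owner)
        if tag == "alias":                      # <alias name="target" alias="new-name"/>
            defined.add(el.get("alias"))
            refs.append((owner, resolve(el.get("name"), props)))
        for attr, raw in el.attrib.items():
            local = attr.split("}")[-1]         # strip the p:/c: namespace prefix
            value = resolve(raw, props)
            if (local.endswith("-ref") or local == "parent"
                    or (tag in ("ref", "property", "constructor-arg") and local in ("bean", "ref"))):
                refs.append((owner, value))
            elif attr == P_NS + local and local in long_props:
                longs.append((owner, local, value))
        for child in el:
            walk(child, owner)

    walk(ET.fromstring(xml_text), "<top-level>")
    findings = [f"{owner}: reference to undefined bean '{target}'"
                for owner, target in refs if target not in defined]
    for owner, prop, value in longs:
        if not value.lstrip("-").isdigit():
            ms = iso_time_to_millis(value)
            hint = f" (ISO-8601 duration = {ms} ms)" if ms is not None else ""
            findings.append(f"{owner}: {prop}='{value}' is not a long{hint}")
    return findings

# Constructed, reduced sample modelled on the posted file (not the poster's file):
# one connection-factory reference lacks its trailing "1", sslConfig1 is not
# defined here, and connectTimeout is filled from a property placeholder.
SAMPLE_XML = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:util="http://www.springframework.org/schema/util"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:c="http://www.springframework.org/schema/c">
    <alias name="%{idp.authn.LDAP.authenticator:aggregateAuthenticator}"
           alias="shibboleth.authn.LDAP.authenticator" />
    <bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
        <constructor-arg type="java.lang.String" value="%{idp.authn.LDAP.returnAttributes:1.1}" />
    </bean>
    <bean id="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator"
          c:resolver-ref="aggregateDnResolver" />
    <bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver"
          c:resolvers-ref="dnResolvers" p:allowMultipleDns="true" />
    <util:map id="dnResolvers"><entry key="directory1" value-ref="bindSearchDnResolver1" /></util:map>
    <bean id="bindSearchDnResolver1" class="org.ldaptive.auth.PooledSearchDnResolver"
          p:connectionFactory-ref="bindSearchConnectionFactory" />
    <bean id="bindSearchConnectionFactory1" class="org.ldaptive.DefaultConnectionFactory"
          p:connectionConfig-ref="bindConnectionConfig1" />
    <bean id="bindConnectionConfig1" parent="connectionConfig1" p:ldapUrl="%{idp.authn.LDAP.ldapURL1}" />
    <bean id="connectionConfig1" class="org.ldaptive.ConnectionConfig" abstract="true"
          p:connectTimeout="%{idp.authn.LDAP.connectTimeout1:3000}" p:sslConfig-ref="sslConfig1" />
</beans>"""

# Constructed ldap.properties fragment: the real one is not in the post, but since
# the XML default is 3000, the "PT5S" in the log must have come from a property.
SAMPLE_PROPS = """
idp.authn.LDAP.connectTimeout1 = PT5S
"""

def run(known_external=("shibboleth.CommaDelimStringArray",)):
    """Lint the sample; without known_external the IdP-provided parent bean is reported too."""
    return lint_beans(SAMPLE_XML, parse_properties(SAMPLE_PROPS), known_external=known_external)

if __name__ == "__main__":
    for finding in run():
        print(finding)
```

On the constructed sample the script reports the dangling bindSearchConnectionFactory reference, the undefined sslConfig1, and connectTimeout='PT5S' with its 5000 ms equivalent; drop known_external and the parent bean shibboleth.CommaDelimStringArray is reported as well, which is the false positive to expect whenever a file leans on beans the IdP defines elsewhere. The millisecond figure is plain arithmetic on the duration string: the log states that this property requires a long, so a value Spring can parse as one is what the bean accepts, and the hint gives the number to compare against the file's own 3000 default. Because Spring builds lazily-initialised beans only when first referenced, a dangling reference in a DN resolver does not show up until an authentication attempt reaches that bean, so running a check like this against the file catches it earlier than the log does.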