AD Bind Credentials
Christopher Bland
chris at fdu.edu
Thu Nov 14 13:57:07 EST 2019
Hi All,
My AD guys are restructuring OUs and user placement, which is going to affect my AD service account. At present I am running IDP v3.4.4 using a JAAS config going against AD. Following the directions when I set this up earlier in the year, I set the following values:
jaas.config
bindDn = "Service Account DistinguishedName"
ldap.properties
idp.authn.LDAP.bindDN = "Service Account DistinguishedName"
idp.authn.LDAP.bindDN
idp.authn.LDAP.bindDN = "Service Account DistinguishedName"
In an effort not to have to make these changes in the future, I switched the bindDN value to the UPN value of my AD service account, and things seem to work during testing on my dev IDP. Since the value is supposed to be a DN, I am wondering what other admins have done?
My second question: in my ldap.properties and ldap.properties.pool I have configured "idp.authn.LDAP.authenticator = adAuthenticator". As such, my understanding is that there is no need to search for the user's DN, because the IDP accepts the user@domain format for authentication. Is it necessary to have credentials configured in bindDN and bindCredential for authentication? Also, can my AD DataConnector in my attribute-resolver.xml file resolve attributes based on the user that it has authenticated?
-Chris
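For readers following the thread, below is an added illustration (not part of Chris's post and not an official Shibboleth configuration) of an ldap.properties fragment for the setup he describes: adAuthenticator, where the IdP binds as the user in user@domain form, with the service account given as a UPN rather than a DN. The domain example.org, the host names and the account names are assumptions. AD's LDAP simple bind accepts a UPN (user@domain) as well as a full DN, which is why a UPN in bindDN works and survives an OU move; the DN-shaped name the property expects is only enforced by AD when the value is actually a DN.

```properties
# Added example ldap.properties fragment (assumed values, not from the original post).
# Server and transport: keep TLS on so the service-account password and user
# passwords never cross the wire in the clear.
idp.authn.LDAP.ldapURL                  = ldaps://dc1.example.org:636 ldaps://dc2.example.org:636
idp.authn.LDAP.useStartTLS              = false
idp.authn.LDAP.sslConfig                = certificateTrust
idp.authn.LDAP.trustCertificates        = %{idp.home}/credentials/ad-ca.pem

# adAuthenticator: no DN search before authentication. The IdP formats the
# typed username with dnFormat and binds as that value, so the user's OU does
# not matter for the authentication bind itself.
idp.authn.LDAP.authenticator            = adAuthenticator
idp.authn.LDAP.dnFormat                 = %s@example.org

# Service account used for the entry lookup after authentication (and reused
# by the attribute resolver below). Given here as a UPN, not a DN, so that an
# OU restructure does not break it. Assumed account name.
idp.authn.LDAP.bindDN                   = svc-idp@example.org
idp.authn.LDAP.bindDNCredential         = changeit
idp.authn.LDAP.baseDN                   = DC=example,DC=org
idp.authn.LDAP.userFilter               = (sAMAccountName={user})
idp.authn.LDAP.resolveEntryWithBindDn   = true

# Attribute resolver (LDAPDirectory DataConnector) credentials: same UPN form.
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.searchFilter        = (sAMAccountName=$resolutionContext.principal)
```

Two checks worth running before relying on this in production: confirm the service account's password is not the same as any admin account's and that it has only read rights on the subtree it searches, and bind once with a plain LDAP client using the UPN (for example ldapsearch with -D 'svc-idp@example.org') against every domain controller in the URL list, since a UPN bind that works on one DC and fails on another usually points at a suffix or replication difference rather than at the IdP.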