[External]Re: AD Shibboleth Authentication

Christopher Bland chris at fdu.edu
Fri Oct 18 14:54:11 EDT 2019


Hi David & Peter,

Thank you for the good info.  I think I need to restate my question.

My AD admins have a brand new auditing tool and they are trying to find a way to track user authentications on the AD side.  They are going to be generating all kinds of reports to management and can't fully trust their data because it doesn't show all user activity.

Does anyone have a Shibboleth IDP running on Linux with AD authentication that creates authentication logs in AD?  If so, what kind of special hoops did you have to jump through?

-Chris



________________________________
From: IAM David Bantz <dabantz at alaska.edu>
Sent: Friday, October 18, 2019 1:52 PM
To: Shib Users <users at shibboleth.net>
Cc: Christopher Bland <chris at fdu.edu>; Peter Schober <peter.schober at univie.ac.at>
Subject: [External]Re: AD Shibboleth Authentication

I use the JAAS config to AD as well.
The logger org.ldaptive.auth provides detail about the AD responses to authN requests if set to DEBUG
(including, IIRC, detail data code that indicates the reason for authN failure - 532=expired pwd, 52e=bad pwd, 701=expired acct, etc.).

David Bantz
UA OIT IAM

On Fri, Oct 18, 2019 at 9:06 AM Peter Schober <peter.schober at univie.ac.at> wrote:
* Christopher Bland <chris at fdu.edu> [2019-10-18 18:31]:
> I have a cluster of IDPs which use the JAAS config to authenticate
> users against AD.  My jaas.config uses bindDN with bindCredential
> and works fine.  My question is on the AD side.  I am not seeing any
> kind of log for authentication being created in AD.  I am wondering
> what kind of experiences other admins have with regard to tracking
> user authentications in AD?

No idea but with non-JAAS you have logs for those events from the IDP itself:

2019-10-18 17:03:35,132 - $IPADDR - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:166]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '$USER' failed

2019-10-18 17:03:40,218 - $IPADDR - INFO
[net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152]
- Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '$USER' succeeded

-peter
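As an added example that is not part of this thread (not code from Shibboleth, ldaptive or any poster): a small Python script that turns the two log sources mentioned above into something an auditing team can use, the IdP's own ValidateUsernamePasswordAgainstLDAP lines that Peter quoted (counting failures per user) and the AD "data" codes David mentioned, which AD puts in the bind diagnostic message and the org.ldaptive.auth logger shows at DEBUG. The log lines, user names, IP addresses and the threshold are constructed sample values; the IdP lines are assumed to be single lines as written to the log (the archive wrapped them).

```python
import re
from collections import Counter

# AD bind-failure "data" codes: 532, 52e and 701 are the ones named in the thread,
# 775 (lockout) is from the same AD AcceptSecurityContext error list.
AD_DATA_CODES = {"52e": "invalid credentials", "532": "password expired",
                 "701": "account expired", "775": "account locked out"}

# One-line form of the IdP log entries quoted above (the mail archive wrapped them).
IDP_RE = re.compile(
    r"^(?P<ts>\S+ \S+) - (?P<ip>\S+) - INFO \[net\.shibboleth\.idp\.authn\.impl\."
    r"ValidateUsernamePasswordAgainstLDAP:\d+\] - Profile Action "
    r"ValidateUsernamePasswordAgainstLDAP: Login by '(?P<user>[^']+)' (?P<result>succeeded|failed)$")
# AD reports the reason inside the bind diagnostic message, which the org.ldaptive.auth
# logger emits at DEBUG, e.g. "... comment: AcceptSecurityContext error, data 52e, v2580".
AD_DATA_RE = re.compile(r"AcceptSecurityContext error, data (?P<code>[0-9a-f]{3})")

def parse_idp_line(line):
    """Return {ts, ip, user, ok} for a ValidateUsernamePasswordAgainstLDAP line, else None."""
    m = IDP_RE.match(line.strip())
    if not m:
        return None
    return {"ts": m["ts"], "ip": m["ip"], "user": m["user"], "ok": m["result"] == "succeeded"}

def ad_failure_reason(diag_message):
    """Map the AD 'data' code in a bind diagnostic message to a human-readable reason."""
    m = AD_DATA_RE.search(diag_message)
    return None if not m else AD_DATA_CODES.get(m["code"], "unknown data code " + m["code"])

def failed_logins(idp_lines, threshold=3):
    """Per-user failure counts plus users at or above threshold (a lockout / guessing signal)."""
    fails = Counter(ev["user"] for ev in map(parse_idp_line, idp_lines) if ev and not ev["ok"])
    return fails, sorted(u for u, n in fails.items() if n >= threshold)

# Constructed sample input (RFC 5737 test addresses, placeholder user names).
SUFFIX = " - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:%d] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '%s' %s"
SAMPLE_IDP_LOG = [
    "2019-10-18 17:03:35,132 - 203.0.113.7" + SUFFIX % (166, "jdoe", "failed"),
    "2019-10-18 17:03:37,004 - 203.0.113.7" + SUFFIX % (166, "jdoe", "failed"),
    "2019-10-18 17:03:39,511 - 203.0.113.7" + SUFFIX % (166, "jdoe", "failed"),
    "2019-10-18 17:03:40,218 - 198.51.100.2" + SUFFIX % (152, "asmith", "succeeded"),
]
SAMPLE_AD_DIAG = "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580"

if __name__ == "__main__":
    counts, flagged = failed_logins(SAMPLE_IDP_LOG)
    print(dict(counts), flagged, ad_failure_reason(SAMPLE_AD_DIAG))
```

Note that with the JAAS/bind path the IdP lines above are the only per-user record the IdP itself produces; the AD data code is only visible when the ldaptive logger is at DEBUG, which is verbose and should be limited to troubleshooting windows.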