JAAS ldap issue
IAM David Bantz
dabantz at alaska.edu
Wed Jun 3 16:16:27 UTC 2020
Mike Grady correctly noted my use of very old (v2) names in my JAAS config.
The following appears to work (ssl-> useSSL, tls->useStartTLS,
sslSocketFactory->credentialConfig; cf. bottom of
https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration)
I'm testing with random credentials, so await final verification by real
users.
// application entry name the IdP's conf/authn/jaas.config uses
ShibUserPassAuth {
   // UA Authenticator is proxy to AD; allows some expired accounts to authenticate
   org.ldaptive.jaas.LdapLoginModule sufficient
      ldapUrl="ldaps://cas-auth-t.alaska.edu:6361"
      baseDn="dc=ua,dc=adt,dc=alaska,dc=edu"
      bindDn="CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu"
      bindCredential="$C at c99@cT"
      subtreeSearch="true"
      credentialConfig="{trustCertificates=file:/opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
      useSSL="true"
      useStartTLS="false"
      userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
      connectTimeout="3000"
      resultTimeout="3000"
      ;
};
On Wed, Jun 3, 2020 at 7:52 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
> You can crank up logging, but at the end of the day, the error means what
> it says. Having been spelunking a whole lot of trust chain issues since
> Saturday, I can tell you that when it's not working there's always a
> reason, even when you're banging your head against it.
>
> Of course if you can connect over ldap:// and you're getting a real error
> anyway, I'd be more worried about resolving that since it's just going to
> happen again once you manage to connect with ldaps://
>
> -- Scott
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
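The rename David describes (ssl -> useSSL, tls -> useStartTLS, sslSocketFactory -> credentialConfig) is easy to get half-right, and a stanza with a stale name fails silently into the JVM default truststore or a plain-text bind. The following is an added example, not code from this thread, from Shibboleth or from ldaptive: a small Python linter that parses an org.ldaptive.jaas.LdapLoginModule stanza, flags the deprecated option names, and checks that useSSL/useStartTLS agree with the ldapUrl scheme and that credentialConfig actually names a trust anchor. The hostnames, DNs, file paths and the bind-password placeholder in the two sample stanzas are constructed; the consistency rules beyond the three renames are my own checks, not ldaptive's validation.

```python
"""Lint an org.ldaptive.jaas.LdapLoginModule stanza from a Shibboleth IdP
jaas.config: deprecated v2 option names and TLS settings that disagree.
Added example; sample values below are constructed placeholders."""
import re

# Old (v2) option name -> current ldaptive name, the renames from the thread.
RENAMED_OPTIONS = {
    "ssl": "useSSL",
    "tls": "useStartTLS",
    "sslSocketFactory": "credentialConfig",
}

# One login module entry: class name, control flag, options, terminating ';'.
_STANZA_RE = re.compile(
    r"([\w.]+)\s+(required|requisite|sufficient|optional)\b(.*?);",
    re.IGNORECASE | re.DOTALL,
)
# One key="value" option; JAAS values are double-quoted, backslash escapes allowed.
_OPTION_RE = re.compile(r'(\w+)\s*=\s*"((?:[^"\\]|\\.)*)"')


def parse_stanza(text):
    """Return {'module', 'flag', 'options'} for the first login module in text."""
    # Drop whole-line // comments only: '//' also occurs inside ldap(s):// URLs.
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("//"))
    m = _STANZA_RE.search(body)
    if m is None:
        raise ValueError("no login module stanza found")
    return {
        "module": m.group(1),
        "flag": m.group(2).lower(),
        "options": dict(_OPTION_RE.findall(m.group(3))),
    }


def upgrade_option_names(options):
    """Rewrite deprecated option names to their current equivalents."""
    return {RENAMED_OPTIONS.get(k, k): v for k, v in options.items()}


def _is_true(options, key):
    return options.get(key, "false").strip().lower() == "true"


def lint(stanza):
    """Return (level, message) findings; level is 'error' or 'warning'."""
    opts = stanza["options"]
    findings = []
    for old, new in RENAMED_OPTIONS.items():
        if old in opts:
            findings.append(("error", f'"{old}" is a deprecated option name; use "{new}"'))
    url = opts.get("ldapUrl", "")
    use_ssl = _is_true(opts, "useSSL")
    use_starttls = _is_true(opts, "useStartTLS")
    if use_ssl and use_starttls:
        findings.append(("error", "useSSL and useStartTLS are both true; choose one"))
    if url.startswith("ldaps://") and not use_ssl:
        findings.append(("error", "ldapUrl is ldaps:// but useSSL is not true"))
    if url.startswith("ldap://") and not use_starttls:
        findings.append(("error", "ldapUrl is plain ldap:// without useStartTLS; "
                                  "the bind password would cross the wire in clear"))
    if use_ssl or use_starttls:
        cred = opts.get("credentialConfig", "")
        if not cred:
            findings.append(("warning", "no credentialConfig: server trust falls back "
                                        "to the JVM default truststore"))
        elif "trustCertificates=" not in cred and "trustStore=" not in cred:
            findings.append(("error", "credentialConfig names no trustCertificates or trustStore"))
    if "bindCredential" in opts:
        findings.append(("warning", "bind password is inline in jaas.config; keep the file mode restrictive"))
    return findings


def errors(findings):
    """Only the hard failures from lint()."""
    return [msg for level, msg in findings if level == "error"]


# Constructed sample: a stanza still written with the old option names.
OLD_STANZA = """
ShibUserPassAuth {
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldaps://ldap.example.org:636"
    baseDn="dc=example,dc=org"
    bindDn="CN=svc-idp,OU=service accounts,DC=example,DC=org"
    bindCredential="PLACEHOLDER-PASSWORD"
    ssl="true"
    tls="false"
    sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/credentials/ldap-ca.pem}"
    userFilter="(sAMAccountName={user})"
  ;
};
"""

# Constructed sample in the corrected shape the thread arrives at.
NEW_STANZA = """
ShibUserPassAuth {
  // proxy to AD; some expired accounts may still authenticate
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldaps://ldap.example.org:636"
    baseDn="dc=example,dc=org"
    bindDn="CN=svc-idp,OU=service accounts,DC=example,DC=org"
    bindCredential="PLACEHOLDER-PASSWORD"
    subtreeSearch="true"
    credentialConfig="{trustCertificates=file:/opt/shibboleth-idp/credentials/ldap-ca.pem}"
    useSSL="true"
    useStartTLS="false"
    userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
    connectTimeout="3000"
    resultTimeout="3000"
  ;
};
"""

if __name__ == "__main__":
    for name, text in (("old", OLD_STANZA), ("new", NEW_STANZA)):
        for level, msg in lint(parse_stanza(text)):
            print(f"{name}: {level}: {msg}")
```

Run it against a real jaas.config by reading the file into `parse_stanza`; an empty `errors()` list plus the inline-password warning is the expected state for a stanza like the one above. The `ssl="true"` case is the one worth noticing: the old name is simply ignored, so the linter reports both the stale name and the resulting ldaps:// URL with no useSSL, which is the combination that produces the confusing connection errors the thread discusses.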