JAAS ldap issue
IAM David Bantz
dabantz at alaska.edu
Wed Jun 3 19:00:50 UTC 2020
Mea Culpa
My legacy JAAS config was modeled on this v2 documentation:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass
Seems I have several places with the older v2 vocabulary; I don't know why
it has apparently been working for StartTLS and for ldap (unencrypted)
connections, but I will update all the modules.
David Bantz
On Wed, Jun 3, 2020 at 8:16 AM IAM David Bantz <dabantz at alaska.edu> wrote:
> Mike Grady correctly noted my use of very old (v2) names in my JAAS config.
>
> The following appears to work (ssl-> useSSL, tls->useStartTLS,
> sslSocketFactory->credentialConfig; cf. bottom of
> https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration).
> I'm testing with random credentials, so await final verification by real
> users.
>
> // UA Authenticator is proxy to AD allows some expired accounts to authenticate
>
> org.ldaptive.jaas.LdapLoginModule sufficient
> ldapUrl="ldaps://cas-auth-t.alaska.edu:6361"
> baseDn="dc=ua,dc=adt,dc=alaska,dc=edu"
> bindDn="CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu"
> bindCredential="$C at c99@cT"
> subtreeSearch="true"
> credentialConfig="{trustCertificates=file:/opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
> useSSL="true"
> useStartTLS="false"
> userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
> connectTimeout="3000"
> resultTimeout="3000"
> ;
>
> On Wed, Jun 3, 2020 at 7:52 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> You can crank up logging, but at the end of the day, the error means what
>> it says. Having been spelunking a whole lot of trust chain issues since
>> Saturday, I can tell you that when it's not working there's always a
>> reason, even when you're banging your head against it.
>>
>> Of course if you can connect over ldap:// and you're getting a real error
>> anyway, I'd be more worried about resolving that since it's just going to
>> happen again once you manage to connect with ldaps://.
>>
>> -- Scott
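As an added example (not part of this thread, nor code from the Shibboleth or ldaptive projects), a small Python linter that parses one JAAS login-module stanza, flags the old v2 property names the thread maps to their ldaptive replacements, and reports TLS settings that contradict each other or the URL scheme. The host, DNs, credential and trust-file path in the sample stanzas are constructed placeholders.

```python
import re

# Old IdP v2 JAAS property names and the ldaptive (IdP v3+) names the thread maps them to.
LEGACY_KEYS = {"ssl": "useSSL", "tls": "useStartTLS", "sslSocketFactory": "credentialConfig"}

# Constructed sample stanza with placeholder host, DNs and credential (not the poster's config).
LEGACY_STANZA = """
// proxy to AD (constructed example)
org.ldaptive.jaas.LdapLoginModule sufficient
  ldapUrl="ldaps://ldap.example.edu:636"
  baseDn="dc=example,dc=edu"
  bindDn="CN=svc,ou=service,dc=example,dc=edu"
  bindCredential="PLACEHOLDER"
  ssl="true"
  tls="false"
  sslSocketFactory="{trustCertificates=file:/path/to/ca.pem}"
  userFilter="(sAMAccountName={user})"
  ;
"""
# The same stanza after applying the rename table above.
FIXED_STANZA = (
    LEGACY_STANZA.replace('ssl="true"', 'useSSL="true"')
    .replace('tls="false"', 'useStartTLS="false"')
    .replace("sslSocketFactory=", "credentialConfig=")
)

def parse_stanza(text):
    """Return (module, control_flag, options) for one JAAS login-module stanza."""
    lines = [l for l in (s.strip() for s in text.splitlines()) if l and not l.startswith("//") and l != ";"]
    module, flag = lines[0].split()[:2]
    opts = {m.group(1): m.group(2) for m in (re.fullmatch(r'(\w+)="([^"]*)"\s*;?', l) for l in lines[1:]) if m}
    return module, flag, opts

def lint_stanza(text):
    """List legacy names plus TLS settings that contradict each other or the URL scheme."""
    _, _, opts = parse_stanza(text)
    findings = [f"legacy key '{old}': use '{new}'" for old, new in LEGACY_KEYS.items() if old in opts]
    url, ssl, tls = opts.get("ldapUrl", ""), opts.get("useSSL") == "true", opts.get("useStartTLS") == "true"
    checks = [
        (url.startswith("ldaps://") and not ssl, 'ldaps:// URL but useSSL is not "true"'),
        (url.startswith("ldap://") and not tls, "ldap:// without useStartTLS: passwords cross the wire in clear"),
        (ssl and tls, "useSSL and useStartTLS are both true; choose one"),
        ((ssl or tls) and "credentialConfig" not in opts, "TLS on but no credentialConfig: no explicit trust anchors"),
    ]
    return findings + [msg for hit, msg in checks if hit]

if __name__ == "__main__":
    for name, stanza in (("legacy", LEGACY_STANZA), ("fixed", FIXED_STANZA)):
        print(name, lint_stanza(stanza) or "OK")
```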