JAAS ldap issue

IAM David Bantz dabantz at alaska.edu
Wed Jun 3 19:00:50 UTC 2020


Mea Culpa

My legacy JAAS config was modeled on this v2 documentation:
https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAuthUserPass

Seems I have several places with the older v2 vocabulary; I don't know why
it has apparently been working for StartTLS and for ldap (unencrypted)
connections, but I will update all the modules.

David Bantz

On Wed, Jun 3, 2020 at 8:16 AM IAM David Bantz <dabantz at alaska.edu> wrote:

> Mike Grady correctly noted my use of very old (v2) names in my JAAS config.
>
> The following appears to work (ssl -> useSSL, tls -> useStartTLS,
> sslSocketFactory -> credentialConfig; cf. bottom of
> https://wiki.shibboleth.net/confluence/display/IDP30/JAASAuthnConfiguration
> )
> I'm testing with random credentials, so await final verification by real
> users.
>
>   // UA Authenticator is proxy to AD allows some expired accounts to authenticate
>   org.ldaptive.jaas.LdapLoginModule sufficient
>     ldapUrl="ldaps://cas-auth-t.alaska.edu:6361"
>     baseDn="dc=ua,dc=adt,dc=alaska,dc=edu"
>     bindDn="CN=cas c. casacct,ou=sw_service accts,ou=sw,dc=ua,dc=adt,dc=alaska,dc=edu"
>     bindCredential="$C at c99@cT"
>     subtreeSearch="true"
>     credentialConfig="{trustCertificates=file:/opt/shibboleth-idp-D/credentials/UAADrootCAs-P-Q-D-T-InC.pem}"
>     useSSL="true"
>     useStartTLS="false"
>     userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
>     connectTimeout="3000"
>     resultTimeout="3000"
>     ;
>
> On Wed, Jun 3, 2020 at 7:52 AM Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>> You can crank up logging, but at the end of the day, the error means what
>> it says. Having been spelunking a whole lot of trust chain issues since
>> Saturday, I can tell you that when it's not working there's always a
>> reason, even when you're banging your head against it.
>>
>> Of course if you can connect over ldap:// and you're getting a real error
>> anyway, I'd be more worried about resolving that since it's just going to
>> happen again once you manage to connect with ldaps://
>>
>> -- Scott
>>
>>
>> --
>> For Consortium Member technical support, see
>> https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to
>> users-unsubscribe at shibboleth.net
>>
>
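A small checker for the rename discussed above, written as an added example for this page (it is not code from the Shibboleth or ldaptive projects): it parses a JAAS module entry, flags the v2 option names ssl, tls and sslSocketFactory, and reports a few inconsistent TLS settings. The sample entries, host, DNs, file path and password are constructed placeholders.

```python
import re

# Old IdP v2 JAAS option names and their ldaptive replacements (from the message above).
V2_RENAMES = {"ssl": "useSSL", "tls": "useStartTLS",
              "sslSocketFactory": "credentialConfig"}
# key="quoted value" or key=bareword; quoted values may hold spaces and '='
OPTION_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s;"]+))')

def parse_jaas_module(text):
    """Parse one JAAS entry `class flag key="value" ... ;` into
    (module_class, control_flag, {option: value}); '//' comment lines are dropped."""
    lines = [l for l in text.splitlines() if not l.strip().startswith("//")]
    body = " ".join(lines).strip().rstrip(";")
    module_class, control_flag, rest = body.split(None, 2)
    options = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
               for m in OPTION_RE.finditer(rest)}
    return module_class, control_flag, options

def lint_ldap_options(options):
    """Return findings for an org.ldaptive.jaas.LdapLoginModule option map."""
    findings = []
    for old, new in V2_RENAMES.items():
        if old in options:
            findings.append(f"'{old}' is an IdP v2 option name; use '{new}'")
    use_ssl = options.get("useSSL") == "true"
    use_tls = options.get("useStartTLS") == "true"
    if use_ssl and use_tls:
        findings.append("useSSL and useStartTLS are both true; enable only one")
    if (use_ssl or use_tls) and "credentialConfig" not in options:
        findings.append("TLS enabled but no credentialConfig/trustCertificates given")
    if (options.get("ldapUrl", "").startswith("ldap://") and not use_tls
            and "bindCredential" in options):
        findings.append("bindCredential sent over an unencrypted ldap:// connection")
    return findings

# Constructed samples modelled on the thread; host, DNs, path and password are placeholders.
LEGACY_V2 = '''// names taken from the v2 documentation
  org.ldaptive.jaas.LdapLoginModule sufficient
    ldapUrl="ldaps://ldap.example.edu:636"
    bindDn="CN=svc account,ou=service accts,dc=example,dc=edu"
    bindCredential="PLACEHOLDER"
    ssl="true"
    tls="false"
    sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/credentials/ldap-ca.pem}"
    userFilter="(|(sAMAccountName={user})(uaIdentifier={user}))"
    ;
'''
FIXED = (LEGACY_V2.replace('ssl="true"', 'useSSL="true"').replace('tls="false"',
         'useStartTLS="false"').replace("sslSocketFactory=", "credentialConfig="))
```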