Shibboleth IdP with Google LDAP
Aisha Al Fudhaili
aisha at omren.om
Wed Aug 3 09:07:15 UTC 2022
Hi,
I'm trying to connect Shibboleth IdP with Google Secure LDAP. I do not know how to configure the LDAP, since Google did not show how to configure LDAP with Shibboleth. I'm using Shibboleth IdP 4.1. Any idea how to configure it?
ldap.properties file:
# LDAP authentication (and possibly attribute resolver) configuration
# Note, this doesn't apply to the use of JAAS authentication via LDAP
## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator = bindSearchAuthenticator
## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://ldap.google.com:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
# Time in milliseconds that connects will block
idp.authn.LDAP.connectTimeout = PT120S
# Time in milliseconds to wait for responses
idp.authn.LDAP.responseTimeout = PT120S
# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
#idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-client.pfx
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore
## Return attributes during authentication
idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining
## DN resolution properties ##
# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = dc=cas,dc=edu,dc=om
#idp.authn.LDAP.subtreeSearch = false
#idp.authn.LDAP.userFilter = (uid={user})
idp.authn.LDAP.userFilter = (sAMAccountName={uid})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
#idp.authn.LDAP.bindDN = uid=myservice,ou=cas.edu.om
idp.authn.LDAP.bindDN = ##myusername
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat = %s@cas.edu.om
# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator = bind
# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
#idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
#idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
#idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
#idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
#idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
#idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
#idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
#idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
#idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:false}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.validateDN =
#idp.pool.LDAP.validateFilter = (objectClass=*)
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
Log file:
2022-08-03 12:55:26,408 - 185.186.207.49 - ERROR [org.ldaptive.pool.BlockingConnectionPool:454] - [org.ldaptive.pool.BlockingConnectionPool@888147565::name=bind-pool, poolConfig=[org.ldaptive.pool.PoolConfig@404642328::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=PT5M, validateTimeout=PT5S], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@1602642360::searchRequest=[org.ldaptive.SearchRequest@522471306::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=PT0S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@1554614646::prunePeriod=PT5M, idleTime=PT10M], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@1717476728::provider=org.ldaptive.provider.unboundid.UnboundIDProvider@554a2725, config=[org.ldaptive.ConnectionConfig@1469079299::ldapUrl=ldap://ldap.google.com:636, connectTimeout=PT2M, responseTimeout=PT2M, sslConfig=[org.ldaptive.ssl.SslConfig@1206030014::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig@132a4a9c, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null, connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy@55c57e67]], initialized=false, availableCount=0, activeCount=0] unable to connect to the ldap
org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap.google.com:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636: ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))')
at org.ldaptive.provider.unboundid.UnboundIDConnectionFactory.createInternal(UnboundIDConnectionFactory.java:65)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap.google.com:636: IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636: ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:875)
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636: ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636: ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:269)
Caused by: java.net.ConnectException: Connection timed out: connect
at java.base/java.net.PlainSocketImpl.waitForConnect(Native Method)
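The error in the log is worth reading before any certificate work: resultCode=91 with a nested `ConnectException: Connection timed out` means the TCP handshake to 216.239.32.58:636 never completed, so the sslConfig, trust certificate and client credential were not exercised at all. The script below is an added example, not code from the original post or from the Shibboleth project. It classifies the ldaptive/UnboundID error text by the layer that failed (TCP, TLS or LDAP bind) and lints the posted ldap.properties for settings that would fail once the socket does connect: an `ldap://` scheme on port 636, the `{uid}` placeholder where the template uses `{user}`, the Active Directory attribute `sAMAccountName` in the user filter, a PKCS#12 bundle given as `trustCertificates` (which, per the template comment, is the trusted server certificate, not a client credential), and a `#` inside a property value (only a line-leading `#` is a comment in a .properties file). The error text and property lines are copied from the post and trimmed; the function names, the check list and the advice strings are this example's own assumptions.

```python
"""Triage helpers for a Shibboleth IdP -> LDAP connection failure.

Added example; not code from the original post or from Shibboleth.
Two checks to run before touching certificates:
  1. classify the ldaptive/UnboundID error by the layer that failed
     (a TCP connect timeout means TLS settings were never exercised);
  2. lint ldap.properties for settings that fail once the socket connects.
"""
import re

# Error text and property lines as posted on the list (trimmed). Only the
# host, IP and port that appear in the post are used; nothing else is real.
SAMPLE_ERROR = (
    "org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 "
    "(connect error), errorMessage='An error occurred while attempting to "
    "connect to server ldap.google.com:636: IOException(LDAPException("
    "resultCode=91 (connect error), errorMessage='An error occurred while "
    "attempting to establish a connection to server "
    "ldap.google.com/216.239.32.58:636: ConnectException(Connection timed "
    "out: connect), ldapSDKVersion=4.0.14'))')"
)

SAMPLE_PROPERTIES = """\
idp.authn.LDAP.authenticator = bindSearchAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.google.com:636
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = true
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-client.pfx
idp.authn.LDAP.baseDN = dc=cas,dc=edu,dc=om
idp.authn.LDAP.userFilter = (sAMAccountName={uid})
idp.authn.LDAP.bindDN = ##myusername
"""


def parse_properties(text):
    """Minimal .properties reader: 'key = value'; '#' or '!' only comments at line start."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def lint_ldap_properties(text):
    """Return (property, problem) pairs; the check list is this example's own."""
    p = parse_properties(text)
    out = []
    url = p.get("idp.authn.LDAP.ldapURL", "")
    if url.startswith("ldap://") and (url.endswith(":636") or p.get("idp.authn.LDAP.useSSL") == "true"):
        out.append(("idp.authn.LDAP.ldapURL",
                    "ldap:// scheme with port 636/useSSL=true; write ldaps://ldap.google.com:636"))
    flt = p.get("idp.authn.LDAP.userFilter", "")
    if "{uid}" in flt:
        out.append(("idp.authn.LDAP.userFilter", "placeholder is {user}, not {uid} (template: (uid={user}))"))
    if "sAMAccountName" in flt:
        out.append(("idp.authn.LDAP.userFilter",
                    "sAMAccountName is an Active Directory attribute; Google's directory exposes uid and mail"))
    if p.get("idp.authn.LDAP.trustCertificates", "").lower().endswith((".pfx", ".p12")):
        out.append(("idp.authn.LDAP.trustCertificates",
                    "certificateTrust wants the server's CA certificate (PEM); a PKCS#12 is a client credential"))
    if p.get("idp.authn.LDAP.bindDN", "").startswith("#"):
        out.append(("idp.authn.LDAP.bindDN",
                    "value starts with '#': not a comment here, the literal string would be sent as the bind DN"))
    return out


def classify_ldap_error(text):
    """Map an ldaptive/UnboundID exception message to the layer that failed."""
    info = {"result_code": None, "host": None, "ip": None, "port": None, "layer": "unknown"}
    m = re.search(r"resultCode=(\d+)", text)
    if m:
        info["result_code"] = int(m.group(1))
    # The innermost message carries the resolved address: "server host/ip:port".
    m = re.search(r"server ([\w.-]+)/(\d{1,3}(?:\.\d{1,3}){3}):(\d+)", text)
    if m:
        info["host"], info["ip"], info["port"] = m.group(1), m.group(2), int(m.group(3))
    if re.search(r"Connection timed out|Connection refused|No route to host|UnknownHostException", text):
        info["layer"] = "tcp"          # socket never established: nothing above it ran
    elif re.search(r"SSLHandshakeException|SSLException|PKIX|handshake", text):
        info["layer"] = "tls"          # socket up, certificate/trust problem
    elif info["result_code"] == 49:
        info["layer"] = "bind"         # TLS fine, invalid credentials
    return info


def next_step(info):
    """Advice per layer (wording is this example's own)."""
    return {
        "tcp": "TCP connect to %s:%s never completed: check egress filtering from the IdP host "
               "before touching TLS or certificate settings" % (info["ip"], info["port"]),
        "tls": "socket connected but TLS failed: check sslConfig, trustCertificates and the client certificate",
        "bind": "TLS is fine; the bind credentials were rejected",
    }.get(info["layer"], "unclassified: read the full cause chain")


if __name__ == "__main__":
    info = classify_ldap_error(SAMPLE_ERROR)
    print(info["layer"], "-", next_step(info))
    for key, problem in lint_ldap_properties(SAMPLE_PROPERTIES):
        print("%s: %s" % (key, problem))
```

Run against the posted error text it reports the TCP layer, which is why the trust-certificate and user-filter findings are things to fix after connectivity is sorted, not the cause of this particular trace; the log's `useSSL=false` also does not match the posted `useSSL = true`, so confirm which ldap.properties the running IdP actually loaded.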