shibboleth idp with google

Aisha Al Fudhaili aisha at omren.om
Mon Aug 15 09:25:16 UTC 2022


Hope you are doing great and staying safe. I would like to let you know that we are facing an issue connecting Shibboleth IdP 4.1 with Google LDAP. We have tried our best to configure the LDAP, although Google did not show how to configure LDAP with Shibboleth IdP.

It keeps showing the following error, "Login Failure: Pool is empty, and connection creation failed", when we try to enter the user credentials on the authentication page. In the log file, we keep getting the errors below:

Please assist on how to solve this issue.

"DEBUG [org.ldaptive.provider.unboundid.UnboundIDConnectionFactory:90] - Error connecting to LDAP URL: ldap://ldap.google.com:636
org.ldaptive.provider.ConnectionException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to connect to server ldap.google.com:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636:  ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))')
                at org.ldaptive.provider.unboundid.UnboundIDConnectionFactory.createInternal(UnboundIDConnectionFactory.java:65)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to connect to server ldap.google.com:636:  IOException(LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636:  ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb'))
                at com.unboundid.ldap.sdk.LDAPConnection.connect(LDAPConnection.java:875)
Caused by: java.io.IOException: LDAPException(resultCode=91 (connect error), errorMessage='An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636:  ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
                at com.unboundid.ldap.sdk.LDAPConnectionInternals.<init>(LDAPConnectionInternals.java:185)
Caused by: com.unboundid.ldap.sdk.LDAPException: An error occurred while attempting to establish a connection to server ldap.google.com/216.239.32.58:636:  ConnectException(Connection timed out: connect), ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb
                at com.unboundid.ldap.sdk.ConnectThread.getConnectedSocket(ConnectThread.java:269)
Caused by: java.net.ConnectException: Connection timed out: connect
                at java.base/java.net.PlainSocketImpl.waitForConnect(Native Method)"

ldap.properties

# LDAP authentication (and possibly attribute resolver) configuration
# Note, this doesn't apply to the use of JAAS authentication via LDAP

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator                   = bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL                          = ldap://ldap.google.com:636
idp.authn.LDAP.useStartTLS                     = true

# Time in milliseconds that connects will block
idp.authn.LDAP.connectTimeout                  = PT120S
# Time in milliseconds to wait for responses
idp.authn.LDAP.responseTimeout                 = PT120S
# Connection strategy to use when multiple URLs are supplied, either ACTIVE_PASSIVE, ROUND_ROBIN, RANDOM
#idp.authn.LDAP.connectionStrategy               = ACTIVE_PASSIVE

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig                       = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates                = %{idp.home}/credentials/ldap-client.p12
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
idp.authn.LDAP.returnAttributes                 = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN                           = ou=Users,dc=example,dc=edu,dc=om
#idp.authn.LDAP.subtreeSearch                   = false
#idp.authn.LDAP.userFilter                       = (uid={user})

idp.authn.LDAP.userFilter                       = (sAMAccountName={uid})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
#idp.authn.LDAP.bindDN                           = uid=myservice,ou=
idp.authn.LDAP.bindDN                           = Myusername

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
#idp.authn.LDAP.dnFormat                         = dc=example ,dc=edu,dc=om

# pool passivator, either none, bind or anonymousBind
#idp.authn.LDAP.bindPoolPassivator                  = bind

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
#idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
#idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
#idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
#idp.attribute.resolver.LDAP.connectionStrategy  = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}#
#idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
#idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
#idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
#idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
#idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)


idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout      = %{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout     = %{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:false}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter        = (uid=$resolutionContext.principal)

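The following is an added example, not code from the original post, from Shibboleth or from Google. It reads the posted ldap.properties and flags settings that cannot work together against an LDAPS-only directory, and it maps the innermost exception in the posted log to the layer that failed. It assumes what Google documents for Secure LDAP (served on ldaps://ldap.google.com:636 with TLS client-certificate authentication, no StartTLS) and that the Shibboleth IdP substitutes the `{user}` placeholder in `idp.authn.LDAP.userFilter`, as the commented default on the page shows. The function names and the sample excerpts are constructed for the example.

```python
"""Sanity-check a Shibboleth IdP ldap.properties and classify the ldaptive
connect error from idp-process.log.  Added example; not Shibboleth/Google code."""
import re
from urllib.parse import urlsplit

# Constructed excerpt: the non-comment settings from the message above.
SAMPLE_PROPERTIES = """\
idp.authn.LDAP.authenticator      = bindSearchAuthenticator
idp.authn.LDAP.ldapURL            = ldap://ldap.google.com:636
idp.authn.LDAP.useStartTLS        = true
idp.authn.LDAP.sslConfig          = certificateTrust
idp.authn.LDAP.trustCertificates  = %{idp.home}/credentials/ldap-client.p12
idp.authn.LDAP.userFilter         = (sAMAccountName={uid})
idp.authn.LDAP.bindDN             = Myusername
"""

# Innermost cause taken from the log excerpt in the message.
SAMPLE_LOG = "Caused by: java.net.ConnectException: Connection timed out: connect"


def parse_properties(text):
    """Minimal Java-properties reader: key = value, '#' comment lines ignored."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def audit_ldap_properties(text):
    """Return findings for settings that cannot work together against an
    LDAPS-only directory (assumption: Google Secure LDAP is LDAPS on 636)."""
    p = parse_properties(text)
    findings = []

    url = urlsplit(p.get("idp.authn.LDAP.ldapURL", ""))
    starttls = p.get("idp.authn.LDAP.useStartTLS", "false").lower() == "true"
    if url.scheme == "ldap" and url.port == 636:
        findings.append("ldapURL: port 636 is LDAPS; use ldaps://%s:636" % url.hostname)
    if starttls and (url.scheme == "ldaps" or url.port == 636):
        findings.append("useStartTLS=true contradicts an LDAPS endpoint; StartTLS "
                        "upgrades a plaintext port-389 session, so set it to false")

    trust = p.get("idp.authn.LDAP.trustCertificates", "")
    if trust.lower().endswith((".p12", ".pfx")):
        findings.append("trustCertificates points at a PKCS#12 keystore; certificateTrust "
                        "expects a PEM/DER certificate, and a client key+cert bundle is "
                        "client-authentication material, not a trust anchor")

    filt = p.get("idp.authn.LDAP.userFilter", "")
    m = re.search(r"\{(\w+)\}", filt)
    if m and m.group(1) != "user":
        findings.append("userFilter placeholder {%s} is never substituted; "
                        "the IdP fills {user}" % m.group(1))
    if "sAMAccountName" in filt:
        findings.append("userFilter searches sAMAccountName, an Active Directory "
                        "attribute; Google directory entries carry uid/mail")
    return findings


def classify_connect_error(log_text):
    """Map the exception chain to the layer that failed so the fix is aimed at
    the right place: network path, TLS trust, or bind credentials."""
    if "resultCode=49" in log_text:
        return "credentials"      # bind rejected: wrong bindDN or password
    if "SSLHandshakeException" in log_text or "PKIX" in log_text:
        return "tls"              # TCP succeeded, certificate trust did not
    if "ConnectException" in log_text or "Connection timed out" in log_text:
        return "network"          # no TCP handshake: egress firewall, proxy or port
    return "unknown"


if __name__ == "__main__":
    for finding in audit_ldap_properties(SAMPLE_PROPERTIES):
        print("-", finding)
    print("failure layer:", classify_connect_error(SAMPLE_LOG))
```

Run against the posted excerpt it reports five configuration findings and classifies the log as a network-layer failure: a TCP connect timeout means no handshake ever completed with ldap.google.com, so none of the TLS or filter settings were exercised yet, and the first thing to verify is outbound access from the IdP host to port 636 (the URL scheme and StartTLS setting still need correcting before the next layer can succeed).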
