LDAP AUTHENTICATION FAILED UPGRADE SHIBBOLETH V2.3 TO V3.3

LDAP AUTHENTICATION FAILED UPGRADE SHIBBOLETH V2.3 TO V3.3

tolock

We are in the process of upgrading from Shibboleth V2.3 to V3.3 and I can’t seem to get the LDAP connection to work properly. Authentication fails each time with a "password incorrect" error.

The password is correct because the same process is working on the V2.3.

I have worked with changing idp.authn.LDAP.authenticator to bindSearchAuthenticator, in which case the LDAP connection would fail. I changed it back to adAuthenticator, but as you can see by the logs the user is still unable to log in.

2018-06-26 18:22:34,321 - DEBUG [net.shibboleth.idp.authn.AbstractExtractionAction:137] - Profile Action ExtractUsernamePasswordFromFormRequest: Trimming whitespace of input string '*****'
2018-06-26 18:22:34,347 - DEBUG [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:131] - Profile Action ValidateUsernamePasswordAgainstLDAP: Attempting to authenticate user *****
2018-06-26 18:22:34,348 - DEBUG [org.ldaptive.auth.Authenticator:236] - authenticate dn= with request=[org.ldaptive.auth.AuthenticationRequest@1887069008::user=tolock, retAttrs=[passwordExpirationTime, loginGraceRemaining]]
2018-06-26 18:22:34,360 - INFO [org.ldaptive.auth.Authenticator:259] - Authentication failed for dn:
2018-06-26 18:22:34,360 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticate response=[org.ldaptive.auth.AuthenticationHandlerResponse@729642348::connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1010890713::config=[org.ldaptive.ConnectionConfig@2139568793::ldapUrl=ldap://captain.uncp.edu:389, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@681334126::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig@6c2174c8, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=null], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1742175146::metadata=[ldapUrl=ldap://ldap.****.edu:389, count=1], environment={com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1188928125::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, [hidden email], [hidden email], environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], [hidden email]], result=false, resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for dn= with request=[org.ldaptive.auth.AuthenticationRequest@1887069008::user=*****, retAttrs=[passwordExpirationTime, loginGraceRemaining]]
2018-06-26 18:22:34,361 - INFO [net.shibboleth.idp.authn.impl.ValidateUsernamePasswordAgainstLDAP:152] - Profile Action ValidateUsernamePasswordAgainstLDAP: Login by '*****' failed
2018-06-26 18:22:34,383 - DEBUG [net.shibboleth.idp.ui.context.RelyingPartyUIContext:360] - Found matching scheme, returning name of 'federation.northcarolina.edu'
2018-06-26 18:22:34,384 - DEBUG [net.shibboleth.idp.ui.context.RelyingPartyUIContext:783] - No UIInfo or logos returning null
2018-06-26 18:22:34,384 - DEBUG [net.shibboleth.idp.ui.context.RelyingPartyUIContext:529] - No description matching the languages found, returning null

Configuration from Relying-party.xml:

<resolver:DataConnector id="myAD" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap.****.edu ldap" baseDN="dc=****,dc=local"
    principal="cn=CGI PCA,ou=Service Accounts,dc=****,dc=local" principalCredential="**************"
    searchScope="SUBTREE">
    <dc:FilterTemplate>
        <![CDATA[
            (&(sAMAccountName=$requestContext.principalName)(objectClass=user))
        ]]>
    </dc:FilterTemplate>
    <LDAPProperty name="java.naming.referral" value="follow"/>
    <LDAPProperty name="com.sun.jndi.ldap.connect.timeout" value="3000"/>
</resolver:DataConnector>

Ldap.properties:


# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator = adAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL = ldap://ldap.****.edu:389
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.useSSL = false
idp.authn.LDAP.connectTimeout = 3000

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
#idp.authn.LDAP.sslConfig = certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
#idp.authn.LDAP.trustCertificates = %{idp.home}/credentials/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
#idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
## NOTE: there is a separate property used for attribute resolution
idp.authn.LDAP.returnAttributes = passwordExpirationTime,loginGraceRemaining

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN = dc=****,dc=local
idp.authn.LDAP.subtreeSearch = true
idp.authn.LDAP.userFilter = (uid={sAMAccountName})
# bind search configuration
# for AD: [hidden email]
idp.authn.LDAP.bindDN = uid=******,cn=CGI PCA,ou=Service Accounts,dc=****,dc=local
idp.authn.LDAP.bindDNCredential = **********

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use [hidden email]
idp.authn.LDAP.dnFormat =


Tabitha O. Locklear
MS Information Technology
Operations & Systems Analyst
Division of Information Technology
University of North Carolina at Pembroke
[hidden email]


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
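The posted log carries two clues worth pulling out mechanically: the AD sub-code after "data" in the error 49 message (52e here) and the fact that ldaptive bound with an empty dn=. The triage script below is an added example, not code from the thread or from Shibboleth; its sample lines are constructed to mirror the posted output, and the sub-code table is the commonly documented set of AcceptSecurityContext values.

```python
import re

# Constructed sample lines modelled on the ldaptive output in the post (not the real log).
SAMPLE_LOG = """\
2018-06-26 18:22:34,360 - INFO [org.ldaptive.auth.Authenticator:259] - Authentication failed for dn:
2018-06-26 18:22:34,360 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticate response=[... resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580], controls=null] for dn= with request=[...]
2018-06-26 18:23:10,102 - DEBUG [org.ldaptive.auth.Authenticator:284] - authenticate response=[... resultCode=INVALID_CREDENTIALS, message=javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 775, v2580], controls=null] for dn=CN=jdoe,CN=Users,DC=example,DC=local with request=[...]
"""

# Sub-codes Active Directory reports after "data" in an LDAP error 49 response.
AD_DATA_CODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password, or the bind DN did not identify the user)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Captures the LDAP result code, the AD sub-code and the DN ldaptive bound with.
LINE_RE = re.compile(
    r"error code (?P<code>\d+) .*?data (?P<data>[0-9a-f]+),.*?for dn=(?P<dn>\S*) with request"
)

def triage(log_text):
    """Return one (dn, ldap_code, ad_subcode, reason) tuple per failed bind in the log."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        data = m.group("data")
        # An empty dn means DN resolution produced nothing before the bind was attempted,
        # which points at the authenticator's DN configuration rather than the password.
        dn = m.group("dn") or "<empty: no DN was resolved for the user>"
        findings.append((dn, int(m.group("code")), data, AD_DATA_CODES.get(data, "unknown sub-code")))
    return findings

if __name__ == "__main__":
    for dn, code, data, reason in triage(SAMPLE_LOG):
        print(f"dn={dn} error={code} data={data}: {reason}")
```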

RE: LDAP AUTHENTICATION FAILED UPGRADE SHIBBOLETH V2.3 TO V3.3

Rod Widdowson
Some brief observations - I have forgotten much of what I ever knew about V2 to V3 upgrades.

> Relying-party.xml
> <resolver:DataConnector id="myAD" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"

That doesn’t look right.  That is a line from the attribute resolver.
Further this doesn't have anything to do with attribute resolution (which you can and should test right now using aacli).

This is to do with authentication (login).  IIRC the only authentication was via jaas - there was no native LDAP authentication.

So, if you did the recommended thing of letting the install do the upgrade you probably need to be poking at your JAAS
configuration.

> # LDAP authentication configuration, see authn/ldap-authn-config.xml
> # Note, this doesn't apply to the use of JAAS

Start by reviewing [1] if you are not working from it.

[1] https://wiki.shibboleth.net/confluence/display/IDP30/UpgradingFromV2#UpgradingFromV2-Authentication

R


RE: LDAP AUTHENTICATION FAILED UPGRADE SHIBBOLETH V2.3 TO V3.3

tolock
I didn't do an upgrade I did a fresh install.
I am using the V2.3 files to compare against what I have in the ldap.properties file.


Re: LDAP AUTHENTICATION FAILED UPGRADE SHIBBOLETH V2.3 TO V3.3

Daniel Fisher-2
In reply to this post by tolock
On Tue, Jun 26, 2018 at 3:14 PM Tabitha O. Locklear <[hidden email]> wrote:

> # Format DN resolution, used by directAuthenticator, adAuthenticator
> # for AD use [hidden email]
> idp.authn.LDAP.dnFormat =


This property is required by the adAuthenticator.
Note that the bindDN properties are not used by this authenticator type, as the DN should always resolve to something like '[hidden email]'.

--Daniel Fisher


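To make the point above checkable before restarting the IdP: the script below, an added example rather than code from the thread or from the IdP, reads an ldap.properties fragment and reports which properties the selected authenticator strategy actually consumes, so an empty dnFormat under adAuthenticator is flagged while the unused bindDN is ignored. It assumes the IdP v3 conventions that dnFormat carries a %s slot for the username and userFilter a {user} placeholder; the property values are constructed stand-ins for the posted ones.

```python
# Constructed properties modelled on the ones posted in the thread (credentials replaced).
POSTED = """
idp.authn.LDAP.authenticator = adAuthenticator
idp.authn.LDAP.ldapURL = ldap://ldap.example.edu:389
idp.authn.LDAP.baseDN = dc=example,dc=local
idp.authn.LDAP.userFilter = (uid={sAMAccountName})
idp.authn.LDAP.bindDN = cn=svc,ou=Service Accounts,dc=example,dc=local
idp.authn.LDAP.bindDNCredential = PLACEHOLDER_SECRET
idp.authn.LDAP.dnFormat =
"""

PREFIX = "idp.authn.LDAP."
# Properties each strategy consumes; assumption based on the IdP v3 ldap.properties comments.
REQUIRED = {
    "adAuthenticator": ["dnFormat"],
    "directAuthenticator": ["dnFormat"],
    "bindSearchAuthenticator": ["baseDN", "userFilter", "bindDN", "bindDNCredential"],
    "anonSearchAuthenticator": ["baseDN", "userFilter"],
}

def parse_properties(text):
    """Minimal Java-properties reader: key = value, '#' comments and blank lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def check(props):
    """Return a list of problems; an empty list means the strategy has what it needs."""
    strategy = props.get(PREFIX + "authenticator", "")
    if strategy not in REQUIRED:
        return [f"unknown authenticator '{strategy}'"]
    problems = []
    for name in REQUIRED[strategy]:
        value = props.get(PREFIX + name, "")
        if not value:
            problems.append(f"{strategy} needs {PREFIX}{name} but it is empty")
        elif name == "dnFormat" and "%s" not in value:
            problems.append("dnFormat must contain %s, the slot the username is formatted into")
        elif name == "userFilter" and "{user}" not in value:
            problems.append("userFilter must contain the {user} placeholder")
    return problems

def resolve_dn(props, username):
    """The DN adAuthenticator/directAuthenticator bind with: dnFormat with %s filled in."""
    return props[PREFIX + "dnFormat"].replace("%s", username)
```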