Shibboleth Native LDAP Authentication and Binding with User Credentials


Shibboleth Native LDAP Authentication and Binding with User Credentials

Ullfig, Roberto Alfredo

I’m looking at configuring the native shibboleth authentication service but historically we bind to ldap using the user’s credentials (not root or admin). Are those stored in some variable that can be accessed in the bean in authn/ldap-authn-config.xml? Thanks!

 

---

Roberto Ullfig - [hidden email]

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: Shibboleth Native LDAP Authentication and Binding with User Credentials

Nate Klingenstein-2
Roberto,

I assume that by "bind to LDAP using the user's credentials", that you mean you do anonymous BINDs.  If so, you can probably use the anonSearchAuthenticator, for which there is indeed a property.


I don't believe that you'd want to store the user's credentials anywhere if you can avoid it.

Hope this helps,
Nate.


RE: Shibboleth Native LDAP Authentication and Binding with User Credentials

Losen, Stephen C. (scl)-2

Hi,

 

I was recently doing this very thing myself.  You want to use the “directAuthenticator”, and also set the property idp.authn.LDAP.dnFormat; see the wiki for details:

 

https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration

 

Stephen C. Losen

ITS - Systems and Storage

University of Virginia

[hidden email]    434-924-0640

 


RE: Shibboleth Native LDAP Authentication and Binding with User Credentials

Ullfig, Roberto Alfredo
In reply to this post by Nate Klingenstein-2

No, not anonymous bind. Non-anonymous simple authentication bind.

 

---

Roberto Ullfig - [hidden email]

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 


RE: Shibboleth Native LDAP Authentication and Binding with User Credentials

Ullfig, Roberto Alfredo
In reply to this post by Losen, Stephen C. (scl)-2

Thanks, that worked! On a related note, we have an ldap server (port 636) that has “LDAPTLS_REQCERT=never” set but it appears that the shibboleth IDP always requires a certificate for SSL. Is there any way around that?

 

---

Roberto Ullfig - [hidden email]

Systems Administrator

Enterprise Architecture and Development | ACCC

University of Illinois - Chicago

 


RE: Shibboleth Native LDAP Authentication and Binding with User Credentials

Cantor, Scott E.
> Thanks, that worked! On a related note, we have an ldap server (port 636) that
> has “LDAPTLS_REQCERT=never” set but it appears that the shibboleth IDP
> always requires a certificate for SSL. Is there any way around that?

All clients of a TLS system have to evaluate its certificate, the server's decisions about the client don't really enter into that. There are some pathological cases I guess where a TLS server might not have one, but they don't apply here.

-- Scott

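Putting Stephen's directAuthenticator/dnFormat answer and Scott's TLS answer together as one IdP 3.x conf/ldap.properties fragment. This is an added example, not configuration from the thread or from the Shibboleth project; the hostname, base DN and certificate path are placeholders.

```properties
# Added example (not from the thread): IdP 3.x conf/ldap.properties for a direct,
# non-anonymous simple bind using the user's own credentials.
# ldap.example.org, the base DN and the .crt path are placeholders.

# Connect over LDAPS on 636; StartTLS is not used on an ldaps:// URL.
idp.authn.LDAP.ldapURL            = ldaps://ldap.example.org:636
idp.authn.LDAP.useStartTLS        = false
idp.authn.LDAP.useSSL             = true

# The IdP (a Java TLS client) always validates the server certificate.
# LDAPTLS_REQCERT=never only affects OpenLDAP's own client library, so it cannot
# relax the IdP. Trust the server's certificate (or its issuing CA) explicitly
# instead of looking for a way to skip validation.
idp.authn.LDAP.sslConfig          = certificateTrust
idp.authn.LDAP.trustCertificates  = %{idp.home}/credentials/ldap-server.crt

# Bind directly as the user: the IdP substitutes the entered username for %s and
# binds with the user's password, so no service account is needed and the
# user's credentials are never stored.
idp.authn.LDAP.authenticator      = directAuthenticator
idp.authn.LDAP.dnFormat           = uid=%s,ou=people,dc=example,dc=org

# Only the search-based authenticators use a bind DN; leave these unset here.
#idp.authn.LDAP.bindDN            =
#idp.authn.LDAP.bindDNCredential  =
```

Put the server's certificate or issuing CA in PEM form at the trustCertificates path; the IdP reads these properties at startup.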