using multiple DN resolvers?

luciano.rocha
Hi,

I am setting up my IdP to authenticate against more than one base DN (https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration).


ldap-authn-config.xml

<bean name="aggregateAuthenticator" class="org.ldaptive.auth.Authenticator">
    <constructor-arg index="0" ref="aggregateDnResolver" />
    <constructor-arg index="1" ref="aggregateAuthHandler" />
</bean>
<bean id="aggregateDnResolver" class="org.ldaptive.auth.AggregateDnResolver">
    <constructor-arg index="0" ref="dnResolvers" />
</bean>
<bean id="aggregateAuthHandler" class="org.ldaptive.auth.AggregateDnResolver$AuthenticationHandler" p:authenticationHandlers-ref="authHandlers" />
<util:map id="dnResolvers">
    <entry key="filter1" value-ref="dnResolver1" />
    <entry key="filter2" value-ref="dnResolver2" />
</util:map>

<bean id="dnResolver1" class="org.ldaptive.auth.PooledSearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN1}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter1}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />
<bean id="dnResolver2" class="org.ldaptive.auth.PooledSearchDnResolver" p:baseDn="%{idp.authn.LDAP.baseDN2}"
      p:subtreeSearch="%{idp.authn.LDAP.subtreeSearch:false}" p:userFilter="%{idp.authn.LDAP.userFilter2}"
      p:connectionFactory-ref="anonSearchPooledConnectionFactory" />

<util:map id="authHandlers">
    <entry key="filter1" value-ref="authHandler" />
    <entry key="filter2" value-ref="authHandler" />
</util:map>

ldap.properties

# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN1                          = CN=Users,DC=ifto,DC=local
idp.authn.LDAP.baseDN2                          = OU=ALUNOS,DC=ifto,DC=local
idp.authn.LDAP.subtreeSearch                    = true
idp.authn.LDAP.userFilter1                      = (sAMAccountName={user})
idp.authn.LDAP.userFilter2                      = (sAMAccountName={user})
# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN                           = CN=pesquisacafe,OU=IFTO,DC=ifto,DC=local
idp.authn.LDAP.bindDNCredential              =
# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat                         = %s@dc001.ifto.local
# LDAP attribute configuration, see attribute-resolver.xml
idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN1}
idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN2}
idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential}
idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.searchFilter        = (sAMAccountName=$requestContext.principalName)

I'm getting the error:

2016-07-11 17:06:41,322 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator:95] - Connection factory validation failed
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: dc001.ifto.local:389 [Root exception is java.net.SocketException: Network is unreachable]

2016-07-11 17:06:41,326 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:143] - Data Connector 'myLDAP': Invalid connector configuration
net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.provider.ConnectionException@2068111740::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: dc001.ifto.local:389 [Root exception is java.net.SocketException: Network is unreachable], providerException=javax.naming.CommunicationException: dc001.ifto.local:389 [Root exception is java.net.SocketException: Network is unreachable]]
        at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator.validate(ConnectionFactoryValidator.java:97)
Caused by: org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: dc001.ifto.local:389 [Root exception is java.net.SocketException: Network is unreachable]

2016-07-11 17:07:24,212 - ERROR [org.ldaptive.pool.BlockingConnectionPool:484] - [org.ldaptive.pool.BlockingConnectionPool@615281004::name=search-pool, poolConfig=[org.ldaptive.pool.PoolConfig@1825484425::minPoolSize=3, maxPoolSize=10, validateOnCheckIn=false, validateOnCheckOut=false, validatePeriodically=true, validatePeriod=300], activator=null, passivator=null, validator=[org.ldaptive.pool.SearchValidator@592508166::searchRequest=[org.ldaptive.SearchRequest@-1849831859::baseDn=, searchFilter=[org.ldaptive.SearchFilter@1642584434::filter=(objectClass=*), parameters={}], returnAttributes=[1.1], searchScope=OBJECT, timeLimit=0, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=null, searchReferenceHandlers=null, controls=null, followReferrals=false, intermediateResponseHandlers=null]] pruneStrategy=[org.ldaptive.pool.IdlePruneStrategy@1873173935::prunePeriod=300, idleTime=600], connectOnCreate=true, connectionFactory=[org.ldaptive.DefaultConnectionFactory@840811973::provider=org.ldaptive.provider.jndi.JndiProvider@29a6e436, config=[org.ldaptive.ConnectionConfig@831271664::ldapUrl=ldap://dc001.ifto.local:389, connectTimeout=3000, responseTimeout=-1, sslConfig=[org.ldaptive.ssl.SslConfig@1822054987::credentialConfig=net.shibboleth.idp.authn.impl.X509ResourceCredentialConfig@307589f0, trustManagers=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@787238044::bindDn=CN=pesquisacafe,OU=IFTO,DC=ifto,DC=local, bindSaslConfig=null, bindControls=null]]], initialized=false, availableCount=0, activeCount=0] unable to connect to the ldap
org.ldaptive.provider.ConnectionException: javax.naming.CommunicationException: dc001.ifto.local:389 [Root exception is java.net.SocketTimeoutException: connect timed out]
        at org.ldaptive.provider.jndi.JndiConnectionFactory.createInternal(JndiConnectionFactory.java:104)
Caused by: javax.naming.CommunicationException: dc001.ifto.local:389
        at com.sun.jndi.ldap.Connection.<init>(Connection.java:216)
Caused by: java.net.SocketTimeoutException: connect timed out
        at java.net.PlainSocketImpl.socketConnect(Native Method)



Could you send me an example ldap.properties configuration file?


Thanks
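As an added example (not Shibboleth or ldaptive code, and not from the poster), a small Python linter for the kind of ldap.properties fragment shown above. Java properties keep only the last assignment to a key, so the second idp.attribute.resolver.LDAP.baseDN line silently replaces the first, and a %{...} placeholder with no default that names an undefined key fails at startup; the sample input is constructed, with example.org names standing in for the site's own directory.

```python
import re
PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")  # Spring %{key} / %{key:default}

# Constructed sample mirroring the post's fragment (example.org names stand in for the site's).
SAMPLE = """\
idp.authn.LDAP.baseDN1 = CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN2 = OU=Students,DC=example,DC=org
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN1}
idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN2}
idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
"""

def parse_properties(text):
    """Return (values, duplicates): values keeps the last assignment per key, as
    java.util.Properties does; duplicates lists every value of keys set twice."""
    values, seen = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]*)\s*[=:]?\s*(.*)", line)
        key, value = m.group(1), m.group(2).strip()
        seen.setdefault(key, []).append(value)
        values[key] = value
    return values, {k: v for k, v in seen.items() if len(v) > 1}

def resolve(values, key):
    """Expand placeholders in values[key] recursively. An undefined key with no
    default raises KeyError, which is the condition the IdP fails on at startup."""
    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in values:
            return resolve(values, name)
        if default is not None:
            return default
        raise KeyError(name)
    return PLACEHOLDER.sub(sub, values[key])

def lint(text):
    """Findings for duplicated keys and placeholders that cannot be resolved."""
    values, duplicates = parse_properties(text)
    findings = [f"{k} set {len(v)} times; only the last ({v[-1]}) is used" for k, v in duplicates.items()]
    for key in sorted(values):
        try:
            resolve(values, key)
        except KeyError as e:
            findings.append(f"{key} references undefined {e.args[0]} with no default")
    return findings
```

The "Network is unreachable" and "connect timed out" errors in the log are about reaching dc001.ifto.local:389 at all, which no properties lint can catch; they need to be checked from the IdP host itself.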