AD Bind Credentials

AD Bind Credentials

Christopher Bland

Hi All,

My AD guys are restructuring OUs and user placement, which is going to affect my AD service account. At present I am running IDP v3.4.4 using a JAAS config going against AD. Following the directions when I set this up earlier in the year, I set the following values:

jaas.config

bindDn = "Service Account DistinguishedName"

ldap.properties

idp.authn.LDAP.bindDN = "Service Account DistinguishedName"

idp.authn.LDAP.bindDN

idp.authn.LDAP.bindDN = "Service Account DistinguishedName"

In an effort not to have to make these changes in the future, I switched the bindDN value to the UPN value of my AD service account, and things seem to work during testing on my dev IDP. Since the value is supposed to be a DN, I am wondering what other admins have done?

My second question - In my ldap.properties and ldap.properties.pool I have configured "idp.authn.LDAP.authenticator = adAuthenticator". As such, my understanding is that there is no need to search for the user's DN because the IDP accepts the user@domain format for authentication. Is it necessary to have credentials configured in the bindDN and bindCredential for authentication? Also, can my AD DataConnector in my attribute-resolver.xml file resolve attributes based on the user that it has authenticated?

-Chris


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: AD Bind Credentials

Cantor, Scott E.
On 11/14/19, 1:57 PM, "users on behalf of Christopher Bland" <[hidden email] on behalf of [hidden email]> wrote:

>  Since the value is supposed to be a DN, I am wondering what other admins have done?

I believe that breaks with UnboundID as the LDAP provider, it only works with JNDI. That's a vague recollection.

> Also can my AD DataConnector in my attribute-resolver.xml file resolve attributes based on the user that it has
> authenticated?

No.

-- Scott



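One way to lay out the split this exchange describes (adAuthenticator binding directly as the user for authentication, and a separate service-account bind for the attribute resolver, since the resolver does not reuse the authenticated user), shown as an added ldap.properties example that is not from the original posts. The hostnames, DNs, file path and credential value are placeholders, and it assumes the stock LDAP DataConnector in attribute-resolver.xml reads the idp.attribute.resolver.LDAP.* keys, as the default IdP v3 configuration does.

```properties
## Authentication (conf/ldap.properties)
# adAuthenticator binds to AD directly as the user in user@domain form, so
# authentication itself needs no search bind and no service-account password.
idp.authn.LDAP.authenticator                   = adAuthenticator
idp.authn.LDAP.ldapURL                         = ldaps://ad.example.org:636
idp.authn.LDAP.useStartTLS                     = false
idp.authn.LDAP.useSSL                          = true
# Placeholder path: CA certificate that issued the domain controllers' certificates.
idp.authn.LDAP.trustCertificates               = %{idp.home}/credentials/ad-ca.pem
# %s is replaced by the username entered at the login form.
idp.authn.LDAP.dnFormat                        = %s@ad.example.org
idp.authn.LDAP.returnAttributes                = sAMAccountName,userPrincipalName

## Attribute resolution (same file)
# The stock LDAP DataConnector opens its own connection with a service account;
# it does not reuse the user's authenticated bind, so a bind DN and credential
# are still required here. Use a read-only, least-privilege account, and give
# it as a real DN so the setting does not depend on the LDAP provider in use.
idp.attribute.resolver.LDAP.ldapURL            = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.useStartTLS        = %{idp.authn.LDAP.useStartTLS}
idp.attribute.resolver.LDAP.trustCertificates  = %{idp.authn.LDAP.trustCertificates}
idp.attribute.resolver.LDAP.baseDN             = DC=ad,DC=example,DC=org
idp.attribute.resolver.LDAP.bindDN             = CN=svc-idp,OU=Service Accounts,DC=ad,DC=example,DC=org
# Placeholder; keep the real value out of version control.
idp.attribute.resolver.LDAP.bindDNCredential   = CHANGEME
# Searching on the UPN (assumed here to share the AD DNS suffix) keeps the
# lookup working when a user's OU changes.
idp.attribute.resolver.LDAP.searchFilter       = (userPrincipalName=$resolutionContext.principal@ad.example.org)
idp.attribute.resolver.LDAP.returnAttributes   = sAMAccountName,mail,displayName,memberOf
```

The JAAS route (conf/authn/jaas.config) configures the authentication side in its own file instead of the idp.authn.LDAP.* keys; the resolver settings above apply either way.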
Re: AD Bind Credentials

Peter Schober
In reply to this post by Christopher Bland
* Christopher Bland <[hidden email]> [2019-11-14 19:57]:
> My AD guys are restructuring OUs and user placement which is going
> to affect my AD service account.  At present I am running IDP v3.4.4
> using a JAAS config

Any specific reason to be using JAAS?

-peter
Re: AD Bind Credentials

Cantor, Scott E.
On 11/14/19, 3:13 PM, "users on behalf of Peter Schober" <[hidden email] on behalf of [hidden email]> wrote:

> Any specific reason to be using JAAS?

I would encourage it, generally. It's much more insulated from the low level LDAP configuration settings, which is going to be the biggest challenge for people upgrading in the future.

-- Scott

