Handling account state with OpenLDAP/AD for Shibboleth IdP v4.x


Handling account state with OpenLDAP/AD for Shibboleth IdP v4.x

Marco Malavolti
Hi to all,

could someone help me to understand how to configure
"ldap-authn-config.xml" of my new Shibboleth IdP v4.0.1 to handle the
OpenLDAP Account State/Password Policy for the
bindAndSearchAuthenticator and adAuthenticator?

I have seen the property "idp.authn.LDAP.usePasswordPolicy" on
https://wiki.shibboleth.net/confluence/display/IDP4/LDAPAuthnConfiguration#LDAPAuthnConfiguration-Reference
and I have read that "The ldap-authn-config.xml file has changed
dramatically since V3 and is now very short, relying primarily on a
special bean with a hidden parent definition taking a large set of
properties that will generally auto-configure the proper objects."

If the "special bean" is the "shibboleth.LDAPAuthenticationFactory", is
it enough to set it to "true" to enable the password policy overlay
(ppolicy) for my LDAP, or do I need to make other changes?

I also attach the previous "ldap-authn-config-v3.xml" of my IdP v3.4.8
and the new "ldap-authn-config-v4.xml" provided by the Shibboleth IdP
v4.0.1.

Thank you so much for all your help!

--
Marco Malavolti
Consortium GARR - Servizio IDEM GARR AAI
Via dei Tizii, 6 - I-00185 (ROMA)
CF: 97284570583 - PI:07577141000
Mobile: +39 331 608 3639
Skype: marco.mala
PGP KEY: https://keys.openpgp.org/search?q=marco.malavolti@...


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Attachments: ldap-authn-config-v3.xml (9K), ldap-authn-config-v4.xml (1K), smime.p7s (5K)

Re: Handling account state with OpenLDAP/AD for Shibboleth IdP v4.x

Cantor, Scott E.
A person on Slack indicated the V3 wiring isn't working for this for reasons unknown at this point, but the V4 property and configuration files do.

In either case, please do not use this for expiring password notification, that's just a bad idea. Use the expiring password flow, it's orders of magnitude simpler and more reliable to maintain. If you need it for some other function, that's about the only justification for using it.

-- Scott
