authentication with ldap Active Directory

authentication with ldap Active Directory

paul
Hi all
I'm sorry, my English is not perfect, but I've got a problem.

I've installed Shibboleth 2.3.8 on Ubuntu Server and I'm trying to connect to my LDAP for user authentication. My LDAP is Windows Active Directory (R2).

This is my login.config:
ShibUserPassAuth {
edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap://ldap.myDomain.eu"
        port="389"
        base="dc=my,dc=Domain,dc=eu"
        ssl="false"
        tls="false"
   /*   serviceUser="cn=idp,cn=Users,dc=my,dc=Domain,dc=eu"   */
        serviceUser="idp@myDomain.eu"
        serviceCredential="myCredential"
        subtreeSearch="true"
   /*   userField="sAMAccountName"   (I tried this value too)   */
        userField="userPrincipalName"
        referral="follow"
        userRoleAttribute="userPrincipalName";
};

I tried both forms for 'serviceUser' (cn=...,dc=... and idp@mydomain), and for 'userField' I tried the value 'sAMAccountName' too.
-> See this topic: http://marc.info/?l=shibboleth-users&m=135308654821414&w=2

This is my attribute-resolver.xml:
 <resolver:DataConnector id="CRA-LDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://ldap.myDomain.eu:389/"
        baseDN="dc=my,dc=Domain,dc=eu"
        principal="idp@myDomain.eu"
        principalCredential="myCredential"
        searchScope="SUBTREE">
        <dc:FilterTemplate>
            <![CDATA[
                (&(userPrincipalName=$requestContext.principalName)(objectclass=person))
            ]]>
        </dc:FilterTemplate>
 </resolver:DataConnector>
I tried with <![CDATA[ userPrincipalName=$requestContext.principalName ]]> too.

I reach the login page, but the user cannot be identified.

These are the errors in my logs:
13:30:28.814 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN using userField
13:30:28.814 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
13:30:28.814 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = dc=my,dc=Domain,dc=eu
13:30:28.815 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = (userPrincipalName={0})
13:30:28.815 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [john@myDomain.eu]
13:30:28.815 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls@1ec59df
13:30:28.816 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@6d98]
13:30:28.816 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
13:30:28.816 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   authtype = simple
13:30:28.816 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] -   dn = null  /* WHY? */
13:30:28.817 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] -   credential = <suppressed>
13:30:28.832 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:164] - Error occured attempting authentication
javax.naming.PartialResultException: null
      
...

Caused by: javax.naming.CommunicationException: myDomain.eu:389
/* why is it trying to resolve myDomain.eu:389? */
  
...

Caused by: java.net.UnknownHostException: myDomain.eu.be
 ...
13:30:28.901 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:194] - User authentication for john@myDomain.eu failed
javax.security.auth.login.LoginException: null
13:30:28.904 - DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:150] - Redirecting to login page /login.jsp



I hope my problem is clear,
Thank you for your help

Re: authentication with ldap Active Directory

paul
Hi,
I forgot to give the result of the 'ldapsearch' command:

ldapsearch -x -L -b "dc=my,dc=Domain,dc=eu" -H "ldap://ldap.myDomain.eu:389" -D "idp@myDomain.eu" -W "userPrincipalName=john@myDomain.eu"

I can see all the information about my user with this command.

I don't understand...

Re: authentication with ldap Active Directory

paul
Hi,

Since I added the line:
<LDAPProperty name="java.naming.referral" value="follow"/>

the error is now as follows:
14:52:02.797 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal john
14:52:02.798 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal john were not requested, resolving all attributes.
14:52:02.798 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute uid for principal john
14:52:02.799 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector CRA-LDAP for principal john
14:52:02.812 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(sAMAccountName=john)(objectclass=person));
14:52:02.812 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector CRA-LDAP - Retrieving attributes from LDAP
14:52:02.812 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - Bind with the following parameters:
14:52:02.812 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   authtype = simple
14:52:02.813 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:76] -   dn = idp@mydomain.eu
14:52:02.813 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:83] -   credential = <suppressed>
14:52:02.821 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
14:52:02.821 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = dc=my,dc=funny,dc=domain,dc=eu
14:52:02.821 - DEBUG [edu.vt.middleware.ldap.Ldap:195] -   filter = (&(sAMAccountName=john)(objectclass=person));
14:52:02.821 - DEBUG [edu.vt.middleware.ldap.Ldap:196] -   filterArgs = []
14:52:02.822 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -   searchControls = javax.naming.directory.SearchControls@c44aaf
14:52:02.822 - DEBUG [edu.vt.middleware.ldap.Ldap:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1035ff9, edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@91e143, edu.vt.middleware.ldap.handler.BinarySearchResultHandler@15c0c91]
14:52:02.848 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:370] - LDAP data connector CRA-LDAP - An error occured when attempting to search the LDAP: {java.naming.provider.url=ldap://ldap.mydomain.eu:389/, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow}
javax.naming.PartialResultException: null

...

Caused by: javax.naming.CommunicationException: mydomain.eu:389

...

Caused by: java.net.UnknownHostException: mydomain.eu


Does someone have an idea?
Please help me.
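The two stack traces above (PartialResultException in the first post, then UnknownHostException for mydomain.eu once referral=follow was added) are the pattern Active Directory produces when a subtree search is rooted at the domain naming context: at the end of the result set the DC sends search-result references for the partitions it hosts below that root (DomainDnsZones, ForestDnsZones, Configuration). A JNDI client with the default referral setting raises PartialResultException; with java.naming.referral=follow it opens a new connection to the host named in each referral URL, which is usually the bare domain name and must resolve in DNS from the IdP host. OpenLDAP's ldapsearch prints these references as "ref:" lines, so the same ldapsearch run from the second post shows them. The script below is an added example, not code from the thread or from Shibboleth or vt-ldap: it parses those "ref:" lines, reports which referral hosts a given resolver cannot look up, and checks which referrals fall inside a candidate search base. SAMPLE_LDIF is a constructed sample using the placeholder names from the thread; the function names and the hostname table in the test are mine.

```python
import socket
from urllib.parse import urlsplit, unquote

# Constructed sample, shaped like the tail of an AD subtree search from
# `ldapsearch -x -b "dc=my,dc=Domain,dc=eu" ...`. Hostnames and DNs are the
# thread's placeholders, not real infrastructure.
SAMPLE_LDIF = """\
dn: CN=john,CN=Users,DC=my,DC=Domain,DC=eu
objectClass: person
userPrincipalName: john@myDomain.eu
sAMAccountName: john

# search reference
ref: ldap://ForestDnsZones.myDomain.eu/DC=ForestDnsZones,DC=my,DC=Domain,DC=eu

# search reference
ref: ldap://DomainDnsZones.myDomain.eu/DC=DomainDnsZones,DC=my,DC=Domain,DC=eu

# search reference
ref: ldap://myDomain.eu/CN=Configuration,DC=my,DC=Domain,DC=eu
"""


def parse_referrals(ldif):
    """Return one (host, port, dn) tuple per 'ref:' line in ldapsearch LDIF output.

    LDIF folds long values onto a following line that starts with one space;
    those continuation lines are joined back first. Base64 'ref::' values are
    not handled here.
    """
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    refs = []
    for line in lines:
        if not line.startswith("ref:"):
            continue
        url = line.split(":", 1)[1].strip()
        u = urlsplit(url)                      # hostname comes back lower-cased
        port = u.port or (636 if u.scheme == "ldaps" else 389)
        refs.append((u.hostname, port, unquote(u.path.lstrip("/"))))
    return refs


def _norm(dn):
    """Case-fold a DN and strip whitespace around RDNs for comparison."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def referrals_under(base_dn, referrals):
    """Referrals whose naming context sits at or below base_dn.

    AD only sends a reference for a partition head that lies inside the
    searched subtree, so a base below the domain root (e.g. the container or
    OU holding the user accounts) receives none of these.
    """
    base = _norm(base_dn)
    return [r for r in referrals
            if _norm(r[2]) == base or _norm(r[2]).endswith("," + base)]


def unresolvable_hosts(referrals, resolve):
    """Referral hosts that resolve(host) -> bool cannot look up.

    With java.naming.referral=follow, JNDI connects to each of these hosts;
    an unresolvable one surfaces as the UnknownHostException in the thread.
    """
    return sorted({r[0] for r in referrals if not resolve(r[0])})


def dns_resolves(host):
    """Real resolver for running on the IdP box; the offline test uses a table."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


if __name__ == "__main__":
    refs = parse_referrals(SAMPLE_LDIF)
    for host, port, dn in refs:
        print(f"referral -> {host}:{port} for {dn}")
    print("referrals inside dc=my,dc=Domain,dc=eu:",
          len(referrals_under("dc=my,dc=Domain,dc=eu", refs)))
    print("referrals inside cn=Users,dc=my,dc=Domain,dc=eu:",
          len(referrals_under("cn=Users,dc=my,dc=Domain,dc=eu", refs)))
    print("referral hosts this machine cannot resolve:",
          unresolvable_hosts(refs, dns_resolves))
```

To use it against a live directory, pipe the output of the ldapsearch command from the second post into parse_referrals and run unresolvable_hosts with dns_resolves from the IdP host. If the bare domain name does not resolve there, the options that avoid chasing the references are a search base below the domain root that still contains the accounts, or the Global Catalog port (3268), which does not return these partition referrals; a referral setting of ignore also stops the client from connecting to them.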