Andy,
Sorry for coming in so late onto this one... My first thought (and I was not alone) was that this might have been a nice site for the quick installer...
As to your questions, well I see that they are answered. FWIW I have always used JAAS to do the login bit. I originally used Kerberos, but I have in some cases had to use LDAP, so that we could login against forests of AD domains (which seems quite common in FE). For Kerberos I used the JAAS provider which comes with the quick installer and for LDAP the Virginia Tech one. This comes with Shib 2 so you can use the documentation for that as well.
If you have had to use the GC (3268) this argues that you have a forest of domains. There are a few other things you need to be careful of - mostly in the area of dealing with referrals (see below). I also ran into a case where the GC was only one of the domain servers (I believe that you have to have only one) but the DNS name I used would round robin to several servers - this means that LDAP lookup failed one time in two.
> I googled [...]
Always start by specifying "site:spaces.internet2.edu" !!!! I got this first up:
https://spaces.internet2.edu/display/SHIB/JNDIDataConnector
Which pretty well matches what you said - with the extra detail of the java.naming.referral property = "ignore".
Rod
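The intermittent failure described above (a round-robin DNS name where only one of the hosts behind it is actually a Global Catalog) can be checked before an IdP is pointed at the name. The script below is an added diagnostic, not code from the thread or from the Shibboleth project; the hostname is a placeholder, and the probe function is injectable so the logic can be exercised without a network.

```python
"""Check every address behind a round-robin DNS name for a listener on the
Global Catalog port (3268), so an LDAP lookup that fails "one time in two"
can be traced to a host that is not a GC."""
import socket
from typing import Callable, Dict, List

GC_PORT = 3268  # Global Catalog LDAP port, as discussed in the thread


def resolve_all(hostname: str) -> List[str]:
    """Return every address a (possibly round-robin) DNS name resolves to."""
    infos = socket.getaddrinfo(hostname, GC_PORT, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tcp_probe(addr: str, port: int, timeout: float = 3.0) -> bool:
    """True if addr accepts a TCP connection on port. Reachability only:
    no LDAP bind is attempted, so no credentials are needed."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_gc_listeners(addrs: List[str], port: int = GC_PORT,
                       probe: Callable[[str, int], bool] = tcp_probe) -> Dict[str, bool]:
    """Map each address to whether it answers on the GC port.
    `probe` is injectable so the logic can be tested offline."""
    return {addr: probe(addr, port) for addr in addrs}


def expected_failure_ratio(results: Dict[str, bool]) -> float:
    """Fraction of lookups that will fail if clients pick addresses uniformly
    at random, which is what round-robin DNS approximates."""
    if not results:
        return 1.0
    return sum(1 for ok in results.values() if not ok) / len(results)


if __name__ == "__main__":
    # Placeholder name; replace with the GC DNS name used in the IdP config.
    name = "gc.example.org"
    results = check_gc_listeners(resolve_all(name))
    for addr, ok in results.items():
        print(f"{addr}: {'GC port open' if ok else 'NOT listening on 3268'}")
    print(f"expected LDAP lookup failure rate: {expected_failure_ratio(results):.0%}")
```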