Unless you are using the GC port for your queries (3268 or 3269) OR you set
the basename for searches to an OU rather than the domain level, you will
always get referrals from AD. Using the GC is the simple way to avoid
referrals, but not all attributes are copied to the GC database (you can use
ADSIEDIT to find out). Using a non-top-level basename is the better way, but
unless all your users are under at least one level of OU, you can't do it.

> -----Original Message-----
> From: Discussion list for Shibboleth developments 
> [mailto:[log in to unmask]] On Behalf Of Colin Farrow
> Sent: 09 October 2008 16:41
> To: [log in to unmask]
> Subject: Re: [JISC-SHIBBOLETH] Shibboleth and AD - Help!!
> 
> Have you tried googling for the error "Unprocessed Continuation
> Reference" ?
> 
> 
> 
> On  9 Oct, Ian Fogarty wrote:
> > I have been looking through the archives and I can see that AD issues
> > have been posted a few times before but I am about to fling our Shib
> > server out of the rack - the AD link up is driving me crazy.
> >
> > I have followed Nottingham Trent's instructions on getting Shib
> > installed on 2003 (they are extremely good if NTU people read this) and
> > using CAS to do the SSO. We are in the Federation and for basic sites
> > everything works fine. I am now trying to link into our AD to provide
> > some of the more specific bits of data - e.g. mail, cn, given name, sn,
> > etc etc for the EDINA-type sites. I have got a MySQL link working and if
> > all else fails, I will create a DB and use that for the lookups but I
> > would really like to use AD directly from shib.
> >
> > This is the JNDI extract of my config....
> >
> >   <JNDIDirectoryDataConnector id="activeDirectory">
> >     <Search filter="cn=%PRINCIPAL%">
> >       <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
> >     </Search>
> >     <Property name="java.naming.factory.initial"
> >               value="com.sun.jndi.ldap.LdapCtxFactory" />
> >     <Property name="java.naming.provider.url"
> >               value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
> >     <Property name="java.naming.security.principal" value="[log in to unmask]" />
> >     <Property name="java.naming.security.credentials" value="PASSWORD" />
> >   </JNDIDirectoryDataConnector>
> >
> >   <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
> >     <DataConnectorDependency requires="activeDirectory"/>
> >   </SimpleAttributeDefinition>
> >
> > Usernames/Passwords/Servers have been hidden but I am certain they work.
> > I have used LDAPBrowser to connect to AD using the same credentials and
> > that works. Also the CAS part works fine and that uses the same bind
> > user and password.
> >
> > I have listed in arp.site.xml to release the following attributes (this
> > is only until I get it working - I will do SP specific release
> > statements eventually)
> >
> >   <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
> >     <AnyValue release="permit"/>
> >   </Attribute>
> >   <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
> >     <AnyValue release="permit"/>
> >   </Attribute>
> >   <Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
> >     <AnyValue release="permit"/>
> >   </Attribute>
> >   <Attribute name="urn:mace:dir:attribute-def:givenName">
> >     <AnyValue release="permit"/>
> >   </Attribute>
> >
> > ...and the output I get from resolvertest.bat for my username is....
> >
> > 0 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository  - Initializing File System Arp Repository with a root of (file:/c:/shibboleth-idp/etc/arps/).
> >
> > 1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.provider.JNDIDirectoryDataConnector  - An error occurred while retieving data for principal (ian fogarty) :Unprocessed Continuation Reference(s)
> >
> > 1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver  - Problem encountered while resolving attribute: (urn:mace:dir:attribute-def:givenName): edu.internet2.middleware.shibboleth.aa.attrresolv.ResolutionPlugInException: Error retrieving data for principal.
> >
> > 1421 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.ArpEngine  - Applying Attribute Release Policies.
> >
> > Received the following from the Attribute Resolver:
> >
> > <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> >   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >   AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
> >   AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">kc9NtorOicJU8wcXCiqG3BF/9Fo=</AttributeValue></Attribute>
> >
> > <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> >   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >   AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
> >   AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">member</AttributeValue></Attribute>
> >
> > <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> >   xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> >   xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> >   AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
> >   AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>member</AttributeValue></Attribute>
> >
> > I am presuming that the JNDI is working as 1: CAS is working and 2: I
> > changed the IP of the lookup and ran a packet trace and I could see the
> > requests trying to connect to the alternative DC. I am using IP
> > addresses and not names as the server is in our DMZ and only LDAP ports
> > are open going back into our internal network.
> >
> > I was wondering if anyone has seen this sort of error before and if it
> > is a quick fix to resolve?
> >
> > Many thanks
> >
> > Ian
> >
> > Ian Fogarty
> > Senior IT Technician, IT Networks
> > Wirral Metropolitan College,
> > Carlett Park Campus, NW110
> > Eastham
> > Wirral
> > CH62 0AY
> > t: +44 (0) 151 551 7764 e: [log in to unmask] <mailto:[log in to unmask]>  w: www.wmc.ac.uk <http://www.wmc.ac.uk>
> >
> 
> -- 
> Colin Farrow
> Computing Service, University of Glasgow, Glasgow G12 8QQ
> Tel: 0141 330 4862, Email: [log in to unmask]
> ---
>
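A check that applies the rule from the top reply to the connector's java.naming.provider.url before the IdP is touched, as an added example that is not part of this thread: a GC port (3268/3269) or a search base under an OU avoids AD referrals, while a plain LDAP port with a domain-root base (DC= components only) draws them, and the helper also rewrites a URL onto the GC port. The function names split_rdns, classify and to_gc_url are my own; the 172.X.X.X URL is the redacted one from the original post and the other inputs are constructed.

```python
# Added example: classify a JNDIDirectoryDataConnector provider URL by the
# referral rule from the reply (GC port or OU-level base avoids referrals).
from urllib.parse import urlsplit, urlunsplit, unquote

GC_PORTS = {3268, 3269}                      # Global Catalog, plain and TLS
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # domain-controller LDAP ports


def split_rdns(dn):
    """Split an RFC 4514 DN on unescaped commas into (attr, value) pairs."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for rdn in parts:
        if rdn.strip():
            attr, _, value = rdn.strip().partition("=")
            pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def classify(url):
    """Return 'gc', 'ou-base' or 'domain-root' for a java.naming.provider.url."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS[u.scheme]
    base = split_rdns(unquote(u.path.lstrip("/")))
    if port in GC_PORTS:
        return "gc"            # no referrals, but only GC-replicated attributes
    if any(attr == "ou" for attr, _ in base):
        return "ou-base"       # search stays inside one naming context
    return "domain-root"       # expect referrals from AD on 389/636


def to_gc_url(url):
    """Move the URL onto the GC port for its scheme (389 -> 3268, 636 -> 3269)."""
    u = urlsplit(url)
    host = u.netloc.rsplit(":", 1)[0] if u.port else u.netloc
    port = 3269 if u.scheme == "ldaps" else 3268
    return urlunsplit((u.scheme, f"{host}:{port}", u.path, u.query, u.fragment))
```

The "gc" result still carries the caveat from the reply: only attributes replicated to the Global Catalog are returned on those ports, so check the partial attribute set before relying on it.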