Hi,

We were part of the NTU pilot project following the instructions you have found. We use Active Directory for the authentication, but have created a database separately for releasing the attributes. There were a variety of reasons for that decision. One of which is I just gave up in the end trying to get the attributes out of it in a format usable for Shib. I think there are scripts you can use to change the output names or something on the fly, but I was beginning to lose my way with it by that point and just went for stick an SQL database on instead.

Heather Peake
VLE Development Co-ordinator
Tel 01623 627191 ext 2292

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Ian Fogarty
Sent: 09 October 2008 15:42
To: [log in to unmask]
Subject: Shibboleth and AD - Help!!

I have been looking through the archives and I can see that AD issues have been posted a few times before, but I am about to fling our Shib server out of the rack - the AD link-up is driving me crazy.

I have followed Nottingham Trent's instructions on getting Shib installed on 2003 (they are extremely good, if NTU people read this) and using CAS to do the SSO. We are in the Federation and for basic sites everything works fine. I am now trying to link into our AD to provide some of the more specific bits of data - e.g. mail, cn, givenName, sn, etc. for the EDINA-type sites. I have got a MySQL link working and if all else fails I will create a DB and use that for the lookups, but I would really like to use AD directly from Shib. This is the JNDI extract of my config....
<JNDIDirectoryDataConnector id="activeDirectory">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
    <Property name="java.naming.security.principal" value="[log in to unmask]" />
    <Property name="java.naming.security.credentials" value="PASSWORD" />
</JNDIDirectoryDataConnector>

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
    <DataConnectorDependency requires="activeDirectory"/>
</SimpleAttributeDefinition>

Usernames/passwords/servers have been hidden, but I am certain they work. I have used LDAPBrowser to connect to AD using the same credentials and that works. Also the CAS part works fine and that uses the same bind user and password.

I have listed in arp.site.xml to release the following attributes (this is only until I get it working - I will do SP-specific release statements eventually):

<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:givenName">
    <AnyValue release="permit"/>
</Attribute>

...and the output I get from resolvertest.bat for my username is....

0 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository - Initializing File System Arp Repository with a root of (file:/c:/shibboleth-idp/etc/arps/).
1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.provider.JNDIDirectoryDataConnector - An error occurred while retieving data for principal (ian fogarty) :Unprocessed Continuation Reference(s)
1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver - Problem encountered while resolving attribute: (urn:mace:dir:attribute-def:givenName): edu.internet2.middleware.shibboleth.aa.attrresolv.ResolutionPlugInException: Error retrieving data for principal.
1421 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.ArpEngine - Applying Attribute Release Policies. Received the following from the Attribute Resolver:
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">kc9NtorOicJU8wcXCiqG3BF/9Fo=</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">member</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation" AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>member</AttributeValue></Attribute>

I am presuming that the JNDI is working as 1: CAS is working and 2: I changed the IP of the lookup and ran a packet trace and I could see the requests trying to connect to the alternative DC.
I am using IP addresses and not names as the server is in our DMZ and only LDAP ports are open going back into our internal network.

I was wondering if anyone has seen this sort of error before and if it is a quick fix to resolve?

Many thanks
Ian

Ian Fogarty
Senior IT Technician, IT Networks
Wirral Metropolitan College, Carlett Park Campus, NW110 Eastham Wirral CH62 0AY
t: +44 (0) 151 551 7764
e: [log in to unmask]
w: www.wmc.ac.uk
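"Unprocessed Continuation Reference(s)" is the message JNDI attaches to a PartialResultException, which it raises when the directory returns search continuation references (referrals) in the result set and the client has not been told how to process them. Active Directory returns such references for any subtree search that starts at the domain root over port 389, because the root also covers subordinate naming contexts (the DomainDnsZones and ForestDnsZones application partitions, and any child domains) that it will not search for you. The fragment below is an added example based on the connector quoted in the message, not a configuration from the thread or from the NTU instructions. It assumes, as the Shibboleth 1.x JNDIDirectoryDataConnector does, that each <Property> is passed straight into the JNDI environment; `java.naming.referral` is the standard JNDI Context.REFERRAL key. The host, the OU name, the bind DN and the password are placeholders.

```xml
<!-- Added example (not from the thread): JNDI data connector adjusted for Active Directory.
     Placeholders: 172.X.X.X, ou=Staff,dc=DNS,dc=DOMAIN, BIND-DN-PLACEHOLDER, PASSWORD-PLACEHOLDER. -->
<JNDIDirectoryDataConnector id="activeDirectory">
    <!-- cn=%PRINCIPAL% is kept from the original; if CAS hands Shib the Windows login
         name rather than the display name, sAMAccountName=%PRINCIPAL% is the usual filter. -->
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />

    <!-- 1. Search from the container that actually holds user accounts, not the domain
            root. The application partitions and child-domain naming contexts hang
            directly off the root, so a subtree search below an OU never produces the
            continuation references that trigger PartialResultException. -->
    <Property name="java.naming.provider.url" value="ldap://172.X.X.X/ou=Staff,dc=DNS,dc=DOMAIN" />

    <!-- 2. Alternative if the search base must stay at the root: tell JNDI to chase the
            referrals. Each referral is a DNS name of another DC or partition host, so
            this only works if the DMZ box can resolve those names and reach them on the
            LDAP port; with the IP-only, restricted-port setup described in the message it
            would most likely fail with a CommunicationException instead.
    <Property name="java.naming.referral" value="follow" />
    -->

    <!-- 3. Another alternative: query the Global Catalog on port 3268. A GC search from
            the root returns no continuation references for in-forest objects, and
            givenName, sn, mail and cn are all in the default GC partial attribute set.
            It needs that port opened from the DMZ.
    <Property name="java.naming.provider.url" value="ldap://172.X.X.X:3268/dc=DNS,dc=DOMAIN" />
    -->

    <Property name="java.naming.security.authentication" value="simple" />
    <Property name="java.naming.security.principal" value="BIND-DN-PLACEHOLDER" />
    <Property name="java.naming.security.credentials" value="PASSWORD-PLACEHOLDER" />
</JNDIDirectoryDataConnector>

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
    <DataConnectorDependency requires="activeDirectory"/>
</SimpleAttributeDefinition>
```

The narrowed search base (option 1) is the one that needs no extra network access, and it can be checked with the same LDAPBrowser session by repeating the cn search with the OU as the base and confirming the entry still comes back. One caveat that applies to all three variants: with a simple bind over plain ldap:// the bind DN and password cross the DMZ-to-internal link in clear text on every lookup, so if a port can be opened for it, ldaps://172.X.X.X:636/ (or 3269 for the GC) is the safer carrier for that service account.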