Hi

We were part of the NTU pilot project following the instructions you
have found.

We use Active Directory for the authentication, but have created a
database separately for releasing the attributes. There were a variety
of reasons for that decision. One of which is that I just gave up in the end
trying to get the attributes out of it in a format usable for shib. I
think there are scripts you can use to change the output names or
something on the fly, but I was beginning to lose my way with it by that
point and just went for sticking an SQL database on instead.

Heather Peake
VLE Development Co-ordinator
Tel  01623 627191 ext 2292 

-----Original Message-----
From: Discussion list for Shibboleth developments
[mailto:[log in to unmask]] On Behalf Of Ian Fogarty
Sent: 09 October 2008 15:42
To: [log in to unmask]
Subject: Shibboleth and AD - Help!!

I have been looking through the archives and I can see that AD issues
have been posted a few times before but I am about to fling our Shib
server out of the rack - the AD link up is driving me crazy.

I have followed Nottingham Trent's instructions on getting Shib
installed on 2003 (they are extremely good if NTU people read this) and
using CAS to do the SSO. We are in the Federation and for basic sites
everything works fine. I am now trying to link into our AD to provide
some of the more specific bits of data - e.g. mail, cn, given name, sn,
etc etc for the EDINA-type sites. I have got a MySQL link working and if
all else fails, I will create a DB and use that for the lookups but I
would really like to use AD directly from shib.

This is the JNDI extract of my config....

<JNDIDirectoryDataConnector id="activeDirectory">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
    <Property name="java.naming.provider.url" value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
    <Property name="java.naming.security.principal" value="[log in to unmask]" />
    <Property name="java.naming.security.credentials" value="PASSWORD" />
</JNDIDirectoryDataConnector>

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
    <DataConnectorDependency requires="activeDirectory"/>
</SimpleAttributeDefinition>

Usernames/Passwords/Servers have been hidden but I am certain they work.
I have used LDAPBrowser to connect to AD using the same credentials and
that works. Also the CAS part works fine and that uses the same bind
user and password.

I have listed in arp.site.xml to release the following attributes (this
is only until I get it working - I will do SP specific release
statements eventually)

<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
    <AnyValue release="permit"/>
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:givenName">
    <AnyValue release="permit"/>
</Attribute>

...and the output I get from resolvertest.bat for my username is....

0 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository  - Initializing File System Arp Repository with a root of (file:/c:/shibboleth-idp/etc/arps/).

1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.provider.JNDIDirectoryDataConnector  - An error occurred while retieving data for principal (ian fogarty) :Unprocessed Continuation Reference(s)

1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver  - Problem encountered while resolving attribute: (urn:mace:dir:attribute-def:givenName): edu.internet2.middleware.shibboleth.aa.attrresolv.ResolutionPlugInException: Error retrieving data for principal.

1421 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.ArpEngine  - Applying Attribute Release Policies.

Received the following from the Attribute Resolver:

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="wmc.ac.uk">kc9NtorOicJU8wcXCiqG3BF/9Fo=</AttributeValue>
</Attribute>

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue Scope="wmc.ac.uk">member</AttributeValue>
</Attribute>

<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri">
    <AttributeValue>member</AttributeValue>
</Attribute>

I am presuming that the JNDI is working as (1) CAS is working and (2) I
changed the IP of the lookup and ran a packet trace and I could see the
requests trying to connect to the alternative DC. I am using IP
addresses and not names as the server is in our DMZ and only LDAP ports
are open going back into our internal network.

I was wondering if anyone has seen this sort of error before and if it
is a quick fix to resolve?

Many thanks

Ian

Ian Fogarty
Senior IT Technician, IT Networks
Wirral Metropolitan College,
Carlett Park Campus, NW110
Eastham
Wirral
CH62 0AY
t: +44 (0) 151 551 7764 e: [log in to unmask] <mailto:[log in to unmask]>  w: www.wmc.ac.uk <http://www.wmc.ac.uk>

-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-

Awarded Outstanding (Grade 1) in all categories by OFSTED July 2008.

"Excellent employer engagement... Imaginative and highly effective approach to social inclusion... Excellent communication, high staff morale and visionary leadership".

This email and any files transmitted with it are confidential and intended solely for the individual or entity to whom they are addressed.

If you have received this email in error please notify the originator of the message.

Any views expressed in this message are those of the individual sender, except where the sender specifies and with authority, states them to be the views of 
West Nottinghamshire College.

This message has been scanned for viruses and malware by McAfee and checked for any inappropriateness by SurfControl Email Filter, which also added this footer.

West Nottinghamshire College, Derby Road, Mansfield, Nottinghamshire, NG18 5BH.
Tel: 01623 627191   URL: http://www.wnc.ac.uk   VAT No: 593 475 93
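Editor's note, added to this archived thread and not part of either message: the "Unprocessed Continuation Reference(s)" in the resolvertest output is the JNDI LDAP provider's PartialResultException. When the search base is the domain root (dc=DNS,dc=DOMAIN) at SUBTREE scope, Active Directory returns search-result references (referrals) to its other naming contexts alongside the matching entry, and with java.naming.referral left at its default the provider raises that exception rather than discarding them. The connector below is a hypothetical rewrite of the posted JNDIDirectoryDataConnector, written here as an illustration and not taken from the original message or from the Shibboleth project, showing the two usual ways round it: telling JNDI to follow the referrals, or querying the Global Catalog port, where AD does not emit them. The host address, base DN, service account name and password placeholder are all assumptions.

```xml
<!-- Hypothetical rewrite of the posted connector (added example, not from the thread).
     The host address, base DN, service account and password placeholder are assumptions. -->
<JNDIDirectoryDataConnector id="activeDirectory">
    <Search filter="cn=%PRINCIPAL%">
        <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
    </Search>
    <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />

    <!-- Option A: keep the domain root as the search base and have JNDI follow the
         continuation references AD returns for its other naming contexts. The IdP
         then opens connections to whichever hosts the referrals name, so each of
         those hosts and its LDAP port must be reachable from the DMZ. -->
    <Property name="java.naming.provider.url" value="ldaps://172.X.X.X:636/dc=DNS,dc=DOMAIN" />
    <Property name="java.naming.referral" value="follow" />

    <!-- Option B (use instead of A): query the Global Catalog (3268 plain, 3269 over
         LDAPS). AD does not return naming-context referrals from the GC, so the
         default referral setting is fine and only one port needs opening. The GC
         carries a partial attribute set: givenName, sn, mail and cn are in it by
         default; any further attribute must be checked for GC replication. -->
    <!--
    <Property name="java.naming.provider.url" value="ldaps://172.X.X.X:3269/dc=DNS,dc=DOMAIN" />
    -->

    <!-- Bind with a dedicated read-only service account and use ldaps:// so the bind
         password does not cross the DMZ boundary in clear text. -->
    <Property name="java.naming.security.principal" value="svc-shib@DNS.DOMAIN" />
    <Property name="java.naming.security.credentials" value="REPLACE_WITH_BIND_PASSWORD" />
</JNDIDirectoryDataConnector>
```

Option A is the smaller change but harder to reason about behind a narrow firewall rule, since the follow-up connections go wherever AD points; Option B, or narrowing the base DN to the OU that actually holds the user accounts, keeps the IdP talking to a single address. With either, rerun resolvertest.bat and check that the ERROR line from JNDIDirectoryDataConnector is gone and givenName now appears in the resolver output. For ldaps:// the JVM truststore needs the CA that issued the domain controller's certificate, and the certificate must match the address in the URL (an IP address requires an IP subjectAltName), otherwise the bind fails before any search runs.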