In that case change your web.xml to "person": "account" doesn't exist on the user object, therefore the user is not in the correct role, hence the 403.

All users in AD will have "person" in the objectclass attribute so all users in your AD will have access. :)

Matt
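To make the failure mode concrete, here is an added example (not code from the thread or from Tomcat) that replays the authorisation decision offline: it reads the roles an auth-constraint demands from a web.xml fragment and compares them with the user's objectClass values from an ldp.exe-style dump, assuming, as the thread implies, that the realm maps roles from the objectClass attribute. Both the web.xml fragment and the ldp.exe dump are constructed to mirror what Paul pasted.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the thread's configuration.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>SSO servlet</web-resource-name>
      <url-pattern>/SSO</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>account</role-name></auth-constraint>
  </security-constraint>
  <security-role><role-name>account</role-name></security-role>
</web-app>"""

# Constructed ldp.exe-style dump of the user, as pasted in the thread.
LDP_DUMP = """>> Dn: CN=shib,CN=Users,DC=abcol,DC=ac,DC=uk
\t4> objectClass: top; person; organizationalPerson; user;
\t1> cn: shib;
"""

def parse_ldp_entry(dump):
    """Return {attribute: [values]} from an ldp.exe entry listing."""
    attrs = {}
    for line in dump.splitlines():
        line = line.strip()
        if not line or line.startswith(">>"):   # skip blanks and the Dn line
            continue
        _, rest = line.split(">", 1)            # drop the "4>" value count
        name, values = rest.split(":", 1)
        attrs[name.strip()] = [v.strip() for v in values.split(";") if v.strip()]
    return attrs

def required_roles(web_xml, url):
    """Roles named in the auth-constraint of every constraint covering url."""
    roles = set()
    for sc in ET.fromstring(web_xml).iter("security-constraint"):
        if url in {p.text.strip() for p in sc.iter("url-pattern")}:
            roles.update(r.text.strip() for r in sc.iter("role-name"))
    return roles

def authorize(web_xml, dump, url, role_attr="objectClass"):
    """Access is granted if the user holds any required role; with roles
    mapped from objectClass (assumed here) those are its objectClass values."""
    user_roles = set(parse_ldp_entry(dump).get(role_attr, []))
    needed = required_roles(web_xml, url)
    return bool(user_roles & needed), needed, user_roles

if __name__ == "__main__":
    print(authorize(WEB_XML, LDP_DUMP, "/SSO"))                               # "account": denied
    print(authorize(WEB_XML.replace("account", "person"), LDP_DUMP, "/SSO"))  # "person": granted
```

Because every AD user object carries "person" in objectClass, a "person" constraint only enforces authentication, not who may use the IdP; a group-based attribute such as memberOf is the usual way to narrow it.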

-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Paul Cheyne
Sent: 01 May 2009 14:17
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

Hi all, I think I am more confused now. Can you tell this is not my daily job? lol

I have checked my entry in ldp.exe and this is the result. So that looks correct to me. See below:

Matched DNs: 
Getting 1 entries:
>> Dn: CN=shib,CN=Users,DC=abcol,DC=ac,DC=uk
	4> objectClass: top; person; organizationalPerson; user; 
	1> cn: shib; 
	1> distinguishedName: CN=shib,CN=Users,DC=abcol,DC=ac,DC=uk; 
	1> name: shib; 
	1> canonicalName: abcol.ac.uk/Users/shib;


Andy: My web XML file does have this part:

<security-role>
  <description>All Users</description>
  <role-name>person</role-name>
</security-role>

But mine has account instead of person. My web.xml file is below. My Shibboleth log shows no errors either.

<?xml version="1.0" encoding="ISO-8859-1"?>

<!DOCTYPE web-app
    PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">

<web-app>

    <context-param>
        <param-name>IdPConfigFile</param-name>
        <param-value>file:/C:/shibboleth-idp/etc/idp.xml</param-value>
    </context-param>

    <servlet>
        <servlet-name>IdP</servlet-name>
        <display-name>Shibboleth Identity Provider</display-name>
        <servlet-class>edu.internet2.middleware.shibboleth.idp.IdPResponder</servlet-class>
    </servlet>

    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/SSO</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/AA</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/Artifact</url-pattern>
    </servlet-mapping>
    <servlet-mapping>
        <servlet-name>IdP</servlet-name>
        <url-pattern>/Status</url-pattern>
    </servlet-mapping>

    <mime-mapping>
        <extension>css</extension>
        <mime-type>text/css</mime-type>
    </mime-mapping>

<security-constraint>
  <!-- the list of URL patterns that needs to be protected -->
  <web-resource-collection>
    <web-resource-name>SSO servlet</web-resource-name>
    <url-pattern>/SSO</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>account</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>FORM</auth-method>
  <realm-name>Shibboleth form-based authentication</realm-name>
  <form-login-config>
    <form-login-page>/login.jsp</form-login-page>
    <form-error-page>/login-error.jsp</form-error-page>
  </form-login-config>
</login-config>
<security-role>
  <description>ALL users</description>
  <role-name>account</role-name>
</security-role>

</web-app>

Paul Cheyne
Support Consultant
RM (Aberdeen College)
Tel:  01224 (61)2550
Email:  [log in to unmask]

  


-----Original Message-----
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Andy Swiffin
Sent: 01 May 2009 13:28
To: [log in to unmask]
Subject: Re: Ldap Authentication problem

>>> On 01/05/2009 at 11:46, in message
<3EF77B326C82B84C95EE7A8BF39E872F0612A857@ad-bellshill>, Paul Cheyne
<[log in to unmask]> wrote:
> HI Matt
> Thanks for the info.  I changed the userSearch value but it throws up a
> 403 access denied error.  Full error below 
> HTTP Status 403 - Access to the requested resource has been denied
> ________________________________
> type Status report
> message Access to the requested resource has been denied
> description Access to the specified resource (Access to the requested
> resource has been denied) has been forbidden.
> 
> ________________________________
> 

Sorry, I missed that there had been more traffic on the list about this; my earlier reply may be outdated. The 403 error I know only too well (don't I, Jillian ;-). This could be it not getting through the Tomcat authorisation; I expect you're not getting anything in your Shibboleth logs either? What have you got at the bottom of your web.xml? It should look like:


<... Some other stuff above this....
<security-role>
  <description>All Users</description>
  <role-name>person</role-name>
</security-role>

If you don't have this bit let me know and I'll send you my web.xml (which we know works!).

Yesterday the realm config we used looked just like yours (except with samaccountname instead of uid) so that should be OK.

Cheers
Andy

p.s. Hopefully you'll get this before it goes too stale; "Janet" seems to be down at the mo :-(


