Russell,

Whilst I don't have the answer, I believe we have deployed Shibboleth 2 in this scenario. Both the authentication piece of Shib 2 and the attribute resolver can be configured with two different LDAP sources. It searches one and then the other, assuming the usernames are different.

Hopefully, it's just a case of hunting for it in the documentation. In the meantime I'll see if one of our consultants has any notes he can share.
Matt

Matt Dunkin
Technology Specialist
Salford Software Ltd
Lancastrian Office Centre, Talbot Road, Old Trafford, Manchester M32 0FP, UK
Tel: +44 (0) 161 906 2233 | Mobile: +44 07884 432227 | Fax: +44 (0) 161 906 1003
www.salfordsoftware.co.uk ( http://www.salfordsoftware.co.uk/ )
The leader in Identity Management Solutions
This email is confidential and may contain privileged material. If you are not the intended recipient then you must not copy it, forward it, use it for any purpose, or disclose it to another person. Instead please return it to the sender immediately. Please then delete your copy from your system. Please also note that the author of this email cannot conclude any contract on behalf of Salford Software Ltd by email.

Company Registered in England No. 2252625. VAT Reg. No. 519613442
Academic Enterprises. University of Salford, Salford. M5 4WT
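The "search one, then the other" behaviour Matt describes can be expressed on the attribute-resolver side of a Shibboleth IdP 2.x with two LDAP data connectors chained through a failover. The fragment below is an added example for this thread, not Salford Software's, Redbridge College's or the Shibboleth project's own configuration; host names, base DNs, service-account DNs, the `sAMAccountName` filter and the returned attribute names are assumed, and the element and attribute names are from my recollection of the IdP 2.x attribute-resolver schema, so check them against the version you run. The key detail is `noResultIsError="true"` on the primary connector: a failover connector is only consulted when the primary raises an error, so without that flag a user who exists only in the student domain would come back with no attributes instead of triggering the second search.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not the project's or any poster's own config).
     Assumed values: host names, base DNs, service-account DNs, attribute names. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">

    <!-- Primary connector: the staff domain. A separate read-only service account is
         bound per domain, so no single credential needs rights in both forests.
         noResultIsError="true" turns "user not found here" into an error, which is
         what makes the resolver fall through to the failover connector below. -->
    <resolver:DataConnector id="staffLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://staff-dc.example.ac.uk"
        baseDN="OU=Users,DC=staff,DC=example,DC=ac,DC=uk"
        principal="CN=shib-reader,OU=Service Accounts,DC=staff,DC=example,DC=ac,DC=uk"
        principalCredential="CHANGE-ME"
        useStartTLS="true"
        noResultIsError="true">
        <!-- The login name from CAS is matched on sAMAccountName rather than
             userPrincipalName, because the UPN suffix differs per domain. -->
        <dc:FilterTemplate>
            <![CDATA[ (sAMAccountName=$requestContext.principalName) ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>sAMAccountName mail givenName sn</dc:ReturnAttributes>
        <!-- If the staff search fails (including an empty result), try the student domain. -->
        <resolver:FailoverDataConnector ref="studentLDAP"/>
    </resolver:DataConnector>

    <!-- Secondary connector: the student domain. No noResultIsError here, so a user
         missing from both directories simply yields no attributes. -->
    <resolver:DataConnector id="studentLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://student-dc.example.ac.uk"
        baseDN="OU=Users,DC=student,DC=example,DC=ac,DC=uk"
        principal="CN=shib-reader,OU=Service Accounts,DC=student,DC=example,DC=ac,DC=uk"
        principalCredential="CHANGE-ME"
        useStartTLS="true">
        <dc:FilterTemplate>
            <![CDATA[ (sAMAccountName=$requestContext.principalName) ]]>
        </dc:FilterTemplate>
        <dc:ReturnAttributes>sAMAccountName mail givenName sn</dc:ReturnAttributes>
    </resolver:DataConnector>

    <!-- Attribute definitions depend only on the primary connector: whatever the
         failover connector returns is surfaced under the primary's id. -->
    <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
        <resolver:Dependency ref="staffLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail"/>
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="staffLDAP"/>
        <resolver:AttributeEncoder xsi:type="enc:SAML2String"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid"/>
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

This is why Rod's question about distinct usernames matters: the chain stops at the first directory that returns a match, so if the same login name existed in both forests the staff record would silently shadow the student one and the IdP would release the wrong person's attributes. Keeping the two bind accounts read-only and separate also means a compromise of the IdP's credential for one domain gives no foothold in the other.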
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Russell Morriss
Sent: 15 March 2010 09:17
To: [log in to unmask]
Subject: Re: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp
Hi Rod,

I believe we have two separate forests, i.e. two different sets of domain admin accounts, two domain controllers.

There is some kind of one-way trust set up between them, but the global catalogue on either LDAP server doesn't include user details from the other.

The IT Network team looked into the possibility of a middleware LDAP server to combine the account details, but this proved problematic.
Thanks,

Russell Morriss
Web Services Manager
Redbridge College
Little Heath, Barley Lane, Romford, RM6 4XT
Tel: 020 8548 7420
Email: [log in to unmask]
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 12 March 2010 11:55
To: [log in to unmask]
Subject: Re: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp
Importance: High
Are your usernames distinct in the two trees?
From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Russell Morriss
Sent: 12 March 2010 11:18
To: [log in to unmask]
Subject: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp
Hello everyone,

I have searched the so-far-discussed aspects of LDAP (Active Directory) authentication for Shibboleth but haven't encountered the same issue we appear to be having.

We have two separate domains for staff and student; we too have followed the excellent installation instructions from Nottingham Trent utilising JASIG CAS and a separate SQL Server database for attribute storage (Shib 2.0 idp):
http://shibsp.ntu.ac.uk/confluence/display/SHIB2/Windows+IdP+installation

The problem I have encountered is that, for one reason or another outside of my control, we don't have a global catalogue (:3268) that I can query using one account for binding. At the moment I can only configure it to bind to one or the other; also, by querying on userPrincipalName we either have a .staff.x or a .student.x.

Could anyone suggest how I could query two different LDAP servers with a common set of credentials in such a case, or alternatively how the JASIG CAS configuration could be amended to use two sets of credentials to query two LDAP servers?

I appreciate this may be a network configuration issue, so any guidance on adjusting our current setup to accommodate Shib would also be welcomed, as I can forward these recommendations on to our network administrator.

Any responses on or off list appreciated.

Thanks,
Russell Morriss
Web Services Manager
Redbridge College
Little Heath, Barley Lane, Romford, RM6 4XT
Tel: 020 8548 7420
Email: [log in to unmask]
______________________________________________________________________
The views expressed in this e-mail are those of the individual and not necessarily of Redbridge College. The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee.

If you are not the intended addressee any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. Please notify the sender immediately by replying to the message and deleting it from your computer. Messages sent to and from Redbridge College may be monitored. Internet communications cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Please rely on your own virus checker and procedures with regard to any attachment to this message.
______________________________________________________________________
This email has been scanned for viruses by the Email Protection Agency.
For more information please visit http://www.epagency.net
______________________________________________________________________
______________________________________________________________________
This email has been scanned for viruses by Redbridge College Network Services
______________________________________________________________________