Russell,

Whilst I don't have the answer, I believe we have deployed Shibboleth 2 in this scenario. Both the authentication piece of Shib 2 and the attribute resolver can be configured with two different LDAP sources. It searches one and then the other, assuming the usernames are different.

Hopefully it's just a case of hunting for it in the documentation. In the meantime I'll see if one of our consultants has any notes he can share.

Matt

Matt Dunkin
Technology Specialist
Salford Software Ltd
Lancastrian Office Centre, Talbot Road,
Old Trafford, Manchester M32 0FP, UK

Tel: +44 (0) 161 906 2233
Mobile: +44 07884 432227
Fax: +44 (0) 161 906 1003
www.salfordsoftware.co.uk
The leader in Identity Management Solutions

This email is confidential and may contain privileged material. If you are not the intended recipient then you must not copy it, forward it, use it for any purpose, or disclose it to another person. Instead please return it to the sender immediately. Please then delete your copy from your system.

Please also note that the author of this email cannot conclude any contract on behalf of Salford Software Ltd by email.

Company Registered in England No. 2252625. VAT Reg. No. 519613442
Academic Enterprises. University of Salford, Salford. M5 4WT
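
As an added illustration of the "search one forest, then the other" approach Matt describes (example configuration written for this thread, not Salford Software's or Shibboleth's own), here is an IdP 2.x JAAS login.config with one LdapLoginModule per AD forest. Host names, base DNs and the bind accounts are placeholders, and the option names follow the vt-ldap LdapLoginModule shipped with IdP 2.x, so check them against the version you run.

```text
/* Added example, not part of the original thread. Two AD forests stacked in
   the Shibboleth IdP 2.x JAAS login.config (the file that handler.xml points
   at via jaasConfigurationLocation). Hosts, DNs and passwords are placeholders. */
ShibUserPassAuth {

   /* Staff forest is consulted first. "sufficient": a successful bind ends
      the chain here; any failure (no such user, bad password) falls through
      to the next module instead of failing the whole login. */
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="dc1.staff.example.ac.uk"
      port="636"
      ssl="true"
      base="DC=staff,DC=example,DC=ac,DC=uk"
      subtreeSearch="true"
      serviceUser="CN=shib-bind,OU=Service Accounts,DC=staff,DC=example,DC=ac,DC=uk"
      serviceCredential="REPLACE-WITH-STAFF-BIND-PASSWORD"
      userField="sAMAccountName";

   /* Student forest: reached only when the staff module did not authenticate.
      It needs its own read-only bind account, because (as the thread notes)
      a one-way trust does not let one account search both forests. */
   edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient
      host="dc1.student.example.ac.uk"
      port="636"
      ssl="true"
      base="DC=student,DC=example,DC=ac,DC=uk"
      subtreeSearch="true"
      serviceUser="CN=shib-bind,OU=Service Accounts,DC=student,DC=example,DC=ac,DC=uk"
      serviceCredential="REPLACE-WITH-STUDENT-BIND-PASSWORD"
      userField="sAMAccountName";
};

/* Caveats:
   - If the same sAMAccountName exists in both forests, the first module that
     authenticates it wins and the second forest is never asked, which is why
     Rod's question about distinct usernames matters.
   - With every module marked "sufficient", login fails only when all of them
     fail, so a user who is rejected gets one generic failure rather than an
     indication of which forest rejected them.
   - Each bind account only needs permission to search and read; keep the
     passwords out of version control and restrict read access to this file. */
```

Because the IdP only falls through on failure, put the forest with the larger user population first to keep the average login to a single LDAP round trip.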

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Russell Morriss
Sent: 15 March 2010 09:17
To: [log in to unmask]
Subject: Re: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp

 

Hi Rod,

I believe we have two separate forests, i.e. two different sets of domain admin accounts and two domain controllers.

There is some kind of one-way trust set up between them, but the global catalogue on either LDAP server doesn't include user details from the other.

The IT Network team looked into the possibility of a middleware LDAP server to combine the account details, but this proved problematic.

Thanks,

Russell Morriss
Web Services Manager

Redbridge College
Little Heath, Barley Lane, Romford, RM6 4XT

Tel: 020 8548 7420
Email: [log in to unmask]
Web: www.redbridge-college.ac.uk

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Rod Widdowson
Sent: 12 March 2010 11:55
To: [log in to unmask]
Subject: Re: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp
Importance: High

Are your usernames distinct in the two trees?

From: Discussion list for Shibboleth developments [mailto:[log in to unmask]] On Behalf Of Russell Morriss
Sent: 12 March 2010 11:18
To: [log in to unmask]
Subject: Multiple domain LDAP querying - JASIG CAS Shib 2.0 idp

Hello everyone,

I have searched the aspects of LDAP (Active Directory) authentication for Shibboleth discussed so far, but haven't encountered the same issue we appear to be having.

We have two separate domains for staff and students. We too have followed the excellent installation instructions from Nottingham Trent, utilising JASIG CAS and a separate SQL Server database for attribute storage (Shib 2.0 IdP):

http://shibsp.ntu.ac.uk/confluence/display/SHIB2/Windows+IdP+installation

The problem I have encountered is that, for one reason or another outside of my control, we don't have a global catalogue (:3268) that I can query using one account for binding. At the moment I can only configure it to bind to one or the other; also, querying on userPrincipalName, we either have a .staff.x or a .student.x.

Could anyone suggest how I could query two different LDAP servers with a common set of credentials in such a case, or alternatively how the JASIG CAS configuration could be amended to use two sets of credentials to query two LDAP servers?

I appreciate this may be a network configuration issue, so any guidance on adjusting our current setup to accommodate Shib would also be welcome, as I can forward these recommendations on to our network administrator.

Any responses on or off list appreciated.

Thanks,

Russell Morriss
Web Services Manager

Redbridge College
Little Heath, Barley Lane, Romford, RM6 4XT

Tel: 020 8548 7420
Email: [log in to unmask]
Web: www.redbridge-college.ac.uk

______________________________________________________________________
The views expressed in this e-mail are those of the individual and not necessarily of Redbridge College. The information contained in this message or any of its attachments may be privileged and confidential and intended for the exclusive use of the addressee.
If you are not the intended addressee any disclosure, reproduction, distribution or other dissemination or use of this communication is strictly prohibited. Please notify the sender immediately by replying to the message and deleting it from your computer. Messages sent to and from Redbridge College may be monitored. Internet communications cannot be guaranteed to be secured or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. Please rely on your own virus checker and procedures with regard to any attachment to this message.

______________________________________________________________________
This email has been scanned for viruses by the Email Protection Agency.
For more information please visit http://www.epagency.net
______________________________________________________________________


______________________________________________________________________
This email has been scanned for viruses by Redbridge College Network Services
______________________________________________________________________