Ian,
You may find it easier to start with something which works. Included is the template that the quick installer uses to connect to AD.
NOTES:
- Most of the macros are self-explanatory, but $IDP_EXPANDED_NAME$ is not obvious; for you it will be something like
DC=WMC,DC=AC,DC=UK
- JeXplorer is a great way of working out what the IdP is seeing and helping with the connection URL
- YMMV if you have forests (if so try the 3268 port).
- The principal should be established without any "@" or "\" grammar.
- Come back (in this group) if you have further questions. It usually takes a couple of iterations to get going.
> I have got a MySQL link
Depending on where your comfort lies - SQLServer is free and the jdbc link works a treat. I can post details of how I did that if people need to know the precise "inkantation and magicke".
----- Original Message -----
From: "Ian Fogarty" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Thursday, October 09, 2008 3:41 PM
Subject: Shibboleth and AD - Help!!
I have been looking through the archives and I can see that AD issues
have been posted a few times before but I am about to fling our Shib
server out of the rack - the AD link up is driving me crazy.
I have followed Nottingham Trent's instructions on getting Shib
installed on 2003 (they are extremely good if NTU people read this) and
using CAS to do the SSO. We are in the Federation and for basic sites
everything works fine. I am now trying to link into our AD to provide
some of the more specific bits of data - e.g. mail, cn, given name, sn,
etc etc for the EDINA-type sites. I have got a MySQL link working and if
all else fails, I will create a DB and use that for the lookups but I
would really like to use AD directly from shib.
This is the JNDI extract of my config....
<JNDIDirectoryDataConnector id="activeDirectory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
  </Search>
  <Property name="java.naming.factory.initial"
            value="com.sun.jndi.ldap.LdapCtxFactory" />
  <Property name="java.naming.provider.url"
            value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
  <Property name="java.naming.security.principal"
            value="[log in to unmask]" />
  <Property name="java.naming.security.credentials"
            value="PASSWORD" />
</JNDIDirectoryDataConnector>

<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
  <DataConnectorDependency requires="activeDirectory" />
</SimpleAttributeDefinition>
Usernames/Passwords/Servers have been hidden but I am certain they work.
I have used LDAPBrowser to connect to AD using the same credentials and
that works. Also the CAS part works fine and that uses the same bind
user and password.
I have listed in arp.site.xml to release the following attributes (this
is only until I get it working - I will do SP specific release
statements eventually)
<Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
  <AnyValue release="permit" />
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
  <AnyValue release="permit" />
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:eduPersonTargetedID">
  <AnyValue release="permit" />
</Attribute>
<Attribute name="urn:mace:dir:attribute-def:givenName">
  <AnyValue release="permit" />
</Attribute>
...and the output I get from resolvertest.bat for my username is....
0 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository - Initializing File System Arp Repository with a root of (file:/c:/shibboleth-idp/etc/arps/).
1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.provider.JNDIDirectoryDataConnector - An error occurred while retieving data for principal (ian fogarty) :Unprocessed Continuation Reference(s)
1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver - Problem encountered while resolving attribute: (urn:mace:dir:attribute-def:givenName): edu.internet2.middleware.shibboleth.aa.attrresolv.ResolutionPlugInException: Error retrieving data for principal.
1421 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.ArpEngine - Applying Attribute Release Policies.
Received the following from the Attribute Resolver:
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">kc9NtorOicJU8wcXCiqG3BF/9Fo=</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue Scope="wmc.ac.uk">member</AttributeValue></Attribute>
<Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
           xmlns:xsd="http://www.w3.org/2001/XMLSchema"
           xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
           AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
           AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>member</AttributeValue></Attribute>
I am presuming that the JNDI is working as 1: CAS is working and 2: I
changed the IP of the lookup and ran a packet trace and I could see the
requests trying to connect to the alternative DC. I am using IP
addresses and not names as the server is in our DMZ and only LDAP ports
are open going back into our internal network.
I was wondering if anyone has seen this sort of error before and if it
is a quick fix to resolve?
Many thanks
Ian
Ian Fogarty
Senior IT Technician, IT Networks
Wirral Metropolitan College,
Carlett Park Campus, NW110
Eastham
Wirral
CH62 0AY
t: +44 (0) 151 551 7764 e: [log in to unmask]
<mailto:[log in to unmask]> w: www.wmc.ac.uk <http://www.wmc.ac.uk>
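The checklist in the reply at the top of this thread (global catalog on port 3268 when the AD is a forest, a bind principal with no "@" or "\" grammar) and the "Unprocessed Continuation Reference(s)" error in the resolvertest output can be turned into a small lint over the JNDIDirectoryDataConnector block. The script below is an added example, not code from the list, the Shibboleth project or the poster; the two connector blocks and the log line are constructed stand-ins with placeholder hosts and credentials, and the distinguished-name form of the bind principal and the `java.naming.referral` property are this example's suggestions for satisfying the checklist, not something the reply spells out.

```python
"""Lint a Shibboleth 1.x JNDIDirectoryDataConnector against the AD checklist
(GC port 3268/3269 for forests, bind principal without "@" or "\\" grammar)
and map resolvertest's "Unprocessed Continuation Reference(s)" error onto it.
Added example; the sample blocks are constructed, not a real configuration."""
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

GC_PORTS = {3268, 3269}                    # AD global catalog, plain and SSL
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed: the poster's connector shape, placeholder host/credentials,
# and an "@"-style bind principal that the checklist warns against.
SAMPLE_CONNECTOR = """<JNDIDirectoryDataConnector id="activeDirectory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
  </Search>
  <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <Property name="java.naming.provider.url" value="ldap://172.0.0.1/dc=DNS,dc=DOMAIN"/>
  <Property name="java.naming.security.principal" value="svc-shib@DNS.DOMAIN"/>
  <Property name="java.naming.security.credentials" value="PASSWORD"/>
</JNDIDirectoryDataConnector>"""

# Constructed: the same connector after applying the checklist (GC over SSL,
# DN-form principal, referral handling made explicit).
FIXED_CONNECTOR = """<JNDIDirectoryDataConnector id="activeDirectory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false"/>
  </Search>
  <Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
  <Property name="java.naming.provider.url" value="ldaps://172.0.0.1:3269/DC=DNS,DC=DOMAIN"/>
  <Property name="java.naming.referral" value="follow"/>
  <Property name="java.naming.security.principal" value="CN=svc-shib,OU=Service Accounts,DC=DNS,DC=DOMAIN"/>
  <Property name="java.naming.security.credentials" value="PASSWORD"/>
</JNDIDirectoryDataConnector>"""

# Constructed resolvertest.bat line in the shape of the one in the message.
SAMPLE_LOG = ("1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv."
              "provider.JNDIDirectoryDataConnector - An error occurred while "
              "retrieving data for principal (ian fogarty) :Unprocessed "
              "Continuation Reference(s)")

CONTINUATION_RE = re.compile(r"Unprocessed Continuation Reference")


def connector_properties(xml_text):
    """Return the <Property name=... value=.../> pairs of one connector block."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): p.get("value") for p in root.iter("Property")}


def lint_connector(xml_text):
    """Check a connector against the checklist; returns (code, message) pairs."""
    props = connector_properties(xml_text)
    findings = []
    url = urlsplit(props.get("java.naming.provider.url", ""))
    port = url.port or DEFAULT_PORTS.get(url.scheme)
    if port not in GC_PORTS:
        findings.append(("PORT_NOT_GC",
                         f"provider URL uses port {port}; for a forest try the global "
                         "catalog on 3268 (3269 over SSL) so searches do not come back "
                         "as referrals"))
    if url.scheme != "ldaps":
        findings.append(("CLEARTEXT_BIND",
                         "plain ldap:// URL: the simple bind sends the service account "
                         "password unencrypted across the DMZ link; prefer ldaps://"))
    principal = props.get("java.naming.security.principal", "")
    if "@" in principal or "\\" in principal:
        findings.append(("PRINCIPAL_GRAMMAR",
                         f"bind principal {principal!r} uses '@' or '\\' grammar; "
                         "bind with the account's distinguished name instead"))
    if "java.naming.referral" not in props:
        findings.append(("NO_REFERRAL_PROPERTY",
                         "java.naming.referral is unset, so a referral from AD surfaces "
                         "as 'Unprocessed Continuation Reference(s)'; set it to 'follow' "
                         "or 'ignore', or query the global catalog"))
    return findings


def diagnose_log(log_text):
    """Map resolvertest output onto the checklist; returns (code, message) pairs."""
    codes = []
    if CONTINUATION_RE.search(log_text):
        codes.append(("CONTINUATION_REFERENCE",
                      "AD answered with an LDAP referral the JNDI client did not chase: "
                      "check the provider URL port and java.naming.referral"))
    return codes


if __name__ == "__main__":
    for code, msg in lint_connector(SAMPLE_CONNECTOR) + diagnose_log(SAMPLE_LOG):
        print(f"{code}: {msg}")
    print("fixed connector findings:", lint_connector(FIXED_CONNECTOR))
```

Run it as-is to see the four findings the poster's shape of connector produces, then point `lint_connector` at your own resolver.xml block (the XML element alone, pasted into a string) before trying the next iteration of the connection URL.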