Have you tried googling for the error "Unprocessed Continuation
Reference"?
On 9 Oct, Ian Fogarty wrote:
> I have been looking through the archives and I can see that AD issues
> have been posted a few times before but I am about to fling our Shib
> server out of the rack - the AD link up is driving me crazy.
>
>
>
> I have followed Nottingham Trent's instructions on getting Shib
> installed on 2003 (they are extremely good if NTU people read this) and
> using CAS to do the SSO. We are in the Federation and for basic sites
> everything works fine. I am now trying to link into our AD to provide
> some of the more specific bits of data - e.g. mail, cn, given name, sn,
> etc etc for the EDINA-type sites. I have got a MySQL link working and if
> all else fails, I will create a DB and use that for the lookups but I
> would really like to use AD directly from shib.
>
>
>
> This is the JNDI extract of my config....
>
>
>
> <JNDIDirectoryDataConnector id="activeDirectory">
>
> <Search filter="cn=%PRINCIPAL%">
>
> <Controls
> searchScope="SUBTREE_SCOPE" returningObjects="false" />
>
> </Search>
>
> <Property
> name="java.naming.factory.initial"
> value="com.sun.jndi.ldap.LdapCtxFactory" />
>
> <Property
> name="java.naming.provider.url"
> value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
>
> <Property
> name="java.naming.security.principal" value="[log in to unmask]" />
>
> <Property
> name="java.naming.security.credentials" value="PASSWORD" />
>
> </JNDIDirectoryDataConnector>
>
>
>
> <SimpleAttributeDefinition
> id="urn:mace:dir:attribute-def:givenName">
>
> <DataConnectorDependency
> requires="activeDirectory"/>
>
> </SimpleAttributeDefinition>
>
>
>
> Usernames/Passwords/Servers have been hidden but I am certain they work.
> I have used LDAPBrowser to connect to AD using the same credentials and
> that works. Also the CAS part works fine and that uses the same bind
> user and password.
>
>
>
> I have listed in arp.site.xml to release the following attributes (this
> is only until I get it working - I will do SP specific release
> statements eventually)
>
>
>
> <Attribute
> name="urn:mace:dir:attribute-def:eduPersonAffiliation">
>
> <AnyValue
> release="permit"/>
>
> </Attribute>
>
> <Attribute
> name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
>
> <AnyValue
> release="permit"/>
>
> </Attribute>
>
>
>
> <Attribute
> name="urn:mace:dir:attribute-def:eduPersonTargetedID">
>
> <AnyValue
> release="permit"/>
>
> </Attribute>
>
>
>
> <Attribute
> name="urn:mace:dir:attribute-def:givenName">
>
> <AnyValue
> release="permit"/>
>
> </Attribute>
>
>
>
> ...and the output I get from resolvertest.bat for my username is....
>
>
>
> 0 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository - Initializing File System Arp Repository with a root of (file:/c:/shibboleth-idp/etc/arps/).
>
>
>
> 1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.provider.JNDIDirectoryDataConnector - An error occurred while retieving data for principal (ian fogarty) :Unprocessed Continuation Reference(s)
>
>
>
> 1359 [main] ERROR edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver - Problem encountered while resolving attribute: (urn:mace:dir:attribute-def:givenName): edu.internet2.middleware.shibboleth.aa.attrresolv.ResolutionPlugInException: Error retrieving data for principal.
>
>
>
> 1421 [main] INFO edu.internet2.middleware.shibboleth.aa.arp.ArpEngine -
> Applying Attribute Release Policies.
>
> Received the following from the Attribute Resolver:
>
>
>
> <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> AttributeName="urn:mace:dir:attribute-def:eduPersonTargetedID"
> AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue
> Scope="wmc.ac.uk">kc9NtorOicJU8wcXCiqG3BF/9Fo=</AttributeValue></Attribute>
>
>
>
> <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> AttributeName="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
> AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue
> Scope="wmc.ac.uk">member</AttributeValue></Attribute>
>
>
>
> <Attribute xmlns="urn:oasis:names:tc:SAML:1.0:assertion"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> AttributeName="urn:mace:dir:attribute-def:eduPersonAffiliation"
> AttributeNamespace="urn:mace:shibboleth:1.0:attributeNamespace:uri"><AttributeValue>member</AttributeValue></Attribute>
>
>
>
> I am presuming that the JNDI is working as 1: CAS is working and 2: I
> changed the IP of the lookup and ran a packet trace and I could see the
> requests trying to connect to the alternative DC. I am using IP
> addresses and not names as the server is in our DMZ and only LDAP ports
> are open going back into our internal network.
>
>
>
> I was wondering if anyone has seen this sort of error before and if it
> is a quick fix to resolve?
>
>
>
> Many thanks
>
>
>
> Ian
>
>
>
> Ian Fogarty
>
> Senior IT Technician, IT Networks
>
> Wirral Metropolitan College,
>
> Carlett Park Campus, NW110
>
> Eastham
>
> Wirral
>
> CH62 0AY
>
> t: +44 (0) 151 551 7764 e: [log in to unmask]
> <mailto:[log in to unmask]> w: www.wmc.ac.uk <http://www.wmc.ac.uk>
>
--
Colin Farrow
Computing Service, University of Glasgow, Glasgow G12 8QQ
Tel: 0141 330 4862, Email: [log in to unmask]
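
Added example, not from either poster: "Unprocessed Continuation Reference(s)" is the message of JNDI's `PartialResultException`, raised when an LDAP search returns referrals while the standard `java.naming.referral` property is at its default of `ignore`, which a subtree search from an Active Directory domain root commonly triggers. The fragment below shows two alternative adjustments to the quoted connector; the `ou=Staff` search base and the `BIND_USER` value are placeholders assumed for illustration.

```xml
<!-- Use ONE of the two variants; both keep the id from the quoted config. -->

<!-- Variant A: tell JNDI to chase the referrals AD returns. -->
<JNDIDirectoryDataConnector id="activeDirectory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
  </Search>
  <Property name="java.naming.factory.initial"
            value="com.sun.jndi.ldap.LdapCtxFactory" />
  <Property name="java.naming.provider.url"
            value="ldap://172.X.X.X/dc=DNS,dc=DOMAIN" />
  <Property name="java.naming.security.principal" value="BIND_USER" />
  <Property name="java.naming.security.credentials" value="PASSWORD" />
  <!-- Standard JNDI setting (Context.REFERRAL): follow | ignore | throw -->
  <Property name="java.naming.referral" value="follow" />
</JNDIDirectoryDataConnector>

<!-- Variant B: root the search below the domain root so the subtree
     contains no subordinate naming contexts and no referrals come back.
     "ou=Staff" is a hypothetical container; substitute the real one. -->
<JNDIDirectoryDataConnector id="activeDirectory">
  <Search filter="cn=%PRINCIPAL%">
    <Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
  </Search>
  <Property name="java.naming.factory.initial"
            value="com.sun.jndi.ldap.LdapCtxFactory" />
  <Property name="java.naming.provider.url"
            value="ldap://172.X.X.X/ou=Staff,dc=DNS,dc=DOMAIN" />
  <Property name="java.naming.security.principal" value="BIND_USER" />
  <Property name="java.naming.security.credentials" value="PASSWORD" />
</JNDIDirectoryDataConnector>
```

With `follow`, JNDI connects to the host names given in each referral and binds there with the same credentials, so from a DMZ host those names must resolve and be reachable. Narrowing the search base avoids the referrals without opening any further paths through the firewall.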