IdP 2.3.0 -> 2.3.1 lib changes
10 views
Skip to first unread message
Etienne Dysli
Jul 13, 2011, 6:53:31 AM7/13/11
to us...@shibboleth.net
Hi list,
I've just unpacked the new IdP 2.3.1 release and I've noticed that some
jars in the lib directory apparently had their versions /decreased/:
- esapi-2.0GA.jar -> esapi-2.0_rc10.jar
- xmltooling-1.3.2.jar -> xmltooling-1.3.1.jar
Is this an intended change?
Etienne
Cantor, Scott E.
Jul 13, 2011, 9:55:21 AM7/13/11
to us...@shibboleth.net
is depending on shib-common 1.3.0 instead of 1.3.1. That may be enough to
cause it.
-- Scott
--
To unsubscribe from this group, send email to
users+un...@shibboleth.net
Chad La Joie
Jul 13, 2011, 11:19:24 AM7/13/11
to us...@shibboleth.net
Yep, that's a mistake. This morning some one submitted a security issue
(very few people will be effected) too so there will be a 2.3.2 pretty
soon (early next week probably).
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
(very few people will be effected) too so there will be a 2.3.2 pretty
soon (early next week probably).
Chad La Joie
http://itumi.biz
trusted identities, delivered
Kevin Hall
Jul 19, 2011, 1:55:29 PM7/19/11
to us...@shibboleth.net, Chad La Joie
Chad,
What happened to 2.3.2? I grabbed it yesterday and now I see it is no longer
available on the site and 2.3.1 is listed as the latest version.
Our keytab based LDAP lookups broke with the move from 2.1.5 to 2.3.1 (and
2.3.2). Wondering if it is related to bugs or some subtle config change in the
newer version. We are running OpenLDAP 2.4.17.
-Kevin
On 07/13/2011 08:19 AM, Chad La Joie wrote:
> Yep, that's a mistake. This morning some one submitted a security issue
> (very few people will be effected) too so there will be a 2.3.2 pretty
> soon (early next week probably).
>
> On 7/13/11 6:53 AM, Etienne Dysli wrote:
>> Hi list,
>>
>> I've just unpacked the new IdP 2.3.1 release and I've noticed that some
>> jars in the lib directory apparently had their versions /decreased/:
>> - esapi-2.0GA.jar -> esapi-2.0_rc10.jar
>> - xmltooling-1.3.2.jar -> xmltooling-1.3.1.jar
>>
>> Is this an intended change?
>>
>> Etienne
>>
>
--
What happened to 2.3.2? I grabbed it yesterday and now I see it is no longer
available on the site and 2.3.1 is listed as the latest version.
Our keytab based LDAP lookups broke with the move from 2.1.5 to 2.3.1 (and
2.3.2). Wondering if it is related to bugs or some subtle config change in the
newer version. We are running OpenLDAP 2.4.17.
-Kevin
On 07/13/2011 08:19 AM, Chad La Joie wrote:
> Yep, that's a mistake. This morning some one submitted a security issue
> (very few people will be effected) too so there will be a 2.3.2 pretty
> soon (early next week probably).
>
> On 7/13/11 6:53 AM, Etienne Dysli wrote:
>> Hi list,
>>
>> I've just unpacked the new IdP 2.3.1 release and I've noticed that some
>> jars in the lib directory apparently had their versions /decreased/:
>> - esapi-2.0GA.jar -> esapi-2.0_rc10.jar
>> - xmltooling-1.3.2.jar -> xmltooling-1.3.1.jar
>>
>> Is this an intended change?
>>
>> Etienne
>>
>
--
Chad La Joie
Jul 19, 2011, 2:00:45 PM7/19/11
to us...@shibboleth.net
2.3.2 has not been released yet. What was up on the server for a couple
hours yesterday was pulled for a couple reasons.
Yesterday we had some one else submit another security issue that, under
some pretty limited conditions, affects the IdP and SP so once that gets
fixed I'll be releasing 2.3.2.
As far as your LDAP issues though, unless you were having problems with
the DN encoding issue nothing has changed with the LDAP library since 2.3.0.
hours yesterday was pulled for a couple reasons.
Yesterday we had some one else submit another security issue that, under
some pretty limited conditions, affects the IdP and SP so once that gets
fixed I'll be releasing 2.3.2.
As far as your LDAP issues though, unless you were having problems with
the DN encoding issue nothing has changed with the LDAP library since 2.3.0.
Cantor, Scott E.
Jul 19, 2011, 2:00:50 PM7/19/11
to us...@shibboleth.net
On 7/19/11 1:55 PM, "Kevin Hall" <ha...@stanford.edu> wrote:
>What happened to 2.3.2? I grabbed it yesterday and now I see it is no
>longer
>available on the site and 2.3.1 is listed as the latest version.
We pulled the patch release in order to address an issue that was reported
>What happened to 2.3.2? I grabbed it yesterday and now I see it is no
>longer
>available on the site and 2.3.1 is listed as the latest version.
at the last minute before the announcement had gone out.
-- Scott
Daniel Fisher
Jul 19, 2011, 2:03:02 PM7/19/11
to us...@shibboleth.net
What does your config look like and what error are you seeing?
--Daniel Fisher
Kevin Hall
Jul 19, 2011, 2:31:33 PM7/19/11
to us...@shibboleth.net, Daniel Fisher
I am now running 2.3.0 on our dev server with the same ldap issue. This is the
beginning of the error message:
11:22:32.134 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] -
unabled to connect to the ldap
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
I see the same thing in the ldap server's log (err=49).
Here is the connector from attribute-resolver:
<!-- LDAP Connector -->
<resolver:DataConnector id="suLDAP" xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:reso
lver:dc"
ldapURL="ldap://directory11.stanford.edu"
baseDN="cn=people,dc=stanford,dc=edu"
principal="cn=shibboleth,cn=service,cn=applications,dc=stanford,dc=edu"
principalCredential="UNUSED">
<FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</FilterTemplate>
<LDAPProperty name="java.security.auth.login.config"
value="/etc/shibboleth-idp/krb5_jaas.config" />
<LDAPProperty name="java.naming.security.authentication"
value="GSSAPI" />
<LDAPProperty name="javax.security.sasl.qop"
value="auth-conf" />
</resolver:DataConnector>
And the krb5_jaas.config file:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="service/shibb...@stanford.edu"
useKeyTab="true"
keyTab="/etc/shibboleth-idp/shibboleth.keytab";
};
Thanks,
-Kevin
> users+unsubscribe@shibboleth.__net <mailto:users%2Bunsu...@shibboleth.net>
beginning of the error message:
11:22:32.134 - ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] -
unabled to connect to the ldap
javax.naming.AuthenticationException: [LDAP: error code 49 - Invalid Credentials]
I see the same thing in the ldap server's log (err=49).
Here is the connector from attribute-resolver:
<!-- LDAP Connector -->
<resolver:DataConnector id="suLDAP" xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:reso
lver:dc"
ldapURL="ldap://directory11.stanford.edu"
baseDN="cn=people,dc=stanford,dc=edu"
principal="cn=shibboleth,cn=service,cn=applications,dc=stanford,dc=edu"
principalCredential="UNUSED">
<FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</FilterTemplate>
<LDAPProperty name="java.security.auth.login.config"
value="/etc/shibboleth-idp/krb5_jaas.config" />
<LDAPProperty name="java.naming.security.authentication"
value="GSSAPI" />
<LDAPProperty name="javax.security.sasl.qop"
value="auth-conf" />
</resolver:DataConnector>
And the krb5_jaas.config file:
com.sun.security.jgss.initiate {
com.sun.security.auth.module.Krb5LoginModule required
doNotPrompt="true"
principal="service/shibb...@stanford.edu"
useKeyTab="true"
keyTab="/etc/shibboleth-idp/shibboleth.keytab";
};
Thanks,
-Kevin
Kevin Hall
Jul 19, 2011, 3:13:52 PM7/19/11
to us...@shibboleth.net, Daniel Fisher
good shape now.
Added authenticationType="GSSAPI" to the DataConnector options and removed the
GSSAPI/java.naming.security.authentication property.
Thank you much, Daniel!
-Kevin
Daniel Fisher
Jul 19, 2011, 3:21:35 PM7/19/11
to us...@shibboleth.net
For anyone else who happens upon this thread, upgrading to versions >=2.2.0 should use the authenticationType attribute rather than java.naming.security.authentication in an LDAPProperty element. That worked in earlier versions but was never intended.
--Daniel Fisher
Reply all
Reply to author
Forward
0 new messages