[Shib-Dev] IdP 2.2.0 Snapshot Release


Chad La Joie

Feb 19, 2010, 11:31:22 AM2/19/10
to shibbol...@internet2.edu
I have placed a snapshot release of IdP 2.2.0 up on the Internet2 site.
Individuals who were having various LDAP issues should pull this
version and test it out.

http://shibboleth.internet2.edu/downloads/shibboleth/idp/2.2.0/shibboleth-identityprovider-2.2.0-SNAPSHOT-bin.zip

I'll highlight a few things changed, or bugs fixed, in this release.

- upgrade to vt-ldap 3 which should fix the connection pooling issues
some people were seeing as well as do some other nice things which you
can read about here:
https://spaces.internet2.edu/display/SHIB2/vtldap3Upgrade

- exposing of the actual LoginException to the login.jsp so that error
messages can be customized using information from the exception

- switch to ISO8601 duration notation for all time values within the
IdP config. You'll see warning messages in your log when you start up
about the old numerical values being deprecated and what the
corresponding ISO8601 notation should be.

If you were having LDAP problems before, *please* test this release.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered

Jim Fox

Feb 23, 2010, 2:59:32 PM2/23/10
to shibbol...@internet2.edu

>
> I have placed a snapshot release of IdP 2.2.0 up on the Internet2 site.
> Individuals who were having various LDAP issues should pull this
> version and test it out.
>

API changes in version 2.2 require me to recode a plugin or two. My test
might be delayed a couple of days.

Jim

Chad La Joie

Feb 23, 2010, 3:48:10 PM2/23/10
to shibbol...@internet2.edu
There were no changes made to any public APIs, I don't think.

--

Jim Fox

Feb 23, 2010, 3:54:33 PM2/23/10
to shibbol...@internet2.edu

Sorry, I spoke too soon.

There is a new bean definition in internal.xml

<bean id="shibboleth.CacheMaager"
class="org.springframework.cache.ehcache.EhCacheManagerFactoryBean" />

that was missing in my previous config from 2.1.5.
(You might want to reconsider that bean name.)


Fixing that I got:

12:40:28.103 DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:490] - Loading 4 principal connectors
12:40:28.166 ERROR [edu.vt.middleware.ldap.pool.DefaultLdapFactory:109] - unabled to connect to the ldap
javax.naming.AuthenticationNotSupportedException: [LDAP: error code 7 - SASL(-4): no mechanism available: ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:2996)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
12:40:28.176 ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:274] - Could not retrieve Ldap object from pool
java.lang.NullPointerException: null
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector.validate(LdapDataConnector.java:266)
at edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver.validate(ShibbolethAttributeResolver.java:145)


when the ldap connector tried to start. Haven't investigated
further yet, but it seems to have missed something of my tls cert
authentication.

Jim


On Tue, 23 Feb 2010, Chad La Joie wrote:

> Date: Tue, 23 Feb 2010 12:48:10 -0800
> From: Chad La Joie <laj...@itumi.biz>
> To: "shibbol...@internet2.edu" <shibbol...@internet2.edu>
> Reply-To: "shibbol...@internet2.edu" <shibbol...@internet2.edu>
> Subject: Re: [Shib-Dev] IdP 2.2.0 Snapshot Release

Daniel Fisher

Feb 23, 2010, 4:24:36 PM2/23/10
to shibbol...@internet2.edu
Can you post your data connector config and the debug logs for its
initialization?
Thanks.

Jim Fox

Feb 23, 2010, 4:45:55 PM2/23/10
to shibbol...@internet2.edu

The ldap config and log portions are attached.

Possibly the problem is that in version 3 the property name for external
auth is "edu.vt.middleware.ldap.authtype" and not
"java.naming.security.authentication".


Jim

[attachment: ldap.cfg]

Daniel Fisher

Feb 25, 2010, 2:37:10 PM2/25/10
to shibbol...@internet2.edu
There are actually two issues here.
First, the vt-ldap 3.x library no longer attempts to map jndi properties
back into its own property space.
So any unknown properties are simply placed into the context, and in
your case putting that specific property into the context and using
startTLS simply won't work. (unless you write your own connection
handler...)

The second problem I see here is shib specific and is what we should
address.
Attempting to set any properties in the LDAPProperties element that
override attributes in the LDAPDirectory schema has the potential to
cause problems.
The main reason for this is that most schema attributes have a default
value and the order in which these elements are processed will probably
never be guaranteed.
I'm not sure if we should attempt to throw an exception when this
occurs, log an error, or just document some of the properties that
should not be placed in LDAPProperties.

So in your case your config should use the authenticationType attribute:

<resolver:DataConnector id="personreg" xsi:type="LDAPDirectory"
xmlns="urn:mace:shibboleth:2.0:resolver:dc"
ldapURL="ldap://seneca02.u.washington.edu:389"
baseDN="dc=washington,dc=edu"
principal="cn=urizen3.cac.washington.edu"
poolInitialSize="2"
poolMaxIdleSize="5"
cacheResults="true"
useStartTLS="true"
authenticationType="EXTERNAL">
......

instead of:

<LDAPProperty name="java.naming.security.authentication" value="EXTERNAL" />

--Daniel
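The collision Daniel describes above (an LDAPProperty shadowing an LDAPDirectory schema attribute, which vt-ldap 3 now passes straight into the JNDI context) is easy to catch before the IdP starts. The following lint script is an added example, not Shibboleth or vt-ldap code; it assumes the resolver namespace URI urn:mace:shibboleth:2.0:resolver, and its property-to-attribute table holds only the one pair discussed in this thread.

```python
import xml.etree.ElementTree as ET

# JNDI property -> LDAPDirectory schema attribute that should carry the value.
# Only the pair from the thread is listed; further entries would be assumptions.
JNDI_TO_ATTRIBUTE = {"java.naming.security.authentication": "authenticationType"}
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"

def _local(tag):
    """Strip the namespace URI from an ElementTree tag."""
    return tag.rsplit("}", 1)[-1]

def lint_resolver(xml_text):
    """Return (connector id, message) findings for each LDAPDirectory
    DataConnector whose LDAPProperty entries shadow a schema attribute."""
    findings = []
    for dc in ET.fromstring(xml_text).iter():
        if _local(dc.tag) != "DataConnector":
            continue
        if dc.get(XSI_TYPE, "").split(":")[-1] != "LDAPDirectory":
            continue
        cid = dc.get("id", "?")
        for prop in dc.iter():
            if _local(prop.tag) != "LDAPProperty":
                continue
            name, value = prop.get("name", ""), prop.get("value", "")
            attr = JNDI_TO_ATTRIBUTE.get(name)
            if attr is None:
                continue  # unknown keys are passed straight into the JNDI context
            msg = 'LDAPProperty "%s" shadows %s; use %s="%s" on the DataConnector' % (
                name, attr, attr, value)
            if dc.get("useStartTLS") == "true" and name == "java.naming.security.authentication":
                msg += " (with useStartTLS this property has no effect under vt-ldap 3)"
            findings.append((cid, msg))
    return findings

# Constructed sample modelled on the thread's connector (broken form), plus the
# corrected form that uses authenticationType instead of the LDAPProperty.
BROKEN = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="personreg" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://seneca02.u.washington.edu:389" baseDN="dc=washington,dc=edu"
      principal="cn=urizen3.cac.washington.edu" useStartTLS="true">
    <LDAPProperty name="java.naming.security.authentication" value="EXTERNAL"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""
FIXED = BROKEN.replace('useStartTLS="true">', 'useStartTLS="true" authenticationType="EXTERNAL">')
FIXED = FIXED.replace('<LDAPProperty name="java.naming.security.authentication" value="EXTERNAL"/>', "")
```

Running lint_resolver over attribute-resolver.xml at deploy time gives the "log an error" option Daniel mentions without waiting for the NullPointerException at pool validation.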
