[Shib-Users] how to follow referral during attribute resolving


ascag...@units.it

Apr 30, 2011, 4:21:02 AM
to shibbole...@internet2.edu
Hi,

The question is simple: I need to tell attribute-resolver.xml to follow
the referral. How can I do that?

This setting in attribute-resolver.xml

===================

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://IPOFMYDC/"
        baseDN="dc=mydomain,dc=it"
        principal="acc...@mydomain.it"
        principalCredential="password"
        referral="follow">
    <dc:FilterTemplate>
        <![CDATA[(sAMAccountName=$requestContext.principalName)]]>
    </dc:FilterTemplate>
</resolver:DataConnector>

=======================

gives this error:

=======================

09:57:49.625 - INFO
[edu.internet2.middleware.shibboleth.common.config.BaseService:157] -
Loading new configuration for service shibboleth.AttributeResolver
09:57:49.743 - ERROR
[edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
Configuration was not loaded for shibboleth.AttributeResolver service,
error creating components. The root cause of this error was:
org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute
'referral' is not allowed to appear in element 'resolver:DataConnector'.

========================

I've seen, using the vt-ldap Java libraries and their ldapsearch, that
the following command fails:

=========================

root@machine:/opt/Backup/JAAS/vt-ldap-3.3.3/bin# ./ldapsearch -ldapUrl
ldap://IPOFMYDC -baseDn dc=mydomain,dc=it -bindDn acc...@mydomain.it
-query cn=usertolookfor -bindCredential PASSWORD


[DEBUG] Ldap - Search with the following parameters:
[DEBUG] Ldap - dn = dc=mydomain,dc=it
[DEBUG] Ldap - filter = cn=usertolookfor
[DEBUG] Ldap - filterArgs = []
[DEBUG] Ldap - searchControls =
javax.naming.directory.SearchControls@ae94e92
[DEBUG] Ldap - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@5b2558d6]
[DEBUG] DefaultConnectionHandler - Bind with the following parameters:
[DEBUG] DefaultConnectionHandler - authtype = simple
[DEBUG] DefaultConnectionHandler - dn = acc...@mydomain.it
[DEBUG] DefaultConnectionHandler - credential = <suppressed>
Operation failed:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=idemts,dc=units,dc=it'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2820)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at edu.vt.middleware.ldap.handler.AbstractResultHandler.process(AbstractResultHandler.java:83)
at edu.vt.middleware.ldap.AbstractLdap.search(AbstractLdap.java:231)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:431)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:347)
at edu.vt.middleware.ldap.Ldap.search(Ldap.java:221)
at edu.vt.middleware.ldap.LdapCli.search(LdapCli.java:149)
at edu.vt.middleware.ldap.LdapCli.dispatch(LdapCli.java:118)
at edu.vt.middleware.ldap.AbstractCli.performAction(AbstractCli.java:101)
at edu.vt.middleware.ldap.LdapCli.main(LdapCli.java:60)

=================

while if I specify to follow referrals, the command succeeds:

===================

root@machine:/opt/Backup/JAAS/vt-ldap-3.3.3/bin# ./ldapsearch -ldapUrl
ldap://IPOFMYDC -baseDn dc=mydomain,dc=it -bindDn acc...@mydomain.it
-query cn=usertolookfor -referral follow -bindCredential PASSWORD


[DEBUG] Ldap - Search with the following parameters:
[DEBUG] Ldap - dn = dc=mydomain,dc=it
[DEBUG] Ldap - filter = cn=usertolookfor
[DEBUG] Ldap - filterArgs = []
[DEBUG] Ldap - searchControls =
javax.naming.directory.SearchControls@ae94e92
[DEBUG] Ldap - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@5b2558d6]
[DEBUG] DefaultConnectionHandler - Bind with the following parameters:
[DEBUG] DefaultConnectionHandler - authtype = simple
[DEBUG] DefaultConnectionHandler - dn = acc...@mydomain.it
[DEBUG] DefaultConnectionHandler - credential = <suppressed>
dn: CN=arjuna,OU=idp,dc=mydomain,dc=it
eduPersonPrincipalName: usertolookfor
eduPersonAffiliation: faculty
eduPersonScopedAffiliation: faculty
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 129485583710468750
sAMAccountType: 805306368
eduPersonNickname: arj
whenChanged: 20110429134611.0Z
logonCount: 0
sAMAccountName: usertolookfor
primaryGroupID: 513
name: usertolookfor
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=mydomain,DC=it
eduPersonEntitlement: maestro della ruota
distinguishedName: CN=usertolookfor,OU=idp,DC=mydomain,DC=it
uSNChanged: 16432
objectSid:: AQUAAAAAAAUVAAAA77+977+977+9AkgCNhzvv73vv73vv73vv71QBAAA
whenCreated: 20110429132925.0Z
badPasswordTime: 0
userAccountControl: 544
countryCode: 0
objectClass: organizationalPerson
objectClass: person
objectClass: user
objectClass: top
uSNCreated: 16410
badPwdCount: 0
instanceType: 4
lastLogoff: 0
pwdLastSet: 129485578781562500
accountExpires: 9223372036854775807
codePage: 0
cn: usertolookfor
lastLogon: 0
objectGUID:: xpTvv73vv71S77+977+9S++/vXbvv73vv70n77+977+977+9

Thanks for helping,
Arjuna Scagnetto

Servizi Informatici Facoltà di Medicina e Chirurgia
Università degli Studi di Trieste
Ospedale di Cattinara Via Strada Fiume 447
34149 Trieste - ITALY

voice: +39 040 912994
fax : +39 040 399 4679
email: ascag...@units.it
web : http://www.fmc.units.it/ServiziInformatici

----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.

Daniel Fisher

Apr 30, 2011, 11:51:01 AM
to shibbole...@internet2.edu
On Sat, Apr 30, 2011 at 4:21 AM, <ascag...@units.it> wrote:
>
> hi,
>
> the question is simple, i need to tell to the attribute-resolver.xml to follow the referral, how can i do that?
>
> this setting of attribute-resolver.xml
>
> ===================
>
> <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
>        ldapURL="ldap://IPOFMYDC/"
>        baseDN="dc=mydomain,dc=it"
>        principal="acc...@mydomain.it"
>        principalCredential="password"
>        referral="follow">
>        <dc:FilterTemplate>
>            <![CDATA[(sAMAccountName=$requestContext.principalName)]]>
>        </dc:FilterTemplate>
>    </resolver:DataConnector>
>

Try adding <LDAPProperty name="edu.vt.middleware.ldap.referral"
value="follow"/>

--Daniel Fisher

ascag...@units.it

Apr 30, 2011, 4:16:41 PM
to shibbole...@internet2.edu
Daniel Fisher <dfi...@vt.edu> wrote:

That line gives me a parse error, while this one works fine:

<dc:LDAPProperty name="edu.vt.middleware.ldap.referral" value="follow"/>

thanks
Arjuna

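For readers landing on this thread later, here is the complete connector the exchange above arrives at, written as an added example rather than copied from the original posts or from the Shibboleth project. The schema error in the first message (`Attribute 'referral' is not allowed to appear in element 'resolver:DataConnector'`) is the IdP 2.x resolver schema rejecting an attribute it does not define; vt-ldap settings such as referral handling are passed through as `LDAPProperty` child elements instead, and those children carry the `dc:` prefix when the file declares the data-connector namespace that way, exactly as the working one-liner at the end of the thread does. The host name, service account, `useStartTLS`, the `ReturnAttributes` list and the element order (FilterTemplate, then ReturnAttributes, then LDAPProperty, which is the schema sequence as I recall it) are assumptions; the `OU=idp` base DN is taken from the `distinguishedName` in the successful ldapsearch output.

```xml
<!-- Added example: a Shibboleth IdP 2.x LDAPDirectory connector with referral
     following configured the way the thread concludes it must be. Host, service
     account, attribute list and element order are assumptions, not from the thread. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://dc.mydomain.example/"
        baseDN="OU=idp,DC=mydomain,DC=it"
        principal="svc-idp@mydomain.it"
        principalCredential="CHANGE-ME"
        useStartTLS="true">

    <!-- The filter is evaluated with the IdP's service-account bind;
         $requestContext.principalName is the user name the IdP has already
         authenticated, so the search is scoped to one known account. -->
    <dc:FilterTemplate>
        <![CDATA[
            (sAMAccountName=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>

    <!-- Assumed optional element: fetch only what the IdP will release rather
         than the whole entry the ldapsearch output above shows. -->
    <dc:ReturnAttributes>sAMAccountName eduPersonPrincipalName eduPersonAffiliation eduPersonScopedAffiliation eduPersonEntitlement</dc:ReturnAttributes>

    <!-- Referral handling is a vt-ldap property, not a DataConnector attribute.
         It must carry the dc: prefix here, matching the other child elements;
         an unprefixed <LDAPProperty> fails to parse, as reported in the thread. -->
    <dc:LDAPProperty name="edu.vt.middleware.ldap.referral" value="follow"/>
</resolver:DataConnector>
```

Two points worth checking before enabling `follow` in production. The `PartialResultException: Unprocessed Continuation Reference(s)` in the first post is what Active Directory produces when a search is rooted at the domain naming context over port 389: the domain controller answers with referrals for partitions it does not hold (the configuration and DNS application partitions, or another domain in the forest, here `dc=idemts,dc=units,dc=it`), and a client that refuses to chase them surfaces the error. Following referrals makes the IdP open connections to whatever servers the referrals name and rebind there with its service credential. If the accounts all live under one OU, setting `baseDN` to that OU (as above) avoids the referrals entirely; querying the global catalog port (3268) instead of 389 is the other common way to get a referral-free answer for a whole forest. Either keeps the resolver's bind credential on the servers you intended.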