[Shib-Users] IDP 2.1.2 login.config to LDAPS (SSL)


Nuno Gonçalves

Jun 30, 2009, 12:15:24 PM
to Shibboleth Users
Hi all,

I'm trying to connect an Identity Provider Shibboleth 2.1.2 to an LDAP server that uses SSL.
I saw some examples even in the shibboleth wiki.
Anyway my question is very simple,

How to configure login.config in order to perform authentication in an LDAP that uses SSL on port 636 ?
The LDAP server uses certificates. Is there any way of configuring the certificate (public key .crt) in login.config ?

Never saw a similar config using a certificate.
The usual config that I saw available are something like:

ShibUserPassAuth {
        edu.vt.middleware.ldap.jaas.LdapLoginModule required
        base="ou=OU,dc=DC,dc=pt"
        host="ldaps://193.xxx.xxx.xxx"
        port="636"
        serviceCredential="XXXXXX"
        serviceUser="cn=xxxxxx,ou=xxxxxx,dc=xxxxxxx,dc=pt"
        subtreeSearch="true"
        ssl="true"
        userField="sAMAccountName"
        referral="follow";
};

Isn't it necessary to specify the certificate in order to connect ?

thanks for your time
best regards
Nuno

Chad La Joie

Jun 30, 2009, 12:21:18 PM
to Shibboleth Users

Nuno Gonçalves wrote:
> How to configure login.config in order to perform authentication in a
> LDAP that uses SSL on port 636 ?

What you have is correct.

> The LDAP server uses certificates. Is there anyway of configuring the
> certificate (public key .crt) in login.config ?

You have to add it to your JDK truststore; there is no way to specify it
in the login.config.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

fabio....@unimib.it

Aug 13, 2009, 10:36:01 AM
to shibbole...@internet2.edu
> > The LDAP server uses certificates. Is there anyway of configuring the
> > certificate (public key .crt) in login.config ?
>
> You have to add it to your JDK truststore, there is no way to specify it
> in the login.config

Hello, please I have the same issue.
I created a .jks truststore with the LDAP client certificate AND the CA
certificate used to sign that certificate. Just to be redundant.

Now, I have to find a means to tell Shibboleth (2.X) to search for
certificates in that keystore. I edited /etc/tomcat5.5/server.xml, adding
those lines to the <Connector> entry like this:

<Connector port="8009" address="127.0.0.1"
enableLookups="false"
redirectPort="443"
protocol="AJP/1.3"
tomcatAuthentication="false"
truststoreFile="/opt/shibboleth-idp/credentials/truststore.jks"
truststorePass="XXXXXXXXXXXXX" />

I still get TLS and SSL errors when I try to login (respectively
configuring login.config to use port 389 and TLS, and port 636 and SSL).

Any help would be greatly appreciated. I could not find anything about
this in this documentation page:
https://spaces.internet2.edu/display/SHIB2/IdPJBossTomcatPrepare
nor anything else in the mailing list. I hope I searched it well :)

Thanks so much,
--
Fabio Spelta
Universita` degli Studi di Milano - Bicocca
Sistemi Informativi
Via R. Cozzi 53 - 20125 Milano
Tel. 02/64485533 - Fax 02/64485550

Scott Cantor

Aug 13, 2009, 10:44:56 AM
to shibbole...@internet2.edu
> > You have to add it to your JDK truststore, there is no way to specify it
> > in the login.config
>
> Hello, please I have the same issue.

And it's the same solution.

> I created a .jks truststore with the LDAP client certificate AND the CA
> certificate used to sign that certificate. Just to be redundant.
>
> Now, I have to find a mean to specify to Shibboleth (2.X) to search for
> certificates in that keystore.

No, you don't. You have to add it to the *JDK* trust store, it has nothing
to do with Shibboleth.

-- Scott


Chad La Joie

Aug 13, 2009, 10:45:22 AM
to shibbole...@internet2.edu
This has nothing to do with LDAPS support.


fabio....@unimib.it

Aug 13, 2009, 10:57:19 AM
to shibbole...@internet2.edu

> the *JDK* trust store

Thank you so much Scott, I missed that. And that solved the issue.

For others' reference, that keystore for me (java 6 on Debian) was
in /etc/java-6-sun/security/cacerts (so don't search for a file with
a .jks extension). I just replaced that keystore with mine and it works
OK.

Thanks, ciao
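The fix agreed on in this thread is to get the LDAP server's CA certificate into the JDK trust store that the IdP's JVM (and so the JAAS LdapLoginModule) consults. The script below is an added example, not code from the thread or from the Shibboleth project: it imports the CA certificate into cacerts under its own alias, keeping a backup and the existing public roots, instead of overwriting the whole file. The cacerts path (taken from the Debian java-6-sun layout named above), the default password `changeit`, the alias `ldap-ca` and the certificate path are assumptions to adjust for your JDK.

```shell
#!/bin/sh
# Added example: add one CA certificate to the JDK trust store used by the
# IdP's JVM, without replacing cacerts. Paths, alias and password are
# assumptions; the JDK default trust store password is "changeit".
set -eu

CACERTS="${CACERTS:-/etc/java-6-sun/security/cacerts}"   # Debian java-6-sun layout
STOREPASS="${STOREPASS:-changeit}"

# Return 0 if the alias is already present in the given keystore.
has_alias() {
    # $1 = keystore file, $2 = alias
    keytool -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" >/dev/null 2>&1
}

# Import a CA certificate (PEM or DER .crt) under an alias. Idempotent:
# if the alias exists nothing is changed. The original store is backed up.
import_ca() {
    # $1 = keystore file, $2 = alias, $3 = certificate file
    if has_alias "$1" "$2"; then
        echo "alias '$2' already present in $1, nothing to do" >&2
        return 0
    fi
    if [ -f "$1" ]; then
        cp -p "$1" "$1.bak"           # keep the shipped cacerts with its public roots
    fi
    keytool -importcert -noprompt -trustcacerts \
        -keystore "$1" -storepass "$STOREPASS" \
        -alias "$2" -file "$3" >/dev/null
}

# Print the subject of the stored entry so the admin can confirm it is the
# CA that actually signed the LDAPS server's certificate.
show_alias() {
    # $1 = keystore file, $2 = alias
    keytool -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" \
        | grep '^Owner:' | head -n 1
}

# Usage: import_ldap_ca /path/to/ldap-ca.crt [alias]
# (placeholder path; afterwards restart Tomcat so the JVM rereads cacerts)
import_ldap_ca() {
    import_ca "$CACERTS" "${2:-ldap-ca}" "$1"
    show_alias "$CACERTS" "${2:-ldap-ca}"
}
```

Import the issuing CA rather than the server's own certificate where you can, so a routine server certificate renewal does not break IdP logins again.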
