[Shib-Users] Retrieve attributes from 2 different domains - attribute-resolver.xml


Cassell, Cliff

Jul 14, 2009, 7:32:38 AM
to shibbole...@internet2.edu

Hi

I am trying to get IDP 2.1 to authenticate to 2 different domains and have run into a bit of a snag.

I have configured the login.config file to have 2 different "edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient" settings in the "ShibUserPassAuth{}" and this actually does authenticate to both domains.

Now the issue is I can only retrieve attributes from one domain at a time. In the "attribute-resolver.xml", I can change the "resolver:DataConnector" to point to one domain or another but I need to set this up to try one then the other in a form of failover or referral. They both require different ldap, basedn, principal and principalcredential settings.

Can someone shed some light on how to specify 2 resolver dataconnectors or point me to the right direction of where to look?

 

Example:

Dataconnect 1: Resolves to domain1

<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER1.DOMAIN1.LOCAL:389" baseDN="CN=users,DC=domain1,DC=local" principal="ld...@domain1.local"
        principalCredential="password1">

Dataconnect 2: Resolves to domain2

<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER2.DOMAIN2.LOCAL:389" baseDN="CN=users,DC=domain2,DC=local" principal="ld...@domain2.local"
        principalCredential="password2">

Required: DataConnector 3 that combines the 2.

 

Thanx in advance

Kind Regards

Cliff Cassell

Onsite Team Leader | IT Services (Getronics UK) | City Lit
Tel:  020 7492 2583 | Mob:  07904 805 462 | www.citylit.ac.uk


DISCLAIMER:
****************************************************************************
For the latest City Lit news & information, please visit our website www.citylit.ac.uk
****************************************************************************
The City Literary Institute
Registered Office: 1-10 Keeley Street , London WC2B 4BA
Registered in England no: 2471686
Registered Charity no: 803007
****************************************************************************
PRIVACY AND CONFIDENTIALITY NOTICE.
****************************************************************************
This e-mail may contain privileged or confidential information. The message and any files transmitted with it are intended only for the use of the recipient or organisation to whom it is addressed. If you are not the intended recipient, no action may be taken on the information nor may it be copied or shown to a third party and you are asked to notify the sender named above. Views expressed in this message are those of the individual sender, except where specifically stated to be the views of The City Literary Institute.

Scott Cantor

Jul 14, 2009, 11:40:10 AM
to shibbole...@internet2.edu
> Now the issue is I can only retrieve attributes from one domain at a time.
> In the "attribute-resolver.xml", I can change the "resolver:DataConnector"
> to point to one domain or another but I need to set this up to try one then
> the other in a form of failover or referral. They both require different
> ldap, basedn, principal and principalcredential settings.

You can probably use a failover dependency to link the two (see wiki).

-- Scott


Cassell, Cliff

Jul 14, 2009, 12:40:09 PM
to shibbole...@internet2.edu
Hi Scott

I have spent what feels like weeks on the Wiki trying to get this to work. I feel I have got so far but when it comes to the failover there just isn't enough info and no examples to help.

My dataconnectors currently look like this:

<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER1.DOMAIN1.LOCAL:389" baseDN="CN=users,DC=domain1,DC=local" principal="ld...@domain1.local"
        principalCredential="password">

    <resolver:FailoverDataConnector ref="myLDAP2" />
    ....
</resolver:DataConnector>

<resolver:DataConnector id="myLDAP2" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER2.DOMAIN2.LOCAL:389" baseDN="CN=Users,DC=domain2,DC=local" principal="ld...@domain2.local"
        principalCredential="password1">
    ....
</resolver:DataConnector>

I am sure that the resolver failover is in the right place, but the logs show it only binds to the first domain, doesn't find the account and fails, which is annoying as the logs state "Authentication succeeded for user:..." before the bind for attributes begins. I have tried every method I can determine from reading the wikis. I don't understand why it doesn't failover to the next bind.


Kind Regards

Cliff Cassell

Onsite Team Leader | IT Services (Getronics UK) | City Lit
Tel: 020 7492 2583 | Mob: 07904 805 462 | www.citylit.ac.uk


Rod Widdowson

Jul 14, 2009, 12:52:44 PM
to shibbole...@internet2.edu

Scott Cantor

Jul 14, 2009, 12:57:22 PM
to shibbole...@internet2.edu
> I have spent what feels like weeks on the Wiki trying to get this to work. I
> feel I have got so far but when it comes to the failover there just isn't
> enough info and no examples to help.

I've never done it with 2.x. I just know the feature still exists.

> I am sure that the resolver failover is in the right place but the logs show
> it only binds to the first domain, doesn't find the account and fails which
> is annoying as the logs state "Authentication succeeded for user:..." before
> the bind for attributes begin. I have tried every method I can determine
> from reading the wikis. I don't understand why it doesn't failover to the
> next bind.

Neither do I, but I haven't tried it. Maybe there's a bug.

-- Scott


Chad La Joie

Jul 14, 2009, 1:02:42 PM
to shibbole...@internet2.edu
The absence of an account in the directory is not a failure, unless you
configure the connector to treat it as such. You could try the
'noResultIsError' property. It's in the documentation.

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

Cassell, Cliff

Jul 14, 2009, 1:36:38 PM
to shibbole...@internet2.edu
Hi Rod
I had a look at https://spaces.internet2.edu/display/SHIB2/IdPMultipleLDAP at the beginning but as far as I can tell, it refers to multiple ldap servers on the same domain / search base and I needed to search 2 different domains.

Chad, thank you so much. It was the 'noResultIsError' property. My first connector now looks like:


<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER1.DOMAIN1.LOCAL:389" baseDN="CN=users,DC=domain1,DC=local" principal="ld...@domain1.local"
        principalCredential="password" noResultIsError="true">

    <resolver:FailoverDataConnector ref="myLDAP2" />
    ....
</resolver:DataConnector>

Considering the FailoverDataConnector doesn't work (failover) without noResultIsError being set to true, I wonder why I couldn't find any direct statements and especially examples of their relationship on the Wikis. Again, thanx everyone for your help. I can now sleep well for the first time in 2 weeks.


Kind Regards

Cliff Cassell

Onsite Team Leader | IT Services (Getronics UK) | City Lit
Tel: 020 7492 2583 | Mob: 07904 805 462 | www.citylit.ac.uk

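The whole configuration the thread arrives at, written out as an added example rather than taken from the original posts or from the Shibboleth documentation: a primary LDAPDirectory connector for domain1 with noResultIsError="true" and a FailoverDataConnector pointing at the domain2 connector, plus one attribute definition that depends on the primary connector. Host names, base DNs, service-account names, the filter attribute (sAMAccountName), the returned attributes and the credentials are assumed placeholders. It also assumes, as the thread describes the feature, that when the primary connector raises an error the failover connector's results are served under the primary connector's id, so attribute definitions only need a Dependency on myLDAP.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the original posts): attribute-resolver.xml for
     an IdP 2.x that must look users up in two unrelated AD domains. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver classpath:/schema/shibboleth-2.0-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:dc classpath:/schema/shibboleth-2.0-attribute-resolver-dc.xsd
                        urn:mace:shibboleth:2.0:resolver:ad classpath:/schema/shibboleth-2.0-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder classpath:/schema/shibboleth-2.0-attribute-encoder.xsd">

    <!-- Primary connector: domain1.
         noResultIsError="true" is the key setting from the thread: without it, an
         account that does not exist in domain1 is an empty (successful) result and the
         failover connector is never consulted. With it, "no such user here" becomes an
         error, which is what triggers the FailoverDataConnector.
         principal/principalCredential are assumed placeholders for a read-only service
         account; the password is stored in cleartext in this file, so the file should be
         readable only by the user the IdP runs as. -->
    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER1.DOMAIN1.LOCAL:389"
        baseDN="CN=Users,DC=domain1,DC=local"
        principal="svc-shib@domain1.local"
        principalCredential="CHANGE-ME-domain1"
        noResultIsError="true">
        <!-- Must come before the LDAPDirectory-specific elements. -->
        <resolver:FailoverDataConnector ref="myLDAP2" />
        <!-- $requestContext.principalName is the name established by the JAAS login;
             sAMAccountName is the assumed AD attribute it corresponds to. -->
        <FilterTemplate>
            <![CDATA[
                (sAMAccountName=$requestContext.principalName)
            ]]>
        </FilterTemplate>
        <!-- Ask only for what the attribute definitions need (assumed list). -->
        <ReturnAttributes>sAMAccountName mail givenName sn</ReturnAttributes>
    </resolver:DataConnector>

    <!-- Failover connector: domain2. noResultIsError is left at its default (false)
         here on the assumption that a user found in neither domain should resolve to no
         attributes rather than fail the whole resolution; set it to "true" if you would
         rather see a logged resolver error in that case (assumed behaviour). -->
    <resolver:DataConnector id="myLDAP2" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://SERVER2.DOMAIN2.LOCAL:389"
        baseDN="CN=Users,DC=domain2,DC=local"
        principal="svc-shib@domain2.local"
        principalCredential="CHANGE-ME-domain2">
        <FilterTemplate>
            <![CDATA[
                (sAMAccountName=$requestContext.principalName)
            ]]>
        </FilterTemplate>
        <ReturnAttributes>sAMAccountName mail givenName sn</ReturnAttributes>
    </resolver:DataConnector>

    <!-- One attribute sourced from the primary connector; when failover happens the
         value comes from domain2 through the same dependency (assumed, see lead-in). -->
    <resolver:AttributeDefinition id="email" xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2String"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" />
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

The point to check when testing this is the one Chad makes: failover is driven by errors, not by empty results. A user present only in domain2 should produce a logged error from myLDAP followed by a successful lookup through myLDAP2; if the IdP instead logs a clean empty result from myLDAP and stops, noResultIsError is missing or misspelled on the primary connector. Each connector binds with its own domain's service account, so keep both accounts read-only and scoped to the users container.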

Chad La Joie

Jul 14, 2009, 1:47:44 PM
to shibbole...@internet2.edu
It does work, if there is an actual failure. The lack of some account
being in the directory isn't a failure, it's just the lack of an account.

Scott Cantor

Jul 14, 2009, 2:17:32 PM
to shibbole...@internet2.edu
> Considering the FailoverDataConnector doesn't work (failover) without
> noResultIsError being set to true, I wonder why I couldn't find any direct
> statements and especially examples of their relationship on the Wikis.

Mainly because people complain a lot about the documentation and considerably fewer people do anything to help improve it.

-- Scott


Brewer, Edward L

Jul 14, 2009, 3:55:30 PM
to shibbole...@internet2.edu
To all,

This may be the wrong forum to ask this question... but Microsoft is running me around in circles. Does anyone know who you need to contact to gain access to Dreamspark via InCommon... I submitted a ticket to technical support and I keep getting the answer to read the FAQ and the FAQ states to contact technical support to register... so I have a nice little circle....

Lee Brewer

Scott Cantor

Jul 14, 2009, 4:28:22 PM
to shibbole...@internet2.edu
Brewer, Edward L wrote on 2009-07-14:
> To all,
>
> This may be the wrong forum to ask this question...

There's a dedicated list at inc-dre...@incommonfederation.org that might be more "monitored" by them.

(I was unaware there was any need to register at all, they were pretty open with it in the past.)

-- Scott

Brewer, Edward L

Jul 14, 2009, 4:52:12 PM
to shibbole...@internet2.edu
Scott,

Thanks. When I wrote register I meant authorize. From their FAQ titled "University Administrator FAQ",

and the section that starts with "Now that I have become an IdP…"

It states to contact DreamSpark technical support to “review and authorize” our IdP to be added to the list of authorized verification resources.

It asks for an access code instead of sending users to our IdP to authenticate. I submitted to the other group.

Thanks again,
Lee Brewer
