I have set up and configured an SP and an IdP instance. The IdP is installed in
JBoss 5.01, and I have OpenDS as my LDAP server, where I created a few entities
(user IDs/passwords).
I have configured the IdP's login handler as:
==========================================
<!-- handler.xml -->
<LoginHandler xsi:type="UsernamePassword"
    jaasConfigurationLocation="file:////c://SWInstalls//shibboleth-idp//conf//login.config">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthenticationMethod>
</LoginHandler>
============================================
<!-- login.config -->
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldap.pictorsolutions.com"
        base="ou=people,dc=pictor,dc=com"
        port="389"
        subtreesearch="true"
        serviceUser="cn=Directory Manager"
        serviceCredential="password"
        ssl="false"
        userField="uid";
};
==============================================
When I navigate to https://sp.pictorsolutions.com/secure, I am directed to the
Shibboleth Identity Provider login page. When I enter the user ID/password of one
of my test entities in LDAP, I get an "Authentication Failure" error, and when
I check the logs I see the following. It looks like the UsernamePasswordLogin is
looking for a users.properties file locally instead of using login.config
to authenticate against LDAP.
========================================
08:23:31.797 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:138] - Redirecting to login page https://idp.pictorsolutions.com:443/idp/login.jsp?actionUrl=%2Fidp%2FAuthn%2FUserPassword
08:23:31.985 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:31.985 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:32.219 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:32.219 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:50.702 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:93] - Attempting to retrieve IdP session cookie.
08:23:50.702 TRACE [edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter:105] - No IdP session cookie sent by the client.
08:23:50.802 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: Missing users.properties file.
    at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:148)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:165)
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:100)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:72)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve
=========================================
Can someone please verify I did not miss any configuration?
thanx in advance.
-ram
JBoss has its own JAAS configuration requirements that are specific to it;
you can't use the IdP's embedded config for it.
Search the list, if it's not in the wiki.
-- Scott
=========== login-config.xml ===================
<application-policy name="ShibUserPassAuth">
    <authentication>
        <!--
        <login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
        -->
        <login-module code="edu.vt.middleware.ldap.jaas.LdapLoginModule" flag="required">
            <module-option name="contextFactory">com.sun.jndi.ldap.LdapCtxFactory</module-option>
            <module-option name="ldapUrl">ldap://ldap.pictorsolutions.com:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="userField">uid=</module-option>
            <module-option name="baseDn">ou=People,dc=pictor,dc=com</module-option>
            <module-option name="bindDn">cn=Directory Manager</module-option>
            <module-option name="bindCredential">password</module-option>
        </login-module>
    </authentication>
</application-policy>
===================================================
Now the authentication failure still happens, but when I check the log file I
see the following error:
11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:299] - edu.vt.middleware.ldap.auth.userField = uid=
11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:392] - Called setUserField for edu.vt.middleware.ldap.Authenticator
11:00:53.157 DEBUG [edu.vt.middleware.ldap.LdapProperties:337] - edu.vt.middleware.ldap.principalDNSuffix = ou=People,dc=pictor,dc=com
11:00:53.157 ERROR [edu.vt.middleware.ldap.LdapProperties:396] - Could not invoke method setPrincipalDNSuffix
java.lang.NoSuchMethodException: edu.vt.middleware.ldap.LdapConfig.setPrincipalDNSuffix(java.lang.String)
    at java.lang.Class.getMethod(Class.java:1605)
    at edu.vt.middleware.ldap.LdapProperties.invokeMethod(LdapProperties.java:389)
    at edu.vt.middleware.ldap.LdapProperties.setLdapConfig(LdapProperties.java:340)
    at edu.vt.middleware.ldap.LdapProperties.initialize(LdapProperties.java:272)
.....
.....
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Authenticator:149] - Looking up DN from userfield and base
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:665] - One level search with the following parameters:
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:666] - dn = null
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:667] - attributes = <not shown>
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:668] - return attributes =
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:676] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1513] - Bind with the following parameters:
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1514] - dn = null
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1518] - credential = <suppressed>
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1520] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1528] - dn or credential is null, authtype set to none
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1539] - TLS not used
11:00:53.157 DEBUG [edu.vt.middleware.ldap.Ldap:1540] - authtype is none
11:00:53.167 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: java.lang.NullPointerException
    at javax.naming.NameImpl.<init>(NameImpl.java:264)
    at javax.naming.CompositeName.<init>(CompositeName.java:214)
===============
Am I not setting the configuration properties correctly, or am I using an
incompatible version of the vt-ldap jar?
Any help is appreciated.
thanx
-ram
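An added cross-check, not code from the thread or from the Shibboleth or vt-ldap projects: it parses the IdP-style login.config and the JBoss login-config.xml quoted above (constructed copies embedded inline), then lists option names present on only one side and shared options whose values differ, which surfaces the userField mismatch ("uid" in login.config versus "uid=" in login-config.xml) that the log also shows. Call diff_policies(parse_jaas(IDP_LOGIN_CONFIG), parse_jboss(JBOSS_LOGIN_CONFIG), 'ShibUserPassAuth') to get the report.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copies of the two configurations quoted in the thread: the
# IdP's JAAS login.config and the JBoss login-config.xml application-policy.
IDP_LOGIN_CONFIG = """ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
    host="ldap.pictorsolutions.com" base="ou=people,dc=pictor,dc=com"
    port="389" subtreesearch="true" serviceUser="cn=Directory Manager"
    serviceCredential="password" ssl="false" userField="uid";
};"""
JBOSS_LOGIN_CONFIG = """<application-policy name="ShibUserPassAuth">
  <authentication>
    <login-module code="edu.vt.middleware.ldap.jaas.LdapLoginModule" flag="required">
      <module-option name="contextFactory">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="ldapUrl">ldap://ldap.pictorsolutions.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="userField">uid=</module-option>
      <module-option name="baseDn">ou=People,dc=pictor,dc=com</module-option>
      <module-option name="bindDn">cn=Directory Manager</module-option>
      <module-option name="bindCredential">password</module-option>
    </login-module>
  </authentication>
</application-policy>"""

# One JAAS entry: Name { ModuleClass Flag option="value" ...; };
ENTRY_RE = re.compile(r'(\w+)\s*\{\s*([\w.]+)\s+(\w+)\s+(.*?);\s*\};', re.S)
OPTION_RE = re.compile(r'([\w.]+)\s*=\s*"([^"]*)"')

def parse_jaas(text):
    """Map policy name -> (module class, flag, {option: value}) for a JAAS login.config."""
    return {name: (cls, flag, dict(OPTION_RE.findall(opts)))
            for name, cls, flag, opts in ENTRY_RE.findall(text)}

def parse_jboss(text):
    """Same shape, read from the <application-policy> elements of a JBoss login-config.xml."""
    out = {}
    for pol in ET.fromstring(text).iter('application-policy'):
        lm = pol.find('authentication/login-module')
        opts = {o.get('name'): (o.text or '').strip() for o in lm.findall('module-option')}
        out[pol.get('name')] = (lm.get('code'), lm.get('flag'), opts)
    return out

def diff_policies(idp, jboss, name):
    """Report option names present on only one side and shared options whose values differ."""
    a, b = idp[name][2], jboss[name][2]
    return {'idp_only': sorted(set(a) - set(b)),
            'jboss_only': sorted(set(b) - set(a)),
            'differ': {k: (a[k], b[k]) for k in sorted(set(a) & set(b)) if a[k] != b[k]}}
```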
--
Chad La Joie
http://itumi.biz
trusted identities, delivered
==========================
22:03:52.003 DEBUG [edu.vt.middleware.ldap.Authenticator:149] - Looking up DN from userfield and base
22:03:52.005 DEBUG [edu.vt.middleware.ldap.Ldap:665] - One level search with the following parameters:
22:03:52.005 DEBUG [edu.vt.middleware.ldap.Ldap:666] - dn = null
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:667] - attributes = <not shown>
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:668] - return attributes =
22:03:52.006 DEBUG [edu.vt.middleware.ldap.Ldap:676] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1513] - Bind with the following parameters:
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1514] - dn = null
22:03:52.007 DEBUG [edu.vt.middleware.ldap.Ldap:1518] - credential = <suppressed>
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1520] - config = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1528] - dn or credential is null, authtype set to none
22:03:52.008 DEBUG [edu.vt.middleware.ldap.Ldap:1539] - TLS not used
22:03:52.009 DEBUG [edu.vt.middleware.ldap.Ldap:1540] - authtype is none
22:03:52.013 DEBUG [edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:186] - User authentication failed
javax.security.auth.login.LoginException: java.lang.NullPointerException
    at javax.naming.NameImpl.<init>(NameImpl.java:264)
=========================================
Error Message: No peer endpoint available to which to send SAML response.
I was using the URL "https://sp.pictorsolutions.com/secure", which directed me
to the login page.
thanx
-ram