[Shib-Users] Shibboleth LDAP Authentication


Brian Zhang

Jun 23, 2011, 10:29:07 PM
to shibbole...@internet2.edu
I am new to Shibboleth and hope to get some suggestions from you.

I have configured everything according to the instructions. However, when I
try to log in with my user account, it always says "Authentication
Failed".
As I understand it, Shibboleth authentication is not related to attribute-filter.xml and attribute-resolver.xml (which attributes are released, and to whom), so for these two files I just use the original files from the installation.
And from the LDAP log, the IdP did connect to LDAP for a bind operation. Here is the log from LDAP.
 
Jun 24 10:22:44 xxxxx slapd[23352]: conn=555 fd=10 ACCEPT from IP=xxx.xxx.xxx.xxx:xxx (IP=0.0.0.0:389)
Jun 24 10:22:44 xxxxx slapd[23352]: conn=555 op=0 BIND dn="" method=128
Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=0 RESULT tag=97 err=0 text=
Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=1 SRCH base="ou=xxxx,ou=xxxx,o=xxx,c=xx" scope=1 deref=3 filter="(uid=username)"
Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=1 SRCH attr=1.1
Jun 24 10:22:44 xxxxx slapd[23352]: conn=555 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=2 UNBIND
Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 fd=10 closed
 
Here are the login.config and error log for your reference. Please
kindly advise. Thanks a lot.

login.config
=====================================

ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
     ldapUrl=ldap://xxxxxxxx:389
     base="ou=xxxx, ou=xxxx,o=xxx,c=xx"
     ssl="false"
     subtreeSearch="true"
     userField="uid";
}
=====================================

Error Log:
===============================
00:21:13.202 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:138] - Begin initialize
00:21:13.202 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:172] - useFirstPass = false
00:21:13.202 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:173] - tryFirstPass = false
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:174] - storePass = false
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:175] - setLdapPrincipal = true
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:176] - setLdapDnPrincipal = false
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:177] - setLdapCredential = true
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:178] - defaultRole = []
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:179] - principalGroupName = null
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - roleGroupName = null
00:21:13.203 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
00:21:13.203 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: ONELEVEL
00:21:13.204 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting subtreeSearch: true
00:21:13.204 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: SUBTREE
00:21:13.204 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl: false
00:21:13.204 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting ldapUrl: ldap://xxxxxxxx
00:21:13.204 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:274] - setting userField: [uid]
00:21:13.205 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting baseDn: ou=xxx,ou=xxx,o=xxx,c=xx
00:21:13.205 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@14439476::env$
00:21:13.205 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:368] - Begin getCredentials
00:21:13.205 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:369] - useFistPass = false
00:21:13.205 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:370] - tryFistPass = false
00:21:13.205 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:371] - useCallback = false
00:21:13.205 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:372] - callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHand$
00:21:13.206 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:375] - name callback class = javax.security.auth.callback.NameCallback
00:21:13.206 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:377] - password callback class = javax.security.auth.callback.PasswordCallback
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN using userField
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = ou=xxx,ou=xxxx,o=xxx,c=xx
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter = (uid={0})
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs = [username]
00:21:13.206 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls = javax.naming.directory.SearchControls@11c4123
00:21:13.207 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1f873dd]
00:21:13.207 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config = {java.naming.provider.url=ldap://xxxxxxxx:389, java.naming.factory.in$
00:21:13.207 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: DEFAULT
00:21:13.207 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
00:21:13.207 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0} Attempting connection to ldap://xxxxxxxxx for strategy DEFAULT
00:21:13.207 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
00:21:13.207 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple
00:21:13.208 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn = null
00:21:13.208 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>
00:21:13.208 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] -   env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, j$
00:21:13.227 - INFO [edu.vt.middleware.ldap.auth.SearchDnResolver:161] - Search for user: username failed using filter: (uid={0})
00:21:13.228 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed
javax.naming.AuthenticationException: Cannot authenticate dn, invalid dn
        at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:160) ~[vt-ldap-3.3.2.jar:na]
        at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.2.jar:na]
        at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.2.jar:na]
        at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.2.jar:na]
        at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.2.jar:na]
        at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) ~[vt-ldap-3.3.2.jar:na]
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_12]
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.6.0_12]
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.6.0_12]
        at java.lang.reflect.Method.invoke(Method.java:597) ~[na:1.6.0_12]
        at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [na:1.6.0_12]
        at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [na:1.6.0_12]
        at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [na:1.6.0_12]
        at java.security.AccessController.doPrivileged(Native Method) [na:1.6.0_12]
        at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [na:1.6.0_12]
        at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [na:1.6.0_12]
        at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160) [shib$
        at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106) [shibboleth-id$
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.32]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
        at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49) [shibboleth-identityprovider-2.2.1.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
        at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:77) [shibboleth-identityprovider-2.2.1.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
        at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.2.1.jar:na]
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.32]
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.32]
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.32]
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.32]
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.32]
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.32]
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:859) [tomcat-coyote.jar:6.0.32]
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:588) [tomcat-coyote.jar:6.0.32]
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489) [tomcat-coyote.jar:6.0.32]
        at java.lang.Thread.run(Thread.java:619) [na:1.6.0_12]
00:21:13.229 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:248] - Begin abort
00:21:13.229 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:260] - Begin logout

Daniel Fisher

Jun 23, 2011, 10:57:59 PM
to shibbole...@internet2.edu
On Thu, Jun 23, 2011 at 10:29 PM, Brian Zhang <ronanz...@gmail.com> wrote:
> Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=1 SRCH
> base="ou=xxxx,ou=xxxx,o=xxx,c=xx" scope=1 deref=3 filter="(uid=username)"
> Jun 24 10:22:44 xxxxx  slapd[23352]: conn=555 op=1 SRCH attr=1.1
> Jun 24 10:22:44 xxxxx slapd[23352]: conn=555 op=1 SEARCH RESULT tag=101
> err=0 nentries=0 text=

Is (uid=username) the correct filter for your schema? If so, confirm
that the entries you expect to find can be seen anonymously.

--Daniel Fisher

Brian Zhang

Jun 23, 2011, 11:30:24 PM
to shibbole...@internet2.edu
Hi Daniel,
 
Thanks for your reply.
 
In fact, I have another authentication mechanism using CAS with LDAP. When I use CAS to do a successful authentication, I can see the log from LDAP, so I guess uid={0} should be the correct filter. Actually I am not so familiar with LDAP. Please advise.
 
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 fd=15 ACCEPT from IP=xxxxxxxxx (IP=0.0.0.0:389)
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=580 fd=10 closed
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=0 BIND dn="uid=username,ou=xxxxxx,ou=xxxxx,o=xxx,c=xx" method=128
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=0 BIND dn="uid=username,ou=xxxx,ou=xxxx,o=xxx,c=xx" mech=SIMPLE ssf=0
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=0 RESULT tag=97 err=0 text=
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=1 SRCH base="uid=username,ou=xxxx,ou=xxxx,o=xxx,c=xx" scope=0 deref=3 filter="(objectClass=*)"
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=1 SRCH attr=mail
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 op=2 UNBIND
Jun 24 11:24:31 hkuoad3 slapd[23352]: conn=581 fd=15 closed


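The two slapd captures in this thread differ in exactly the way Daniel's question is probing: the IdP's connection binds anonymously (dn="") and its search returns nentries=0, while the CAS connection binds directly as the user's DN and then reads that one entry with a base-scope search. The following script is an added example, not code from Shibboleth, vt-ldap, CAS or OpenLDAP, that correlates slapd log lines by conn= id and reports for each connection what it bound as and what each search returned, including the search scope decoded from slapd's numeric value. The two log excerpts inside it are constructed to mirror the captures above, with hostnames, addresses and DNs replaced by example values.

```python
"""Correlate OpenLDAP (slapd) log lines by conn= id and summarize each client's
bind and search results.  Added example for reading the captures in this thread;
not code from Shibboleth, vt-ldap, CAS or OpenLDAP."""
import re
from collections import OrderedDict

# Constructed excerpt modelled on the IdP capture: anonymous bind, then a search.
IDP_LOG = """\
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 fd=10 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=0 BIND dn="" method=128
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=0 RESULT tag=97 err=0 text=
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=1 SRCH base="ou=people,o=example,c=xx" scope=1 deref=3 filter="(uid=username)"
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=1 SRCH attr=1.1
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=1 SEARCH RESULT tag=101 err=0 nentries=0 text=
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 op=2 UNBIND
Jun 24 10:22:44 ldap1 slapd[23352]: conn=555 fd=10 closed
"""

# Constructed excerpt modelled on the CAS capture: direct bind as the user's DN.
CAS_LOG = """\
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 fd=15 ACCEPT from IP=192.0.2.20:40211 (IP=0.0.0.0:389)
Jun 24 11:24:31 ldap1 slapd[23352]: conn=580 fd=10 closed
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=0 BIND dn="uid=username,ou=people,o=example,c=xx" method=128
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=0 BIND dn="uid=username,ou=people,o=example,c=xx" mech=SIMPLE ssf=0
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=0 RESULT tag=97 err=0 text=
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=1 SRCH base="uid=username,ou=people,o=example,c=xx" scope=0 deref=3 filter="(objectClass=*)"
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=1 SRCH attr=mail
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 op=2 UNBIND
Jun 24 11:24:31 ldap1 slapd[23352]: conn=581 fd=15 closed
"""

# LDAP SearchRequest scope values as slapd prints them (scope=N).
SCOPE_NAMES = {0: "base", 1: "onelevel", 2: "subtree", 3: "subordinate"}

CONN_RE = re.compile(r"\bconn=(\d+)\s+(.*)$")
BIND_RE = re.compile(r'op=(\d+) BIND dn="([^"]*)"')
BIND_RESULT_RE = re.compile(r"op=(\d+) RESULT tag=97 err=(\d+)")  # tag 97 = bindResponse
SRCH_RE = re.compile(r'op=(\d+) SRCH base="([^"]*)" scope=(\d+) deref=\d+ filter="([^"]*)"')
SRCH_RESULT_RE = re.compile(r"op=(\d+) SEARCH RESULT tag=\d+ err=(\d+) nentries=(\d+)")


def summarize(log_text):
    """Return {conn_id: {"bind_dn", "bind_err", "searches": {op: {...}}}}.

    bind_dn is "" for an anonymous simple bind (slapd logs dn="") and None if
    the connection sent no BIND in the excerpt."""
    conns = OrderedDict()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if not m:
            continue
        conn_id, rest = m.groups()
        conn = conns.setdefault(conn_id, {"bind_dn": None, "bind_op": None,
                                          "bind_err": None, "searches": OrderedDict()})
        b = BIND_RE.search(rest)
        if b:
            # slapd may log one BIND twice (method=128 line, then mech=SIMPLE line).
            conn["bind_op"], conn["bind_dn"] = b.group(1), b.group(2)
            continue
        s = SRCH_RE.search(rest)
        if s:
            op, base, scope, flt = s.groups()
            conn["searches"][op] = {"base": base, "filter": flt, "err": None, "nentries": None,
                                    "scope": SCOPE_NAMES.get(int(scope), scope)}
            continue
        r = SRCH_RESULT_RE.search(rest)
        if r and r.group(1) in conn["searches"]:
            conn["searches"][r.group(1)]["err"] = int(r.group(2))
            conn["searches"][r.group(1)]["nentries"] = int(r.group(3))
            continue
        br = BIND_RESULT_RE.search(rest)
        if br and br.group(1) == conn["bind_op"]:
            conn["bind_err"] = int(br.group(2))
    return conns


def diagnose(conn):
    """Turn one connection summary into findings phrased as in the thread."""
    findings = []
    if conn["bind_dn"] == "":
        findings.append("anonymous bind")
    elif conn["bind_dn"] is not None:
        findings.append("bound as %s" % conn["bind_dn"])
    if conn["bind_err"] not in (None, 0):
        findings.append("bind failed (err=%d)" % conn["bind_err"])
    for op, s in conn["searches"].items():
        if s["err"] == 0 and s["nentries"] == 0:
            findings.append("op=%s %s search under %s for %s returned no entries: check the "
                            "filter, the base and scope, and whether the entries are readable "
                            "by this bind" % (op, s["scope"], s["base"], s["filter"]))
        elif conn["bind_dn"] and s["scope"] == "base" and s["base"] == conn["bind_dn"]:
            findings.append("op=%s read the bound user's own entry: direct bind, no DN search" % op)
    return findings


if __name__ == "__main__":
    for label, text in (("IdP (search then bind)", IDP_LOG), ("CAS (direct bind)", CAS_LOG)):
        for conn_id, conn in summarize(text).items():
            print(label, "conn=%s:" % conn_id, "; ".join(diagnose(conn)) or "no findings")
```

Run it against a real slapd log by replacing the constructed excerpts with the output of grep for the conn= id of interest; the bind DN, the decoded scope, and the nentries count together tell you whether a zero-result search is a filter or base problem or an access-control problem for the identity that performed the search.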

Daniel Fisher

Jun 23, 2011, 11:36:05 PM
to shibbole...@internet2.edu
On Thu, Jun 23, 2011 at 11:30 PM, Brian Zhang <ronanz...@gmail.com> wrote:
> Hi Daniel,
>
> Thanks for your reply.
>
> In fact, I have another authentication mechanism using CAS with LDAP. When I
> use CAS to do a successful authentication, I can see the log from LDAP, so I
> guess uid={0} should be the correct filter. Actually I am not so familiar
> with LDAP. Please advise.
>

Is CAS configured to use the FastBindLdapAuthenticationHandler or the
BindLdapAuthenticationHandler?

--Daniel Fisher

Brian Zhang

Jun 24, 2011, 4:10:38 AM
to shibbole...@internet2.edu
It should be FastBindLdapAuthenticationHandler.


Daniel Fisher

Jun 24, 2011, 11:18:41 AM
to shibbole...@internet2.edu
The LdapLoginModule can be configured to operate like the
FastBindLdapAuthenticationHandler. However, are you planning on
releasing attributes from this LDAP? If so, you're going to need
access to search entries for attribute resolution.

--Daniel Fisher
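The two configurations Daniel describes, written out as login.config entries. This is an added example, not a fragment from the thread or from the Shibboleth or vt-ldap documentation. The host, base DN and service account are placeholders; bindDn, bindCredential, baseDn, userFilter, subtreeSearch and tls are vt-ldap 3.x options I am confident of, while the dnFormat option (with a %s placeholder for the username) is my recollection of the vt-ldap 3.x direct-bind setting and should be checked against the vt-ldap 3.3 documentation before use. Only one ShibUserPassAuth entry may exist in login.config, so pick one of the two.

```text
// Option A: bind directly as the user, as CAS's FastBindLdapAuthenticationHandler does.
// No search is performed, so neither anonymous nor service-account read access is needed
// for authentication itself.
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
     ldapUrl="ldap://ldap.example.org:389"
     tls="true"
     dnFormat="uid=%s,ou=people,o=example,c=xx";    // assumption: check the vt-ldap 3.3 docs
};

// Option B: keep the search-then-bind flow of the original login.config, but run the search
// as a service account instead of anonymously.  The same bindDn/bindCredential can then be
// reused by the LDAP data connector in attribute-resolver.xml, which also needs to search.
ShibUserPassAuth {
  edu.vt.middleware.ldap.jaas.LdapLoginModule required
     ldapUrl="ldap://ldap.example.org:389"
     tls="true"
     baseDn="ou=people,o=example,c=xx"
     subtreeSearch="true"
     bindDn="cn=idp-search,ou=services,o=example,c=xx"   // placeholder service account
     bindCredential="service-account-password"           // placeholder; keep the file readable by the IdP only
     userFilter="(uid={0})";
};
```

Either way the bind is a simple bind, which sends the user's password (and in option B the service-account credential) in clear over ldap://; the original config had ssl="false" and the CAS capture shows ssf=0, so enable StartTLS (tls="true") or use an ldaps:// URL with ssl="true" before putting this in front of real users. With option A, check that the directory's access rules let the user's own DN read its entry, and note that attribute release still needs an identity that can search, which is the point Daniel raises above.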
