shibboleth-dev - Re: 2.0 Idp, tomcat authn using JAAS....
- From: Peter Gietz <>
- Subject: Re: 2.0 Idp, tomcat authn using JAAS....
- Date: Fri, 02 Nov 2007 10:59:35 +0100
wrote:
> At 5:44 PM -0400 10/29/07, Scott Cantor wrote:
> > You have to combine various pieces of documentation, the JAAS Realm from
> > Tomcat, setting the JAAS configuration itself, and the login module
> > properties.
>
> Thanks very much! This helped a lot!
> As did Daniel's original documentation:
> http://www.middleware.vt.edu/doku.php?id=middleware:opensource:ldap
>
> I'm making it through several of the steps (e.g. Tomcat pops up the form page asking for uid/pass, JAAS/VT successfully authenticates me against LDAP).
> However, I've misconfigured something, and the role/authZ stuff isn't working.
> I see this in the LDAP logs:
>
> conn=231089 op=0 msgId=1 - BIND dn="cn=stc_auth,ou=special users,dc=brown,dc=edu" method=128 version=3
> conn=231089 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=stc_auth,ou=special users,dc=brown,dc=edu"
> conn=231089 op=1 msgId=2 - SRCH base="ou=people,dc=brown,dc=edu" scope=1 filter="(&(uid=stc))" attrs="1.1"
> conn=231089 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
>
> I have *no* idea what attrs="1.1" means on the SRCH.....

Attributes in an LDAP search can be specified via name or OID. "1.1" is a valid OID, but it definitely does not represent an LDAP attribute. "1.1" is a standardized means to say I don't want any attributes in the result (I am only interested in the DN).

The filter is broken; it should rather be something like (& (objectclass=person) (uid=stc) ), but I am not enough of a JAAS expert to tell you how to fix it.

Hope this helps.

Cheers,

Peter

> Here's my JAAS config:
>
> shibboleth {
>   edu.vt.middleware.ldap.jaas.LdapLoginModule required
>     host="ldapauth.cis-qas.brown.edu" port="636"
>     base="ou=People,dc=brown,dc=edu"
>     ssl="true"
>     serviceUser="cn=stc_auth,ou=special users,dc=brown,dc=edu"
>     serviceCredential="..."
>     userField="uid"
>     userRoleAttribute="eduPersonAffiliation";
> };
>
> I wanted to retrieve eduPersonAffiliation from LDAP, and have that mapped to a Tomcat role value...
> Suggestions?
--
_______________________________________________________________________
Peter Gietz (CEO)
DAASI International GmbH
Wilhelmstr. 106
D-72074 Tübingen
Germany
Phone: +49 7071 2970334
Fax: +49 7071 295114
Web: www.daasi.de
DAASI International GmbH, Tübingen
Managing Director Peter Gietz, registered at Amtsgericht Stuttgart, HRB 382175
Directory Applications for Advanced Security and Information Management
_______________________________________________________________________
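The access-log excerpt quoted in the message above shows the whole problem in one line: the search issued after the service-account BIND carries attrs="1.1", so the server returns the DN and nothing else, and a role attribute such as eduPersonAffiliation can never arrive. The following Python script is an added example, not code from the thread or from the VT login module. It parses the four quoted log lines (embedded as constructed sample input), joins each SRCH to the BIND identity on its connection and to its RESULT, and reports whether the requested attribute list could have supplied the attribute named in userRoleAttribute. The log-line layout is taken from the quoted lines; the handling of attrs=ALL for searches that named no attribute list is an assumption about the server's log format.

```python
"""Added example: parse the directory-server access-log lines quoted in the
thread and check whether the search the login module issued could ever have
returned the attribute configured as userRoleAttribute."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 4511, section 4.5.1.8: an attribute list of "1.1" asks for no attributes at all.
NO_ATTRIBUTES_OID = "1.1"

# Constructed sample input: the four access-log lines quoted in the thread.
SAMPLE_LOG = """\
conn=231089 op=0 msgId=1 - BIND dn="cn=stc_auth,ou=special users,dc=brown,dc=edu" method=128 version=3
conn=231089 op=0 msgId=1 - RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=stc_auth,ou=special users,dc=brown,dc=edu"
conn=231089 op=1 msgId=2 - SRCH base="ou=people,dc=brown,dc=edu" scope=1 filter="(&(uid=stc))" attrs="1.1"
conn=231089 op=1 msgId=2 - RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"^conn=(?P<conn>\d+) op=(?P<op>\d+) msgId=\d+ - (?P<kind>[A-Z]+) ?(?P<rest>.*)$")
# key=value pairs; a value is either double-quoted (may contain spaces and '=') or a bare token
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


@dataclass
class Search:
    conn: str
    bind_dn: Optional[str]       # DN of the last successful BIND on this connection
    base: str
    scope: str
    search_filter: str
    attrs: List[str]             # empty list means attrs="1.1": nothing requested
    err: Optional[int] = None    # filled in from the matching RESULT line
    nentries: Optional[int] = None


def parse_fields(rest: str) -> Dict[str, str]:
    """Turn 'base="ou=people,..." scope=1 attrs="1.1"' into a dict, dropping the quotes."""
    fields: Dict[str, str] = {}
    for key, raw in KV_RE.findall(rest):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def parse_searches(log_text: str) -> List[Search]:
    """Return one Search per SRCH line, joined to its BIND identity and its RESULT."""
    bound_as: Dict[str, str] = {}                    # conn -> DN of last successful bind
    pending_bind: Dict[Tuple[str, str], str] = {}    # (conn, op) -> DN awaiting its RESULT
    open_search: Dict[Tuple[str, str], Search] = {}  # (conn, op) -> SRCH awaiting its RESULT
    searches: List[Search] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["conn"], m["op"])
        fields = parse_fields(m["rest"])
        if m["kind"] == "BIND":
            pending_bind[key] = fields.get("dn", "")
        elif m["kind"] == "SRCH":
            # Assumption: the server logs attrs=ALL when the client named no attribute list.
            attrs = fields.get("attrs", "ALL")
            attr_list = [] if attrs == NO_ATTRIBUTES_OID else attrs.split()
            s = Search(m["conn"], bound_as.get(m["conn"]), fields.get("base", ""),
                       fields.get("scope", ""), fields.get("filter", ""), attr_list)
            open_search[key] = s
            searches.append(s)
        elif m["kind"] == "RESULT":
            err = int(fields.get("err", "-1"))
            if key in pending_bind:
                dn = pending_bind.pop(key)
                if err == 0:
                    bound_as[m["conn"]] = dn
            elif key in open_search:
                s = open_search.pop(key)
                s.err = err
                s.nentries = int(fields.get("nentries", "0"))
    return searches


def check_role_attribute(search: Search, role_attr: str) -> Tuple[bool, str]:
    """Could this search have supplied values for role_attr? Returns (ok, reason)."""
    if search.err not in (None, 0):
        return False, f"search failed with err={search.err}"
    if search.nentries == 0:
        return False, f"filter {search.search_filter!r} matched no entry under {search.base}"
    if not search.attrs:
        return False, (f'attrs="{NO_ATTRIBUTES_OID}" requests no attributes, so {role_attr} '
                       "can never be returned; only the DN comes back")
    wanted = {a.lower() for a in search.attrs}
    if wanted & {"all", "*"} or role_attr.lower() in wanted:
        return True, f"{role_attr} is covered by requested attrs {search.attrs}"
    return False, f"{role_attr} is not among requested attrs {search.attrs}"


if __name__ == "__main__":
    for s in parse_searches(SAMPLE_LOG):
        ok, why = check_role_attribute(s, "eduPersonAffiliation")
        print(f"conn={s.conn} bound as {s.bind_dn!r}: {'OK' if ok else 'PROBLEM'}: {why}")
```

Run against the quoted lines, the script reports the user entry was found (nentries=1) but that the attribute list excludes everything, which is why the role mapping stays empty regardless of how the filter is written. Replacing attrs="1.1" with a list that names eduPersonAffiliation (or with ALL) in the sample makes the same check pass, which is the behaviour to look for in the server log once the login module is configured to fetch the role attribute.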