
shibboleth-dev - Re: [Shib-Dev] IdP 2.2.0 Snapshot Release

Subject: Shibboleth Developers

  • From: Daniel Fisher <>
  • To:
  • Subject: Re: [Shib-Dev] IdP 2.2.0 Snapshot Release
  • Date: Thu, 25 Feb 2010 14:37:10 -0500

There are actually two issues here.
First, the vt-ldap 3.x library no longer attempts to map JNDI properties back into its own property space.
So any unknown properties are simply placed into the context, and in your case putting that specific property into the context and using startTLS simply won't work (unless you write your own connection handler...).

The second problem I see here is shib specific and is what we should address.
Attempting to set any properties in the LDAPProperties element that override attributes in the LDAPDirectory schema has the potential to cause problems.
The main reason for this is that most schema attributes have a default value and the order in which these elements are processed will probably never be guaranteed.
I'm not sure if we should attempt to throw an exception when this occurs, log an error, or just document some of the properties that should not be placed in LDAPProperties.

So in your case your config should use the authenticationType attribute:

<resolver:DataConnector id="personreg" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://seneca02.u.washington.edu:389"
    baseDN="dc=washington,dc=edu"
    principal="cn=urizen3.cac.washington.edu"
    poolInitialSize="2"
    poolMaxIdleSize="5"
    cacheResults="true"
    useStartTLS="true"
    authenticationType="EXTERNAL">
......

instead of:

<LDAPProperty name="java.naming.security.authentication" value="EXTERNAL" />

--Daniel

On 2/23/10 4:45 PM, Jim Fox wrote:


the ldap config and log portions are attached.

Possibly the problem is that in version 3 the property name for external auth is "edu.vt.middleware.ldap.authtype" and not "java.naming.security.authentication"


Jim


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
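
The conflict discussed in this message can be checked for before deployment. The following is an added example, not part of the original message or of the Shibboleth code base: a Python lint that flags LDAPProperty entries whose JNDI name duplicates an LDAPDirectory attribute. Only the java.naming.security.authentication / authenticationType pair comes from the thread; the other pairs in the table, the function name and the sample hostnames are assumptions.

```python
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"

# JNDI property name -> LDAPDirectory attribute to use instead.
# Only the last pair is named in the thread; the others are assumed equivalents.
SHADOWED = {
    "java.naming.provider.url": "ldapURL",
    "java.naming.security.principal": "principal",
    "java.naming.security.credentials": "principalCredential",
    "java.naming.security.authentication": "authenticationType",
}

def find_shadowing_properties(xml_text):
    """Return (connector id, property name, attribute to use) per conflict."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        # xsi:type may be written "LDAPDirectory" or "dc:LDAPDirectory"
        if elem.get(XSI_TYPE, "").split(":")[-1] != "LDAPDirectory":
            continue
        for prop in elem.iter("{%s}LDAPProperty" % DC_NS):
            attr = SHADOWED.get(prop.get("name", ""))
            if attr:
                findings.append((elem.get("id"), prop.get("name"), attr))
    return findings

# Constructed sample config: one connector with the conflict, one corrected.
SAMPLE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="personreg" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap.example.org:389" baseDN="dc=example,dc=org"
      useStartTLS="true">
    <LDAPProperty name="java.naming.security.authentication" value="EXTERNAL" />
    <LDAPProperty name="java.naming.referral" value="follow" />
  </resolver:DataConnector>
  <resolver:DataConnector id="fixed" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://ldap.example.org:389" baseDN="dc=example,dc=org"
      useStartTLS="true" authenticationType="EXTERNAL" />
</resolver:AttributeResolver>"""

if __name__ == "__main__":
    for cid, name, attr in find_shadowing_properties(SAMPLE):
        print(f"{cid}: LDAPProperty {name} -> use the {attr} attribute instead")
```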



