shibboleth-dev - RE: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords

  • From: "Khanna, Sumit (khannast)" <>
  • Subject: RE: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords
  • Date: Thu, 28 Apr 2011 15:10:19 -0400

Thanks, I had forgotten to add my package to the logging config.

I think I found the LDAP problem. It’s binding anonymously instead of as the user in the login.conf. If I change the function to the following, I see five attributes print to the logs, which are the five allowed in an anonymous bind:

      public void authenticate(final ConnectionHandler ch, final AuthenticationCriteria ac) throws NamingException {
            Ldap ldap = null;
            try {
                  // let the normal bind authentication run first
                  super.authenticate(ch, ac);

                  // open a second connection with this handler's config and read the user's entry
                  ldap = new Ldap(this.config);
                  Attributes attrs = ldap.getAttributes(ac.getDn()/*, new String[] { "passwordExpirationTime", "loginGraceRemaining" } */);

                  // dump every attribute that came back so the logs show what this bind can read
                  NamingEnumeration<String> ids = attrs.getIDs();
                  while (ids.hasMore()) {
                        String id = ids.next();
                        logger.debug(String.format("ID: %s Value: %s", id, attrs.get(id)));
                  }
            } finally {
                  if (ldap != null) {
                        ldap.close();
                  }
            }
      }

And if I look at the logs, I see several bind attempts, both as the admin and the user itself, both of which have access to the full range of attributes. I don’t see an anonymous bind in there, and it looks like the admin user is pulling the attributes. Is there a way to get my Ldap calls to use the same credentials used in the login.config?

[edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet:151] - Attempting to authenticate user sampleUsr

[edu.vt.middleware.ldap.jaas.LdapLoginModule:172] - useFirstPass = false

[edu.vt.middleware.ldap.jaas.LdapLoginModule:173] - tryFirstPass = false

[edu.vt.middleware.ldap.jaas.LdapLoginModule:174] - storePass = false

[edu.vt.middleware.ldap.jaas.LdapLoginModule:175] - setLdapPrincipal = true

[edu.vt.middleware.ldap.jaas.LdapLoginModule:176] - setLdapDnPrincipal = false

[edu.vt.middleware.ldap.jaas.LdapLoginModule:177] - setLdapCredential = true

[edu.vt.middleware.ldap.jaas.LdapLoginModule:178] - defaultRole = []

[edu.vt.middleware.ldap.jaas.LdapLoginModule:179] - principalGroupName = null

[edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - roleGroupName = null

[edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []

[edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@1096118092::env={java.naming.provider.url="ldap://example.edu:636," java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, bindCredentials=!bZ46SL+9o, java.naming.security.protocol=ssl}

[edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN using userField

[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:

[edu.vt.middleware.ldap.auth.SearchDnResolver:194] -   dn = o=uc

[edu.vt.middleware.ldap.auth.SearchDnResolver:195] -   filter = (uid=sampleUsr)

[edu.vt.middleware.ldap.auth.SearchDnResolver:196] -   filterArgs = [sampleUsr]

[edu.vt.middleware.ldap.auth.SearchDnResolver:197] -   searchControls = javax.naming.directory.SearchControls@69f480e3

[edu.vt.middleware.ldap.auth.SearchDnResolver:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@3339ed6d]

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn = cn=someAdmin,ou=admins,o=example

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn = cn=sampleUsr,ou=People,o=example

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>

[edu.vt.middleware.ldap.Ldap:632] - Attribute search with the following parameters:

[edu.vt.middleware.ldap.Ldap:633] -   dn = cn=sampleUsr,ou=People,o=uc

[edu.vt.middleware.ldap.Ldap:634] -   retAttrs = all attributes

[edu.vt.middleware.ldap.Ldap:637] -   handler = []

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn = cn=someAdmin,ou=admins,o=example

[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: mail Value: mail:

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: uid Value: uid: sampleUsr

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: ou Value: ou: COM IM Pulmonary Division

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: objectClass Value: objectClass: inetOrgPerson, uceduPerson, eduPerson, uceduApplicant, uceduRosetta, organizationalPerson, Person, ndsLoginProperties, Top, DirXML-PasswordSyncStatusUser, DirXML-ApplicationAttrs

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: givenName Value: givenName: Example

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: sn Value: sn: Example

[edu.uc.ucit.shibboleth.idm.auth.GraceAuthenticationHandler:49] - ID: cn Value: cn: sampleUsr

Sumit

From: [mailto:] On Behalf Of Daniel Fisher
Sent: Thursday, April 28, 2011 11:55 AM
To:
Subject: Re: [Shib-Dev] Creating a Custom LoginHandler for Novel's eDirectory to handle Grace Logins/Expired Passwords

On Thu, Apr 28, 2011 at 9:04 AM, Khanna, Sumit (khannast) <> wrote:

But I have a couple of use. First, is my logger setup correctly? I’m not actually seeing that line in the idp-process or tomcat logs.

Make sure you've turned on debug for whatever package you put the GraceAuthenticationHandler in.

Second, how is that exception transferred over to the login servlet? I see my edu.uc.ucit.shibboleth.idm.auth.GraceLoginAuthenticationException in the logs (which is just an AuthenticationException with some added fields), but in the jsp page when you do a request.getAttribute(LoginHandler.AUTHENTICATION_EXCEPTION_KEY), the type of that class is actually a javax.security.auth.login.LoginException. Does it just copy the message from that exception into the message of a new one?

Yes.

Finally, and this is the big one, attrs.get("passwordExpirationTime") returns a null. You can see I tried changing new Ldap(this.config) to new Ldap(ch.getLdapConfig()), but in both cases, I don’t get any values. If I print out the DN, it is correct (cn=username,ou=People,o=uc). I’m not getting any connection exceptions and the user in the login.conf does have permission to view that attribute for a user. I’m sure I’m just missing something simple. Any ideas?

Check your LDAP logs. It appears the LDAP lookup is succeeding, so either the attributes don't exist or you don't have perms to read them.

--Daniel Fisher
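
Added example (not code from this thread or from vt-ldap): the decision a grace-login handler has to make once the bind has succeeded and the user's attributes come back, using only JDK classes so it runs offline. It assumes passwordExpirationTime arrives as a GeneralizedTime string and loginGraceRemaining as a decimal string, and it treats a missing passwordExpirationTime (the null discussed above) as an unreadable-attribute failure rather than as a valid login.

```java
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.TimeZone;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttributes;

public final class GraceLoginCheck {
    public enum Status { OK, GRACE_LOGIN, EXPIRED, ATTRIBUTES_UNREADABLE }
    static final String EXPIRATION_ATTR = "passwordExpirationTime"; // GeneralizedTime, e.g. 20110401000000Z
    static final String GRACE_ATTR = "loginGraceRemaining";         // decimal count of grace logins left

    public static Status check(Attributes attrs, Date now) throws NamingException {
        Attribute exp = attrs.get(EXPIRATION_ATTR);
        if (exp == null) {
            // The null seen in the thread: the attribute is absent or the bound identity
            // cannot read it. Fail closed instead of treating it as "not expired".
            return Status.ATTRIBUTES_UNREADABLE;
        }
        if (!now.after(parseGeneralizedTime((String) exp.get()))) {
            return Status.OK;
        }
        // Assumption: eDirectory already decremented loginGraceRemaining for the bind that
        // just succeeded, so the value read here is what the user has left.
        Attribute grace = attrs.get(GRACE_ATTR);
        int remaining = grace == null ? 0 : Integer.parseInt(((String) grace.get()).trim());
        return remaining > 0 ? Status.GRACE_LOGIN : Status.EXPIRED;
    }

    static Date parseGeneralizedTime(String value) throws NamingException {
        SimpleDateFormat fmt = new SimpleDateFormat("yyyyMMddHHmmss'Z'");
        fmt.setTimeZone(TimeZone.getTimeZone("UTC"));
        try {
            return fmt.parse(value);
        } catch (ParseException e) {
            throw new NamingException("Unparseable " + EXPIRATION_ATTR + ": " + value);
        }
    }

    public static void main(String[] args) throws NamingException {
        // Constructed sample: password expired on 2011-04-01, two grace logins left.
        BasicAttributes attrs = new BasicAttributes(true); // ignoreCase, like a JNDI search result
        attrs.put(EXPIRATION_ATTR, "20110401000000Z");
        attrs.put(GRACE_ATTR, "2");
        Date now = parseGeneralizedTime("20110428191019Z"); // the post's Date header in UTC
        System.out.println(check(attrs, now)); // then try GRACE_ATTR "0" and a removed EXPIRATION_ATTR
    }
}
```

In a real handler the Attributes object comes from the Ldap.getAttributes call shown in the message above; the ATTRIBUTES_UNREADABLE branch is where the "null from attrs.get" problem would surface instead of silently passing the user through.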
