
shibboleth-dev - Re: [Shib-Dev] derefAliases broken in 2.2.x

Subject: Shibboleth Developers

  • From: Dan McLaughlin <>
  • To:
  • Subject: Re: [Shib-Dev] derefAliases broken in 2.2.x
  • Date: Tue, 7 Jun 2011 19:08:03 -0500

Hi Daniel,

I don't have a test eDir server on the outside, but I'd be surprised
if I couldn't reproduce it with OpenLDAP.

I can set up a WebEx at any time and look directly at the systems if you'd like.

By the way, after upgrading to 2.3.0 in our Development environment,
LDAP authentication fails unless I roll back the vt-ldap jar to
the 3.3.2 release.

18:34:46.911 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144]
- Begin initialize
18:34:46.911 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
- useFirstPass = false
18:34:46.911 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181]
- tryFirstPass = false
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
- storePass = false
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
- clearPass = false
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184]
- setLdapPrincipal = true
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185]
- setLdapDnPrincipal = false
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186]
- setLdapCredential = true
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187]
- defaultRole = []
18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188]
- principalGroupName = null
18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189]
- roleGroupName = null
18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
- userRoleAttribute = []
18:34:46.913 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: ONELEVEL
18:34:46.913 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting
subtreeSearch: true
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: SUBTREE
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting
baseDn: T=MYBASEDN
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
true
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
ldapUrl: ldap://ldap01:636
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
18:34:46.915 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting
userFilter: (&(cn={0})(objectclass=person))
18:34:46.915 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
- Created authenticator:
edu.vt.middleware.ldap.auth.AuthenticatorConfig@20797601::env={java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412]
- Begin getCredentials
18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413]
- useFistPass = false
18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414]
- tryFistPass = false
18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415]
- useCallback = false
18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416]
- callbackhandler class =
javax.security.auth.login.LoginContext$SecureCallbackHandler
18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419]
- name callback class = javax.security.auth.callback.NameCallback
18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421]
- password callback class =
javax.security.auth.callback.PasswordCallback
18:34:46.916 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:173] - User input was
empty or null
18:34:46.917 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136]
- Authentication failed
javax.naming.AuthenticationException: Cannot authenticate dn, invalid
credential
at
edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:154)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103)
~[vt-ldap-3.3.3.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[na:1.6.0_24]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
~[na:1.6.0_24]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
~[na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) ~[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
[na:1.6.0_24]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[na:1.6.0_24]
at java.security.AccessController.doPrivileged(Native Method)
[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
[na:1.6.0_24]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[na:1.6.0_24]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160)
[shibboleth-identityprovider-2.3.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
[shibboleth-identityprovider-2.3.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49)
[shibboleth-identityprovider-2.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80)
[shibboleth-identityprovider-2.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
[shibboleth-common-1.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
[catalina.jar:6.0.32]
at
com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
[tomcat60adaptor-2.2.1.jar:2.2.1]
at
org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
[catalina-ha.jar:6.0.32]
at
org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
[catalina-ha.jar:6.0.32]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:6.0.32]
at
org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647)
[catalina.jar:6.0.32]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
[catalina.jar:6.0.32]
at
org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429)
[tomcat-coyote.jar:6.0.32]
at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
[tomcat-coyote.jar:6.0.32]
at
org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
[tomcat-coyote.jar:6.0.32]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
18:34:46.918 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264]
- Begin abort


If I roll back only the vt-ldap.jar to the 3.3.2 release and change
nothing else, then the same exact login works fine...


18:45:58.042 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:138]
- Begin initialize
18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:172]
- useFirstPass = false
18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:173]
- tryFirstPass = false
18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:174]
- storePass = false
18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:175]
- setLdapPrincipal = true
18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:176]
- setLdapDnPrincipal = false
18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:177]
- setLdapCredential = true
18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:178]
- defaultRole = []
18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:179]
- principalGroupName = null
18:45:58.045 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
- roleGroupName = null
18:45:58.045 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
- userRoleAttribute = []
18:45:58.058 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: ONELEVEL
18:45:58.060 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting
subtreeSearch: true
18:45:58.060 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: SUBTREE
18:45:58.061 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting
baseDn: T=MYBASEDN
18:45:58.062 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
true
18:45:58.063 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
ldapUrl: ldap://ldap01:636
18:45:58.064 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
18:45:58.065 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting
userFilter: (&(cn={0})(objectclass=person))
18:45:58.068 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
- Created authenticator:
edu.vt.middleware.ldap.auth.AuthenticatorConfig@7889295::env={java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:45:58.068 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:368]
- Begin getCredentials
18:45:58.068 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:369]
- useFistPass = false
18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:370]
- tryFistPass = false
18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:371]
- useCallback = false
18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:372]
- callbackhandler class =
javax.security.auth.login.LoginContext$SecureCallbackHandler
18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:375]
- name callback class = javax.security.auth.callback.NameCallback
18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:377]
- password callback class =
javax.security.auth.callback.PasswordCallback
18:45:58.070 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
18:45:58.071 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
18:45:58.071 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
18:45:58.071 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(&(cn={0})(objectclass=person))
18:45:58.071 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[jdoe]
18:45:58.071 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@1c101ac
18:45:58.072 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@54c72e]
18:45:58.072 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:45:58.072 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
18:45:58.076 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
18:45:58.077 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
18:45:58.077 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
18:45:58.078 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
18:45:58.078 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
null
18:45:58.079 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
18:45:58.079 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldap://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:45:58.329 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
18:45:58.329 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
18:45:58.330 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
18:45:58.330 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
18:45:58.330 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
18:45:58.330 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
cn=JDOE,ou=FOO,ou=BAR,o=DIV
18:45:58.330 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
18:45:58.331 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldap://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:45:58.556 - INFO
[edu.vt.middleware.ldap.jaas.JaasAuthenticator:176] - Authentication
succeeded for dn: cn=JDOE,ou=FOO,ou=BAR,o=DIV
18:45:58.563 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
18:45:58.563 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
18:45:58.563 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
18:45:58.564 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(&(cn={0})(objectclass=person))
18:45:58.564 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[jdoe]
18:45:58.564 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@282ae6
18:45:58.564 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@54c72e]
18:45:58.564 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
18:45:58.576 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:199]
- Begin commit
18:45:58.577 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:207]
- Committed the following principals: [jdoe[]]
18:45:58.577 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:213]
- Committed the following roles: []
18:45:58.849 - INFO [Shibboleth-Access:73] -
20110607T234558Z|144.45.7.139|www.mydomain.com:443|/profile/SAML2/Redirect/SSO|
18:45:58.872 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: ACTIVE_PASSIVE
18:45:58.873 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
18:45:58.873 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1}
Attempting connection to ldaps://ldap01:636 for strategy
ACTIVE_PASSIVE
18:45:58.873 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
18:45:58.873 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
18:45:58.874 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
null
18:45:58.874 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
18:45:58.874 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldaps://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
18:45:59.091 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with
the following parameters:
18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:194] - dn = T=MYBASEDN
18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:195] - filter =
(&(cn=jdoe)(objectclass=person))
18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:196] - filterArgs = []
18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -
searchControls =
javax.naming.directory.SearchControls@f8a786
18:45:59.093 - DEBUG [edu.vt.middleware.ldap.Ldap:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@f1f2cc,
edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@7b6d1c,
edu.vt.middleware.ldap.handler.BinarySearchResultHandler@1387498]
18:45:59.093 - TRACE [edu.vt.middleware.ldap.Ldap:200] - config =
{java.naming.provider.url=ldaps://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
18:45:59.110 - TRACE
[edu.vt.middleware.ldap.pool.DefaultLdapFactory:123] - destroyed ldap
object:
edu.vt.middleware.ldap.Ldap@384082::config=edu.vt.middleware.ldap.LdapConfig@22594860::env={java.naming.provider.url=ldaps://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
18:45:59.286 - INFO [Shibboleth-Audit:969] -
20110607T234559Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_716f56e410da222075ca48a33b078b0c|https://www.mydomain.com/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://www.mydomain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1f5cb388a646bcaa8434576f8150cc94|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|cn,email,telephoneNumber,HexGUID,transientId,surname,givenName,IsCRISUser,AgencyID,|_c126abb8f0f0deba081bb6a496ef6ddf||



--

Thanks,

Dan McLaughlin




On Tue, Jun 7, 2011 at 10:01 AM, Daniel Fisher
<>
wrote:
> On Tue, Jun 7, 2011 at 9:26 AM, Dan McLaughlin
> <>
> wrote:
>> Hi Daniel,
>>
>> Actually dereference alias "never" means "Never dereferences aliases".
>
> Correct. This is a server side directive. You're telling the server
> not to dereference.
>
>>  So if you have an alias it will not be returned.
>
> Incorrect. Aliases will be returned if they are found by your search
> filter. Since the server is *not* dereferencing the aliases, they will
> be returned as entries.
>
>> When we leave the default "always" then the alias and the object it
>> references are
>> returned and we get the exception about too many results returned.
>
> You should not receive any alias entries when using that setting. If
> you are, the server is not dereferencing them and something is wrong.
>
>> The documentation from Sun/Oracle confirms my understanding.
>> http://download.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
>
> Those docs really need a few more examples. I can see why they are
> confusing.
>
> --Daniel Fisher
>
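
One way to compare the two traces in this message, as an added example that is not part of the original thread or of vt-ldap: it rejoins the mail-wrapped log records, drops timestamps, source line numbers and object ids (which differ between the 3.3.3 and 3.3.2 jars), and reports where the failing and working runs diverge. The two excerpts are shortened, constructed samples modeled on the lines quoted above, and the function names are this example's own.

```python
import difflib
import re

# A record starts with "HH:MM:SS.mmm - "; anything else is a mail-wrapped continuation.
RECORD_START = re.compile(r"^\d{2}:\d{2}:\d{2}\.\d{3} - ")
RECORD = re.compile(r"^(?P<level>[A-Z]+) \[(?P<logger>[\w.$-]+):\d+\] - (?P<msg>.*)$")

# Constructed, shortened samples modeled on the two traces in the message.
FAILING = """\
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
- storePass = false
18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
- clearPass = false
18:34:46.914 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
18:34:46.916 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:173] - User input was
empty or null
18:34:46.917 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136]
- Authentication failed
"""
WORKING = """\
18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:174]
- storePass = false
18:45:58.064 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
18:45:58.070 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
18:45:58.556 - INFO
[edu.vt.middleware.ldap.jaas.JaasAuthenticator:176] - Authentication
succeeded for dn: cn=JDOE,ou=FOO,ou=BAR,o=DIV
"""

def unwrap(text):
    """Rejoin hard-wrapped lines into one string per log record."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if RECORD_START.match(line):
            records.append(line)
        elif records:
            records[-1] += " " + line
    return records

def normalize(record):
    """Drop timestamp, source line number and object ids; shorten the logger name."""
    body = RECORD_START.sub("", record)
    m = RECORD.match(body)
    if not m:
        return body
    msg = re.sub(r"@[0-9a-f]+", "@<id>", m["msg"])
    return f'{m["level"]} {m["logger"].rsplit(".", 1)[-1]}: {msg}'

def divergences(failing_text, working_text):
    """Return (tag, failing_events, working_events) for every non-matching span."""
    a = [normalize(r) for r in unwrap(failing_text)]
    b = [normalize(r) for r in unwrap(working_text)]
    ops = difflib.SequenceMatcher(a=a, b=b, autojunk=False).get_opcodes()
    return [(tag, a[i1:i2], b[j1:j2]) for tag, i1, i2, j1, j2 in ops if tag != "equal"]

if __name__ == "__main__":
    for tag, failing, working in divergences(FAILING, WORKING):
        print(tag, "| failing:", failing, "| working:", working)
```

On these samples the `delete` span is only the extra `clearPass` option logged in the failing trace; the `replace` span is where that run's `SearchDnResolver` reports empty user input instead of starting the DN lookup.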


