shibboleth-dev - Re: [Shib-Dev] derefAliases broken in 2.2.x
- From: Dan McLaughlin <>
- To:
- Subject: Re: [Shib-Dev] derefAliases broken in 2.2.x
- Date: Wed, 8 Jun 2011 00:36:53 -0500
Hi Daniel,
I tried everything to get the 3.3.3 vt-ldap to work in 2.3.0 but it
failed every time and even with TRACE level logging it gives me
nothing to go on. I was able to attach with a debugger and step
through the code enough to tell it was failing due to change #1877.
After reverting FqdnSearchResultHandler.java to revision #1330
everything is working again.
"1877 4/5/11 9:42 AM 4 dfisher SearchResult#getName() returns a
string
representing a composite name, not necessarily an LDAP DN. Use a
CompositeName to parse it correctly. Add test case for entries with
special characters. Fixes vt-ldap 109."
So now I'm running the latest vt-ldap 3.3.3 (minus change #1877) and IdP
2.3.0.
Everything I'm reading on dereferencing of aliases states that to
"dereference" means "To access the thing to which a pointer points, i.e.
to follow the pointer." I don't want aliases to be followed or
searches will return the alias and the person (which is too many
results). (BTW... countLimit=1 is another workaround I've found).
In Novell the alias,aliasObject schema allows and uses the cn
attribute as the RDN, the same attribute person is using for the RDN.
Here is an example of what an alias looks like in eDir. Notice how an
alias also has a cn attribute like person; I think this is key to
explaining why you can't reproduce this. I would think if you were to
customize the schema for OpenLDAP to allow a cn attribute for the
objectclass alias, then you might be able to see the issue there as
well.
objectClass: alias
objectClass: top
aliasedObjectName: cn=JDOE-C,ou=MYNEW,ou=DEPARTMENT,o=DIV
cn: JDOE-C
name: JDOE-C
createTimestamp: 20110603142023Z
creatorsName: cn=JANEDOE,ou=FOO,ou=BAR,o=DIV
entryDN: cn=JDOE-C,ou=FOO,ou=BAR,o=DIV
entryFlags: 1
federationBoundary: t=MYBASEDN
GUID:: gO1fnuyN4BGxMgddfecjjA==
localEntryID: 345548
modifiersName: cn=JANEDOE,ou=FOO,ou=BAR,o=DIV
modifyTimestamp: 20110603142023Z
revision: 1
structuralObjectClass: alias
subordinateCount: 0
subschemaSubentry: cn=schema
So a search with dereference alias=always for
(&(cn=jdoe-c)(objectclass=person)) will return both the person that
the alias jdoe-c points to and the actual person jdoe-c.
This returns more than one result and the following error occurs:
23:10:40.018 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144]
- Begin initialize
23:10:40.019 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
- useFirstPass = false
23:10:40.019 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181]
- tryFirstPass = false
23:10:40.019 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
- storePass = false
23:10:40.019 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
- clearPass = false
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184]
- setLdapPrincipal = true
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185]
- setLdapDnPrincipal = false
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186]
- setLdapCredential = true
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187]
- defaultRole = []
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188]
- principalGroupName = null
23:10:40.020 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189]
- roleGroupName = null
23:10:40.021 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
- userRoleAttribute = []
23:10:40.026 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: ONELEVEL
23:10:40.028 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting
subtreeSearch: true
23:10:40.028 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: SUBTREE
23:10:40.029 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting
baseDn: T=MYBASEDN
23:10:40.029 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
true
23:10:40.029 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
ldapUrl: ldap://ldap01:636
23:10:40.029 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: always
23:10:40.029 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting
userFilter: (&(cn={0})(objectclass=person))
23:10:40.031 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
- Created authenticator:
edu.vt.middleware.ldap.auth.AuthenticatorConfig@28414668::env={java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=always,
java.naming.security.protocol=ssl}
23:10:40.031 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412]
- Begin getCredentials
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413]
- useFistPass = false
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414]
- tryFistPass = false
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415]
- useCallback = false
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416]
- callbackhandler class =
javax.security.auth.login.LoginContext$SecureCallbackHandler
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419]
- name callback class = javax.security.auth.callback.NameCallback
23:10:40.032 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421]
- password callback class =
javax.security.auth.callback.PasswordCallback
23:10:40.034 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
23:10:40.034 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
23:10:40.034 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
23:10:40.034 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(&(cn={0})(objectclass=person))
23:10:40.034 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[jdoe-c]
23:10:40.035 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@cb9b8f
23:10:40.035 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@151dc28]
23:10:40.035 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=always,
java.naming.security.protocol=ssl}
23:10:40.035 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
23:10:40.035 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
23:10:40.036 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
23:10:40.036 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
23:10:40.036 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
23:10:40.036 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
null
23:10:40.036 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
23:10:40.036 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldap://ldap01:636,
java.naming.ldap.derefAliases=always,
java.naming.security.protocol=ssl}
23:10:40.458 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:151] - Multiple results
found for user: jdoe-c using filter:
filter=(&(cn={0})(objectclass=person)),filterArgs=[]
23:10:40.465 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:164]
- Error occured attempting authentication
javax.naming.NamingException: Found more than (1) DN for: jdoe-c
at
edu.vt.middleware.ldap.auth.SearchDnResolver.resolve(SearchDnResolver.java:156)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.auth.Authenticator.getDn(Authenticator.java:106)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60)
~[vt-ldap-3.3.3.jar:na]
at
edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103)
~[vt-ldap-3.3.3.jar:na]
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
~[na:1.6.0_24]
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
~[na:1.6.0_24]
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
~[na:1.6.0_24]
at java.lang.reflect.Method.invoke(Method.java:597) ~[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
[na:1.6.0_24]
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
[na:1.6.0_24]
at java.security.AccessController.doPrivileged(Native Method)
[na:1.6.0_24]
at
javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
[na:1.6.0_24]
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
[na:1.6.0_24]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160)
[shibboleth-identityprovider-2.3.0.jar:na]
at
edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106)
[shibboleth-identityprovider-2.3.0.jar:na]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
[servlet-api.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49)
[shibboleth-identityprovider-2.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80)
[shibboleth-identityprovider-2.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51)
[shibboleth-common-1.3.0.jar:na]
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
[catalina.jar:6.0.32]
at
com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30)
[tomcat60adaptor-2.2.1.jar:2.2.1]
at
org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227)
[catalina-ha.jar:6.0.32]
at
org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347)
[catalina-ha.jar:6.0.32]
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
[catalina.jar:6.0.32]
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
[catalina.jar:6.0.32]
at
org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647)
[catalina.jar:6.0.32]
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298)
[catalina.jar:6.0.32]
at
org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429)
[tomcat-coyote.jar:6.0.32]
at
org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384)
[tomcat-coyote.jar:6.0.32]
at
org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665)
[tomcat-coyote.jar:6.0.32]
at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
23:10:40.466 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264]
- Begin abort
Once I go back and set dereference aliasing back to never, then the
aliases no longer return and login is successful...
00:00:46.293 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144]
- Begin initialize
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
- useFirstPass = false
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181]
- tryFirstPass = false
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
- storePass = false
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
- clearPass = false
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184]
- setLdapPrincipal = true
00:00:46.294 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185]
- setLdapDnPrincipal = false
00:00:46.295 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186]
- setLdapCredential = true
00:00:46.295 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187]
- defaultRole = []
00:00:46.295 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188]
- principalGroupName = null
00:00:46.295 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189]
- roleGroupName = null
00:00:46.295 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
- userRoleAttribute = []
00:00:46.301 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: ONELEVEL
00:00:46.303 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting
subtreeSearch: true
00:00:46.303 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: SUBTREE
00:00:46.303 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting
baseDn: T=MYBASEDN
00:00:46.303 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
true
00:00:46.303 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
ldapUrl: ldap://ldap01:636
00:00:46.304 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
00:00:46.304 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting
userFilter: (&(cn={0})(objectclass=person))
00:00:46.305 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
- Created authenticator:
edu.vt.middleware.ldap.auth.AuthenticatorConfig@22419002::env={java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:00:46.306 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412]
- Begin getCredentials
00:00:46.306 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413]
- useFistPass = false
00:00:46.306 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414]
- tryFistPass = false
00:00:46.306 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415]
- useCallback = false
00:00:46.306 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416]
- callbackhandler class =
javax.security.auth.login.LoginContext$SecureCallbackHandler
00:00:46.307 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419]
- name callback class = javax.security.auth.callback.NameCallback
00:00:46.307 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421]
- password callback class =
javax.security.auth.callback.PasswordCallback
00:00:46.308 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
00:00:46.308 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
00:00:46.308 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
00:00:46.309 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(&(cn={0})(objectclass=person))
00:00:46.309 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[JDOE-C]
00:00:46.309 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@82d811
00:00:46.309 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@374c8e]
00:00:46.310 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:00:46.310 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
00:00:46.310 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
00:00:46.310 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
00:00:46.310 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
00:00:46.311 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
00:00:46.311 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
null
00:00:46.311 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
00:00:46.311 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldap://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:00:46.550 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
00:00:46.551 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
00:00:46.552 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
00:00:46.552 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
00:00:46.552 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
00:00:46.552 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
cn=JDOE-C,ou=MYNEW,ou=DEPARTMENT,o=DIV
00:00:46.552 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
00:00:46.552 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldap://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:00:46.777 - INFO
[edu.vt.middleware.ldap.jaas.JaasAuthenticator:176] - Authentication
succeeded for dn: cn=JDOE-C,ou=MYNEW,ou=DEPARTMENT,o=DIV
00:00:46.787 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN
using userFilter
00:00:46.787 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
00:00:46.788 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
00:00:46.788 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(&(cn={0})(objectclass=person))
00:00:46.788 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[JDOE-C]
00:00:46.789 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@9ebd53
00:00:46.789 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@374c8e]
00:00:46.789 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:00:46.800 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:208]
- Begin commit
00:00:46.801 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:223]
- Committed the following principals: [JDOE-C[]]
00:00:46.801 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:229]
- Committed the following roles: []
00:00:46.858 - INFO [Shibboleth-Access:73] -
20110608T050046Z|144.45.7.139|www.mydomain.com:443|/profile/SAML2/Redirect/SSO|
00:00:46.893 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: ACTIVE_PASSIVE
00:00:46.893 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
00:00:46.893 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1}
Attempting connection to ldaps://ldap01:636 for strategy
ACTIVE_PASSIVE
00:00:46.894 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind
with the following parameters:
00:00:46.894 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -
authtype = simple
00:00:46.894 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn =
null
00:00:46.894 - DEBUG
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -
credential = <suppressed>
00:00:46.894 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env =
{java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.provider.url=ldaps://ldap01:636,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
00:00:47.114 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with
the following parameters:
00:00:47.114 - DEBUG [edu.vt.middleware.ldap.Ldap:194] - dn = T=MYBASEDN
00:00:47.114 - DEBUG [edu.vt.middleware.ldap.Ldap:195] - filter =
(&(cn=JDOE-C)(objectclass=person))
00:00:47.115 - DEBUG [edu.vt.middleware.ldap.Ldap:196] - filterArgs = []
00:00:47.115 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -
searchControls =
javax.naming.directory.SearchControls@bf3adc
00:00:47.115 - DEBUG [edu.vt.middleware.ldap.Ldap:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1f66f50,
edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@61947,
edu.vt.middleware.ldap.handler.BinarySearchResultHandler@6597d1]
00:00:47.115 - TRACE [edu.vt.middleware.ldap.Ldap:200] - config =
{java.naming.provider.url=ldaps://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
00:00:47.132 - TRACE
[edu.vt.middleware.ldap.pool.DefaultLdapFactory:123] - destroyed ldap
object:
edu.vt.middleware.ldap.Ldap@6304462::config=edu.vt.middleware.ldap.LdapConfig@13440889::env={java.naming.provider.url=ldaps://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.ldap.attributes.binary=GUID}
00:00:47.521 - INFO [Shibboleth-Audit:969] -
20110608T050047Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_e2c6d19bdeebd8e666415e7b2b1fae09|https://www.mydomain.com/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://www.mydomain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_2bfff3f6b80fa10b46242720b0e20127|JDOE-C|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|cn,email,telephoneNumber,HexGUID,transientId,surname,givenName,IsCRISUser,AgencyID,|_0dd78a45e9f33fff0498713295b29af7||
But here is the odd thing, which is what originally caused me to post
to this thread...
Simply reverting the ldap properties in the login config so they match
the example has the same effect as if I had set dereference aliases
to always.
New way works...
edu.vt.middleware.ldap.jaas.LdapLoginModule required
ldapUrl="ldap://ldap01:636"
ssl="true"
baseDn="T=MYBASEDN"
subtreeSearch="true"
derefAliases="never"
userFilter="(&(cn={0})(objectclass=person))";
Old way doesn't work...
edu.vt.middleware.ldap.jaas.LdapLoginModule required
host="ldap://ldap01:636"
port="636"
base="T=MYBASDN"
ssl="true"
userField="cn"
subtreeSearch="true"
derefAliases="never";
Note that in both cases I have derefAliases = never, but using the old
parameters fails because the alias is followed and I get 2 results.
The exact same properties work just fine with the old version of
vt-ldap that shipped in IdP 2.2.1. I still haven't been able to
explain this behavior, but like I stated earlier, I'm not sure this is
even valid since the old properties aren't even mentioned in the docs
anymore.
00:12:11.242 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144]
- Begin initialize
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180]
- useFirstPass = false
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181]
- tryFirstPass = false
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182]
- storePass = false
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183]
- clearPass = false
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184]
- setLdapPrincipal = true
00:12:11.243 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185]
- setLdapDnPrincipal = false
00:12:11.244 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186]
- setLdapCredential = true
00:12:11.244 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187]
- defaultRole = []
00:12:11.244 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188]
- principalGroupName = null
00:12:11.244 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189]
- roleGroupName = null
00:12:11.244 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77]
- userRoleAttribute = []
00:12:11.249 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: ONELEVEL
00:12:11.251 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting
subtreeSearch: true
00:12:11.251 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting
searchScope: SUBTREE
00:12:11.252 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl:
true
00:12:11.252 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting
ldapUrl: ldap://ldap01:636
00:12:11.252 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:274] - setting
userField: [cn]
00:12:11.252 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting
derefAliases: never
00:12:11.253 - TRACE
[edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting
baseDn: T=MYBASEDN
00:12:11.254 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83]
- Created authenticator:
edu.vt.middleware.ldap.auth.AuthenticatorConfig@15257019::env={java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:12:11.254 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412]
- Begin getCredentials
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413]
- useFistPass = false
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414]
- tryFistPass = false
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415]
- useCallback = false
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416]
- callbackhandler class =
javax.security.auth.login.LoginContext$SecureCallbackHandler
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419]
- name callback class = javax.security.auth.callback.NameCallback
00:12:11.255 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421]
- password callback class =
javax.security.auth.callback.PasswordCallback
00:12:11.256 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:108] - Looking up DN
using userField
00:12:11.257 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the
following parameters:
00:12:11.257 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
00:12:11.257 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter =
(cn={0})
00:12:11.257 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs =
[jdoe-c]
00:12:11.257 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls
=
javax.naming.directory.SearchControls@172978f
00:12:11.258 - DEBUG
[edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler =
[edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@3c591c]
00:12:11.258 - TRACE
[edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config =
{java.naming.provider.url=ldap://ldap01:636,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory,
java.naming.ldap.derefAliases=never,
java.naming.security.protocol=ssl}
00:12:11.258 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting
connectionStrategy: DEFAULT
00:12:11.258 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] -
setting connectionRetryExceptions: [class
javax.naming.NamingException]
00:12:11.259 - TRACE
[edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0}
Attempting connection to ldap://ldap01:636 for strategy DEFAULT
00:12:11.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
00:12:11.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - authtype = simple
00:12:11.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn = null
00:12:11.259 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] - credential = <suppressed>
00:12:11.260 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://ldap01:636, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
00:12:11.496 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:151] - Multiple results found for user: jdoe-c using filter: filter=(cn={0}),filterArgs=[]
00:12:11.502 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:164] - Error occured attempting authentication
javax.naming.NamingException: Found more than (1) DN for: jdoe-c
    at edu.vt.middleware.ldap.auth.SearchDnResolver.resolve(SearchDnResolver.java:156) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.auth.Authenticator.getDn(Authenticator.java:106) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.3.jar:na]
    at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) ~[vt-ldap-3.3.3.jar:na]
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.6.0_24]
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.6.0_24]
    at java.lang.reflect.Method.invoke(Method.java:597) ~[na:1.6.0_24]
    at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [na:1.6.0_24]
    at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [na:1.6.0_24]
    at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [na:1.6.0_24]
    at java.security.AccessController.doPrivileged(Native Method) [na:1.6.0_24]
    at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [na:1.6.0_24]
    at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [na:1.6.0_24]
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160) [shibboleth-identityprovider-2.3.0.jar:na]
    at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106) [shibboleth-identityprovider-2.3.0.jar:na]
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
    at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49) [shibboleth-identityprovider-2.3.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
    at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80) [shibboleth-identityprovider-2.3.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
    at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.3.0.jar:na]
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.32]
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.32]
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.32]
    at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30) [tomcat60adaptor-2.2.1.jar:2.2.1]
    at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227) [catalina-ha.jar:6.0.32]
    at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347) [catalina-ha.jar:6.0.32]
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.32]
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.32]
    at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647) [catalina.jar:6.0.32]
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.32]
    at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429) [tomcat-coyote.jar:6.0.32]
    at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384) [tomcat-coyote.jar:6.0.32]
    at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665) [tomcat-coyote.jar:6.0.32]
    at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
00:12:11.504 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264] - Begin abort
--
Thanks,
Dan McLaughlin
NOTICE: This e-mail message and all attachments transmitted with it
are for the sole use of the intended recipient(s) and may contain
confidential and privileged information. Any unauthorized review, use,
disclosure or distribution is strictly prohibited. The contents of
this e-mail are confidential and may be subject to work product
privileges. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.
On Tue, Jun 7, 2011 at 7:08 PM, Dan McLaughlin <> wrote:
> Hi Daniel,
>
> I don't have a test eDir server on the outside, but I'd be surprised
> if I couldn't reproduce it with OpenLDAP.
>
> I can setup a WebEx at anytime and look directly at the systems if you'd
> like.
>
> By the way... after upgrading to 2.3.0 in our Development environment,
> LDAP authentication fails unless I roll back the vt-ldap jar to
> the 3.3.2 release.
>
> 18:34:46.911 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:144] - Begin initialize
> 18:34:46.911 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - useFirstPass = false
> 18:34:46.911 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:181] - tryFirstPass = false
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:182] - storePass = false
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:183] - clearPass = false
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:184] - setLdapPrincipal = true
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:185] - setLdapDnPrincipal = false
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:186] - setLdapCredential = true
> 18:34:46.912 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:187] - defaultRole = []
> 18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:188] - principalGroupName = null
> 18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:189] - roleGroupName = null
> 18:34:46.913 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
> 18:34:46.913 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: ONELEVEL
> 18:34:46.913 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting subtreeSearch: true
> 18:34:46.914 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: SUBTREE
> 18:34:46.914 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting baseDn: T=MYBASEDN
> 18:34:46.914 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl: true
> 18:34:46.914 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting ldapUrl: ldap://ldap01:636
> 18:34:46.914 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting derefAliases: never
> 18:34:46.915 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting userFilter: (&(cn={0})(objectclass=person))
> 18:34:46.915 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@20797601::env={java.naming.provider.url=ldap://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:412] - Begin getCredentials
> 18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:413] - useFistPass = false
> 18:34:46.915 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:414] - tryFistPass = false
> 18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:415] - useCallback = false
> 18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:416] - callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHandler
> 18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:419] - name callback class = javax.security.auth.callback.NameCallback
> 18:34:46.916 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:421] - password callback class = javax.security.auth.callback.PasswordCallback
> 18:34:46.916 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:173] - User input was empty or null
> 18:34:46.917 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:136] - Authentication failed
> javax.naming.AuthenticationException: Cannot authenticate dn, invalid credential
>     at edu.vt.middleware.ldap.auth.AbstractAuthenticator.authenticateAndAuthorize(AbstractAuthenticator.java:154) ~[vt-ldap-3.3.3.jar:na]
>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:74) ~[vt-ldap-3.3.3.jar:na]
>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:320) ~[vt-ldap-3.3.3.jar:na]
>     at edu.vt.middleware.ldap.auth.Authenticator.authenticate(Authenticator.java:277) ~[vt-ldap-3.3.3.jar:na]
>     at edu.vt.middleware.ldap.jaas.JaasAuthenticator.authenticate(JaasAuthenticator.java:60) ~[vt-ldap-3.3.3.jar:na]
>     at edu.vt.middleware.ldap.jaas.LdapLoginModule.login(LdapLoginModule.java:103) ~[vt-ldap-3.3.3.jar:na]
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[na:1.6.0_24]
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) ~[na:1.6.0_24]
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) ~[na:1.6.0_24]
>     at java.lang.reflect.Method.invoke(Method.java:597) ~[na:1.6.0_24]
>     at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769) [na:1.6.0_24]
>     at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186) [na:1.6.0_24]
>     at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683) [na:1.6.0_24]
>     at java.security.AccessController.doPrivileged(Native Method) [na:1.6.0_24]
>     at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680) [na:1.6.0_24]
>     at javax.security.auth.login.LoginContext.login(LoginContext.java:579) [na:1.6.0_24]
>     at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.authenticateUser(UsernamePasswordLoginServlet.java:160) [shibboleth-identityprovider-2.3.0.jar:na]
>     at edu.internet2.middleware.shibboleth.idp.authn.provider.UsernamePasswordLoginServlet.service(UsernamePasswordLoginServlet.java:106) [shibboleth-identityprovider-2.3.0.jar:na]
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717) [servlet-api.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
>     at edu.internet2.middleware.shibboleth.idp.util.NoCacheFilter.doFilter(NoCacheFilter.java:49) [shibboleth-identityprovider-2.3.0.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
>     at edu.internet2.middleware.shibboleth.idp.session.IdPSessionFilter.doFilter(IdPSessionFilter.java:80) [shibboleth-identityprovider-2.3.0.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
>     at edu.internet2.middleware.shibboleth.common.log.SLF4JMDCCleanupFilter.doFilter(SLF4JMDCCleanupFilter.java:51) [shibboleth-common-1.3.0.jar:na]
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127) [catalina.jar:6.0.32]
>     at com.googlecode.psiprobe.Tomcat60AgentValve.invoke(Tomcat60AgentValve.java:30) [tomcat60adaptor-2.2.1.jar:2.2.1]
>     at org.apache.catalina.ha.session.JvmRouteBinderValve.invoke(JvmRouteBinderValve.java:227) [catalina-ha.jar:6.0.32]
>     at org.apache.catalina.ha.tcp.ReplicationValve.invoke(ReplicationValve.java:347) [catalina-ha.jar:6.0.32]
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102) [catalina.jar:6.0.32]
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109) [catalina.jar:6.0.32]
>     at org.apache.catalina.valves.RemoteIpValve.invoke(RemoteIpValve.java:647) [catalina.jar:6.0.32]
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:298) [catalina.jar:6.0.32]
>     at org.apache.coyote.ajp.AjpAprProcessor.process(AjpAprProcessor.java:429) [tomcat-coyote.jar:6.0.32]
>     at org.apache.coyote.ajp.AjpAprProtocol$AjpConnectionHandler.process(AjpAprProtocol.java:384) [tomcat-coyote.jar:6.0.32]
>     at org.apache.tomcat.util.net.AprEndpoint$Worker.run(AprEndpoint.java:1665) [tomcat-coyote.jar:6.0.32]
>     at java.lang.Thread.run(Thread.java:662) [na:1.6.0_24]
> 18:34:46.918 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:264] - Begin abort
>
>
> If I roll back only the vt-ldap.jar to the 3.3.2 release and change
> nothing else, then the same exact login works fine...
>
>
> 18:45:58.042 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:138] - Begin initialize
> 18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:172] - useFirstPass = false
> 18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:173] - tryFirstPass = false
> 18:45:58.043 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:174] - storePass = false
> 18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:175] - setLdapPrincipal = true
> 18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:176] - setLdapDnPrincipal = false
> 18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:177] - setLdapCredential = true
> 18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:178] - defaultRole = []
> 18:45:58.044 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:179] - principalGroupName = null
> 18:45:58.045 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:180] - roleGroupName = null
> 18:45:58.045 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:77] - userRoleAttribute = []
> 18:45:58.058 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: ONELEVEL
> 18:45:58.060 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:427] - setting subtreeSearch: true
> 18:45:58.060 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1385] - setting searchScope: SUBTREE
> 18:45:58.061 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1370] - setting baseDn: T=MYBASEDN
> 18:45:58.062 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1834] - setting ssl: true
> 18:45:58.063 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1168] - setting ldapUrl: ldap://ldap01:636
> 18:45:58.064 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:1651] - setting derefAliases: never
> 18:45:58.065 - TRACE [edu.vt.middleware.ldap.auth.AuthenticatorConfig:290] - setting userFilter: (&(cn={0})(objectclass=person))
> 18:45:58.068 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:83] - Created authenticator: edu.vt.middleware.ldap.auth.AuthenticatorConfig@7889295::env={java.naming.provider.url=ldap://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:45:58.068 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:368] - Begin getCredentials
> 18:45:58.068 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:369] - useFistPass = false
> 18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:370] - tryFistPass = false
> 18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:371] - useCallback = false
> 18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:372] - callbackhandler class = javax.security.auth.login.LoginContext$SecureCallbackHandler
> 18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:375] - name callback class = javax.security.auth.callback.NameCallback
> 18:45:58.069 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:377] - password callback class = javax.security.auth.callback.PasswordCallback
> 18:45:58.070 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
> 18:45:58.071 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
> 18:45:58.071 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
> 18:45:58.071 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter = (&(cn={0})(objectclass=person))
> 18:45:58.071 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs = [jdoe]
> 18:45:58.071 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls = javax.naming.directory.SearchControls@1c101ac
> 18:45:58.072 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@54c72e]
> 18:45:58.072 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config = {java.naming.provider.url=ldap://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:45:58.072 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: DEFAULT
> 18:45:58.076 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
> 18:45:58.077 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {0} Attempting connection to ldap://ldap01:636 for strategy DEFAULT
> 18:45:58.077 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
> 18:45:58.078 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - authtype = simple
> 18:45:58.078 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn = null
> 18:45:58.079 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] - credential = <suppressed>
> 18:45:58.079 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://ldap01:636, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:45:58.329 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: DEFAULT
> 18:45:58.329 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
> 18:45:58.330 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1} Attempting connection to ldap://ldap01:636 for strategy DEFAULT
> 18:45:58.330 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
> 18:45:58.330 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - authtype = simple
> 18:45:58.330 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn = cn=JDOE,ou=FOO,ou=BAR,o=DIV
> 18:45:58.330 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] - credential = <suppressed>
> 18:45:58.331 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldap://ldap01:636, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:45:58.556 - INFO [edu.vt.middleware.ldap.jaas.JaasAuthenticator:176] - Authentication succeeded for dn: cn=JDOE,ou=FOO,ou=BAR,o=DIV
> 18:45:58.563 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:102] - Looking up DN using userFilter
> 18:45:58.563 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:193] - Search with the following parameters:
> 18:45:58.563 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:194] - dn = T=MYBASEDN
> 18:45:58.564 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:195] - filter = (&(cn={0})(objectclass=person))
> 18:45:58.564 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:196] - filterArgs = [jdoe]
> 18:45:58.564 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:197] - searchControls = javax.naming.directory.SearchControls@282ae6
> 18:45:58.564 - DEBUG [edu.vt.middleware.ldap.auth.SearchDnResolver:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@54c72e]
> 18:45:58.564 - TRACE [edu.vt.middleware.ldap.auth.SearchDnResolver:200] - config = {java.naming.provider.url=ldap://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.security.protocol=ssl}
> 18:45:58.576 - TRACE [edu.vt.middleware.ldap.jaas.LdapLoginModule:199] - Begin commit
> 18:45:58.577 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:207] - Committed the following principals: [jdoe[]]
> 18:45:58.577 - DEBUG [edu.vt.middleware.ldap.jaas.LdapLoginModule:213] - Committed the following roles: []
> 18:45:58.849 - INFO [Shibboleth-Access:73] - 20110607T234558Z|144.45.7.139|www.mydomain.com:443|/profile/SAML2/Redirect/SSO|
> 18:45:58.872 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:93] - setting connectionStrategy: ACTIVE_PASSIVE
> 18:45:58.873 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:110] - setting connectionRetryExceptions: [class javax.naming.NamingException]
> 18:45:58.873 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:152] - {1} Attempting connection to ldaps://ldap01:636 for strategy ACTIVE_PASSIVE
> 18:45:58.873 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
> 18:45:58.873 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] - authtype = simple
> 18:45:58.874 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] - dn = null
> 18:45:58.874 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] - credential = <suppressed>
> 18:45:58.874 - TRACE [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:86] - env = {java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.provider.url=ldaps://ldap01:636, java.naming.ldap.derefAliases=never, java.naming.ldap.attributes.binary=GUID}
> 18:45:59.091 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
> 18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:194] - dn = T=MYBASEDN
> 18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:195] - filter = (&(cn=jdoe)(objectclass=person))
> 18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:196] - filterArgs = []
> 18:45:59.092 - DEBUG [edu.vt.middleware.ldap.Ldap:197] - searchControls = javax.naming.directory.SearchControls@f8a786
> 18:45:59.093 - DEBUG [edu.vt.middleware.ldap.Ldap:198] - handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@f1f2cc, edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@7b6d1c, edu.vt.middleware.ldap.handler.BinarySearchResultHandler@1387498]
> 18:45:59.093 - TRACE [edu.vt.middleware.ldap.Ldap:200] - config = {java.naming.provider.url=ldaps://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.ldap.attributes.binary=GUID}
> 18:45:59.110 - TRACE [edu.vt.middleware.ldap.pool.DefaultLdapFactory:123] - destroyed ldap object: edu.vt.middleware.ldap.Ldap@384082::config=edu.vt.middleware.ldap.LdapConfig@22594860::env={java.naming.provider.url=ldaps://ldap01:636, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.ldap.derefAliases=never, java.naming.ldap.attributes.binary=GUID}
> 18:45:59.286 - INFO [Shibboleth-Audit:969] -
> 20110607T234559Z|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect|_716f56e410da222075ca48a33b078b0c|https://www.mydomain.com/shibboleth|urn:mace:shibboleth:2.0:profiles:saml2:sso|https://www.mydomain.com/idp/shibboleth|urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST|_1f5cb388a646bcaa8434576f8150cc94|jdoe|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|cn,email,telephoneNumber,HexGUID,transientId,surname,givenName,IsCRISUser,AgencyID,|_c126abb8f0f0deba081bb6a496ef6ddf||
>
>
>
> --
>
> Thanks,
>
> Dan McLaughlin
>
>
>
>
> On Tue, Jun 7, 2011 at 10:01 AM, Daniel Fisher <> wrote:
>> On Tue, Jun 7, 2011 at 9:26 AM, Dan McLaughlin <> wrote:
>>> Hi Daniel,
>>>
>>> Actually dereference alias "never" means "Never dereferences aliases".
>>
>> Correct. This is a server side directive. You're telling the server
>> not to dereference.
>>
>>> So if you have an alias it will not be returned.
>>
>> Incorrect. Aliases will be returned if they are found by your search
>> filter. Since the server is *not* dereferencing the aliases, they will
>> be returned as entries.
>>
>>> When we leave the default "always" then the alias and the object it
>>> references are returned and we get the exception about too many
>>> results returned.
>>
>> You should not receive any alias entries when using that setting. If
>> you are, the server is not dereferencing them and something is wrong.
>>
>>> The documentation from Sun/Oracle confirms my understanding.
>>> http://download.oracle.com/javase/jndi/tutorial/ldap/misc/aliases.html
>>
>> Those docs really need a few more examples. I can see why they are
>> confusing.
>>
>> --Daniel Fisher
>>
>
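The derefAliases semantics argued over in the quoted exchange (an alias found by the filter is returned as an ordinary entry under "never"; under "always" the server replaces it with its target) are what make (cn=JDOE-C) match twice when the alias carries the same cn as the person. The script below is an added example written for this page, not vt-ldap, JNDI or IdP code. It models the four RFC 4511 derefAliases values over a small in-memory tree constructed from the alias entry quoted earlier in the thread; the o=DIV base, ou names and the cn/aliasedObjectName values are taken from that entry, while the organizationalUnit classes, the naive comma-split DN handling and the alias-loop check are assumptions made for the example. It also shows the thread's own userFilter, (&(cn={0})(objectclass=person)), excluding the alias without any dereferencing.

```python
"""Model of how an LDAP server applies the search-request derefAliases setting.

Added example for this thread (not vt-ldap or Shibboleth code). The DIT below
is constructed to mirror the eDirectory entries discussed: a person and an
alias object that carries the same cn value. DN parsing is naive (split on
commas; the constructed data has no escaped commas).
"""

PERSON_DN = "cn=JDOE-C,ou=MYNEW,ou=DEPARTMENT,o=DIV"
ALIAS_DN = "cn=JDOE-C,ou=FOO,ou=BAR,o=DIV"
OU = {"objectClass": ["organizationalUnit", "top"]}   # assumed class for the containers

# Constructed DIT: DN -> attributes (only what the example needs).
DIT = {
    "o=DIV": {"objectClass": ["organization", "top"]},
    "ou=BAR,o=DIV": OU, "ou=FOO,ou=BAR,o=DIV": OU,
    "ou=DEPARTMENT,o=DIV": OU, "ou=MYNEW,ou=DEPARTMENT,o=DIV": OU,
    PERSON_DN: {"objectClass": ["person", "top"], "cn": ["JDOE-C"]},
    ALIAS_DN: {"objectClass": ["alias", "top"],
               "cn": ["JDOE-C"],                  # same RDN attribute as the person
               "aliasedObjectName": [PERSON_DN]},
}


def parent(dn):
    return dn.split(",", 1)[1] if "," in dn else None


def children(dn):
    return sorted(d for d in DIT if parent(d) == dn)


def is_alias(dn):
    return "alias" in [oc.lower() for oc in DIT[dn]["objectClass"]]


def deref_chain(dn):
    """Follow aliasedObjectName until a non-alias entry; refuse alias loops."""
    seen = set()
    while is_alias(dn):
        if dn in seen:
            raise ValueError("alias loop at " + dn)
        seen.add(dn)
        dn = DIT[dn]["aliasedObjectName"][0]
        if dn not in DIT:
            raise LookupError("dangling alias target " + dn)
    return dn


def cn_is(value):
    """Filter equivalent to (cn=value); cn matching is case-insensitive."""
    return lambda e: value.lower() in [v.lower() for v in e.get("cn", [])]


def person_named(value):
    """Filter equivalent to (&(cn=value)(objectclass=person)), the thread's userFilter."""
    return lambda e: cn_is(value)(e) and "person" in [oc.lower() for oc in e["objectClass"]]


def search(base, scope, match, deref):
    """Return sorted DNs matching `match` under `base` for scope base/one/sub.

    deref follows RFC 4511 section 4.5.1.3:
      never     - aliases are neither followed to locate the base nor while searching
      searching - an alias met below the base is replaced by its target (for sub, its subtree)
      finding   - only an alias given as the base object is followed
      always    - both
    A dereferenced alias entry is never itself returned.
    """
    if deref in ("finding", "always"):
        base = deref_chain(base)
    results, visited = [], set()

    def visit(dn, depth, descend):
        if dn in visited:
            return
        visited.add(dn)
        if depth > 0 and is_alias(dn) and deref in ("searching", "always"):
            dn = deref_chain(dn)            # the target becomes a new search vertex
            if dn in visited:
                return
            visited.add(dn)
            descend = scope == "sub"        # singleLevel: the target only, not its subordinates
        if scope != "one" or depth > 0:     # oneLevel never returns the base itself
            if match(DIT[dn]):
                results.append(dn)
        if descend:
            for child in children(dn):
                visit(child, depth + 1, scope == "sub")

    visit(base, 0, scope in ("one", "sub"))
    return sorted(results)


def demo():
    """Subtree search for (cn=JDOE-C) from o=DIV under each deref setting."""
    return {d: search("o=DIV", "sub", cn_is("JDOE-C"), d)
            for d in ("never", "searching", "finding", "always")}


if __name__ == "__main__":
    for setting, dns in demo().items():
        print(f"{setting:10s} -> {dns}")
    print("never + objectclass=person ->", search("o=DIV", "sub", person_named("JDOE-C"), "never"))
```

Run it and "never" and "finding" return both DNs (the alias is an entry like any other, and it satisfies (cn=JDOE-C)), which is exactly the "Found more than (1) DN" condition the 3.3.3 log above reports; "searching" and "always" return only the person. Restricting the filter to (objectclass=person) under "never" also yields one DN, which is why the IdP's userFilter matters more than the deref setting here. The model is the RFC's description; a given server (eDirectory included) may implement the corner cases differently, so confirm against the real directory with an ldapsearch using -a never and -a always before relying on either behaviour.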