java11 NPE with ldap configuration (Thread local SslConfig has not been set), works fine in 1.8.0_191-b12
Description
Activity
Closing this out because we've concluded JNDI is no longer viable. The ldaptive in V4 is updated to use UnboundID by default with no explicit deployer step. Various gaps have been addressed in the feature set so JNDI properties should be unneeded.
I've already switched the master branch to use it by adding the property to global-system.xml, so if we wanted to retrofit it it's not hard, but I think it's something a deployer could do without violating any rules, isn't it?
Ugh, just read the wiki note. This feels like we (I) need to embody it into the Windows Installer? Or is that pandering to bugs? I'd be looking at V4 only
Is this safe behavior to retrofit to Java8?
Links to pertinent JDK issues:
https://bugs.java.com/bugdatabase/view_bug.do?bug_id=JDK-8217606
https://bugs.openjdk.java.net/browse/JDK-8217606
Testing with JDK 8u202, JNDI provider appears to work (doesn't crash). Don't know if it leaks, but I could check if I knew what to look for. I assume they would go together though, so looks like they did not backport that bug and Java 8 remains ok.
Ldap connectivity works with Oracle jdk1.8.0_191 but fails to work when the execution environment java is changed to openjdk11+28 for the exact same configuration.
It's as if the loading / configuration setup behaviour changes subtly.
Configurations I've tested:
Good: IdP-3.3.3, openjdk9.0.4, ldaptive-1.0.11 -- no errors, ldap connections work, idp works
Good: IdP-3.3.3, openjdk9.0.4, ldaptive-1.2.3 -- no errors, ldap connections work, idp works
Not Good: IdP-3.4.0, openjdk9.0.4, ldaptive-1.0.11 -- ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace
Not Good: IdP-3.4.0, openjdk9.0.4, ldaptive-1.0.13 -- ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace
Good: IdP-3.4.0, jdk1.8.0_191, ldaptive-1.0.11 -- no errors, ldap connections work, idp works ok
Not Good: IdP-3.4.0, openjdk11+28, ldaptive-1.0.11 -- ERROR state, LDAP connections fail due to SslConfig NPE per stacktrace
Stacktrace: Stack traces from idp v3.4.1 with logback.xml set to TRACE for org.ldaptive, in a sandbox using our build tool environment but with v3.4.1 as the IdP, connecting over TLS to the ldap instance.
2018-11-02 11:14:45,957 - INFO [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:583] - Refreshing shibboleth.AttributeResolverService: startup date [Fri Nov 02 11:14:45 EDT 2018]; parent: Root WebApplicationContext
2018-11-02 11:14:46,441 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@628bd77e
2018-11-02 11:14:46,457 - TRACE [org.ldaptive.BindConnectionInitializer:83] - setting bindDn: cn=shibboleth,ou=apps,dc=example,dc=com
2018-11-02 11:14:46,457 - TRACE [org.ldaptive.BindConnectionInitializer:106] - setting bindCredential: <suppressed>
2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:85] - setting ldapUrl: ldaps://ldap.example.com
2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:110] - setting connectTimeout: 3000
2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:162] - setting responseTimeout: 3000
2018-11-02 11:14:46,458 - TRACE [org.ldaptive.ConnectionConfig:213] - setting sslConfig: [org.ldaptive.ssl.SslConfig@727861082::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@628bd77e, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null]
2018-11-02 11:14:46,459 - TRACE [org.ldaptive.ConnectionConfig:285] - setting connectionInitializer: [org.ldaptive.BindConnectionInitializer@1234219829::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]
2018-11-02 11:14:46,464 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@6b86826a
2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@4b9fa2f
2018-11-02 11:14:46,465 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,466 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@32caae19
2018-11-02 11:14:46,478 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:120] - setting connectionStrategy: org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
2018-11-02 11:14:46,478 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:96] - setting properties: {}
2018-11-02 11:14:46,535 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@49f2646
2018-11-02 11:14:46,536 - TRACE [org.ldaptive.BindConnectionInitializer:83] - setting bindDn: cn=shibboleth,ou=apps,dc=example,dc=com
2018-11-02 11:14:46,536 - TRACE [org.ldaptive.BindConnectionInitializer:106] - setting bindCredential: <suppressed>
2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:85] - setting ldapUrl: ldaps://ldap.example.com
2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:110] - setting connectTimeout: 3000
2018-11-02 11:14:46,536 - TRACE [org.ldaptive.ConnectionConfig:162] - setting responseTimeout: 3000
2018-11-02 11:14:46,537 - TRACE [org.ldaptive.ConnectionConfig:213] - setting sslConfig: [org.ldaptive.ssl.SslConfig@2080672560::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@49f2646, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null]
2018-11-02 11:14:46,537 - TRACE [org.ldaptive.ConnectionConfig:285] - setting connectionInitializer: [org.ldaptive.BindConnectionInitializer@815593047::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]
2018-11-02 11:14:46,542 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,542 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@11170228
2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@46ee7013
2018-11-02 11:14:46,543 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:70] - setting operationExceptionResultCodes: [PROTOCOL_ERROR, SERVER_DOWN]
2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:144] - setting controlProcessor: org.ldaptive.provider.ControlProcessor@69d58731
2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:120] - setting connectionStrategy: org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
2018-11-02 11:14:46,544 - TRACE [org.ldaptive.provider.jndi.JndiProviderConfig:96] - setting properties: {}
2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:131] - setting credentialConfig: org.ldaptive.ssl.CredentialConfigFactory$2@49f2646
2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:155] - setting trustManagers: null
2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:179] - setting hostnameVerifier: null
2018-11-02 11:14:46,558 - TRACE [org.ldaptive.ssl.SslConfig:203] - setting hostnameVerifierConfig: null
2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:227] - setting enabledCipherSuites: null
2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:251] - setting enabledProtocols: null
2018-11-02 11:14:46,559 - TRACE [org.ldaptive.ssl.SslConfig:276] - setting handshakeCompletedListeners: null
2018-11-02 11:14:46,565 - TRACE [org.ldaptive.ssl.SslConfig:203] - setting hostnameVerifierConfig: [org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]
2018-11-02 11:14:46,575 - TRACE [org.ldaptive.ssl.ThreadLocalTLSSocketFactory:48] - Using SSLContextInitializer=[org.ldaptive.ssl.X509SSLContextInitializer@1098139353::trustManagers=null, hostnameVerifierConfig=[org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]], trustCerts=[Ljava.security.cert.X509Certificate;@34070bd2, authenticationCert=null]
2018-11-02 11:14:46,582 - TRACE [org.ldaptive.ssl.X509SSLContextInitializer:123] - Initialize SSLContext with keyManagers=null and trustManagers=[[org.ldaptive.ssl.AggregateTrustManager@1445947009::trustManagers=[sun.security.ssl.X509TrustManagerImpl@6f6f65a4, [org.ldaptive.ssl.HostnameVerifyingTrustManager@160479339::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]], trustStrategy=ALL]]
2018-11-02 11:14:46,626 - TRACE [org.ldaptive.provider.jndi.JndiConnectionFactory:92] - [[ldapUrl=ldaps://ldap.example.com, count=0]] Attempting connection to ldaps://ldap.example.com for strategy org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c
2018-11-02 11:14:46,645 - TRACE [org.ldaptive.ssl.ThreadLocalTLSSocketFactory:48] - Using SSLContextInitializer=[org.ldaptive.ssl.X509SSLContextInitializer@220666452::trustManagers=null, hostnameVerifierConfig=[org.ldaptive.ssl.HostnameVerifierConfig@1958731110::certificateHostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]], trustCerts=[Ljava.security.cert.X509Certificate;@34070bd2, authenticationCert=null]
2018-11-02 11:14:46,646 - TRACE [org.ldaptive.ssl.X509SSLContextInitializer:123] - Initialize SSLContext with keyManagers=null and trustManagers=[[org.ldaptive.ssl.AggregateTrustManager@1878583108::trustManagers=[sun.security.ssl.X509TrustManagerImpl@409395b9, [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]], trustStrategy=ALL]]
2018-11-02 11:14:46,704 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:151] - checkServerTrusted for sun.security.ssl.X509TrustManagerImpl@409395b9 succeeded
2018-11-02 11:14:46,707 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:112] - verifying hostname=ldap.example.com against cert=O=Example Institution, CN=ldap.example.com
2018-11-02 11:14:46,708 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:183] - verifyDNS using subjectAltNames=[]
2018-11-02 11:14:46,735 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:197] - verifyDNS using CN=[ldap.example.com]
2018-11-02 11:14:46,735 - TRACE [org.ldaptive.ssl.DefaultHostnameVerifier:286] - matching for hostname=ldap.example.com, certName=ldap.example.com, isWildcard=false
2018-11-02 11:14:46,735 - TRACE [org.ldaptive.ssl.DefaultHostnameVerifier:304] - match=true for ldap.example.com == ldap.example.com
2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.DefaultHostnameVerifier:201] - verifyDNS found hostname match: ldap.example.com
2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.HostnameVerifyingTrustManager:93] - checkCertificateTrusted for org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828 succeeded against O=Example Institution, CN=ldap.example.com
2018-11-02 11:14:46,736 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:151] - checkServerTrusted for [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]] succeeded
2018-11-02 11:14:46,737 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:179] - invoking getAcceptedIssuers for sun.security.ssl.X509TrustManagerImpl@409395b9
2018-11-02 11:14:46,737 - DEBUG [org.ldaptive.ssl.AggregateTrustManager:179] - invoking getAcceptedIssuers for [org.ldaptive.ssl.HostnameVerifyingTrustManager@1407721609::hostnameVerifier=org.ldaptive.ssl.DefaultHostnameVerifier@6fc7e828, hostnames=[ldap.example.com]]
2018-11-02 11:14:46,790 - DEBUG [org.ldaptive.BindOperation:138] - execute request=[org.ldaptive.BindRequest@608392736::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, saslConfig=null, controls=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@79702169::config=[org.ldaptive.ConnectionConfig@1234328865::ldapUrl=ldaps://ldap.example.com, connectTimeout=3000, responseTimeout=3000, sslConfig=[org.ldaptive.ssl.SslConfig@2080672560::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$2@49f2646, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@815593047::bindDn=cn=shibboleth,ou=apps,dc=example,dc=com, bindSaslConfig=null, bindControls=null]], providerConnectionFactory=[org.ldaptive.provider.jndi.JndiConnectionFactory@1535729270::metadata=[ldapUrl=ldaps://ldap.example.com, count=1], environment={java.naming.ldap.factory.socket=org.ldaptive.ssl.ThreadLocalTLSSocketFactory, com.sun.jndi.ldap.connect.timeout=3000, java.naming.ldap.version=3, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, com.sun.jndi.ldap.read.timeout=3000}, providerConfig=[org.ldaptive.provider.jndi.JndiProviderConfig@1948456514::operationExceptionResultCodes=[PROTOCOL_ERROR, SERVER_DOWN], properties={}, connectionStrategy=org.ldaptive.provider.ConnectionStrategies$ActivePassiveConnectionStrategy@3be46d9c, controlProcessor=org.ldaptive.provider.ControlProcessor@69d58731, environment=null, tracePackets=null, removeDnUrls=true, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, PARTIAL_RESULTS], sslSocketFactory=null, hostnameVerifier=null]], providerConnection=org.ldaptive.provider.jndi.JndiConnection@4a6facb0]
2018-11-02 11:14:46,823 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator:156] - Connection factory validation failed
org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
Caused by: javax.naming.CommunicationException: ldap.example.com:636
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
    at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
2018-11-02 11:14:46,827 - ERROR [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector:151] - Data Connector 'myLDAP': Invalid connector configuration
net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.OperationException@1842537555::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set], providerException=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]]
    at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator.validate(ConnectionFactoryValidator.java:158)
Caused by: org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
Caused by: javax.naming.CommunicationException: ldap.example.com:636
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
    at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
2018-11-02 11:14:46,829 - WARN [net.shibboleth.ext.spring.context.FilesystemGenericApplicationContext:551] - Exception encountered during context initialization - cancelling refresh attempt: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
2018-11-02 11:14:46,845 - ERROR [net.shibboleth.utilities.java.support.service.AbstractReloadableService:182] - Service 'shibboleth.AttributeResolverService': Initial load failed
net.shibboleth.utilities.java.support.service.ServiceException: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
    at net.shibboleth.ext.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:377)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'myLDAP': Invocation of init method failed; nested exception is net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1631)
Caused by: net.shibboleth.utilities.java.support.component.ComponentInitializationException: Data Connector 'myLDAP': Invalid connector configuration
    at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.doInitialize(LDAPDataConnector.java:152)
Caused by: net.shibboleth.idp.attribute.resolver.dc.ValidationException: [org.ldaptive.OperationException@1842537555::resultCode=PROTOCOL_ERROR, matchedDn=null, responseControls=null, referralURLs=null, messageId=-1, message=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set], providerException=javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]]
    at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.ConnectionFactoryValidator.validate(ConnectionFactoryValidator.java:158)
Caused by: org.ldaptive.OperationException: javax.naming.CommunicationException: ldap.example.com:636 [Root exception is java.lang.NullPointerException: Thread local SslConfig has not been set]
    at org.ldaptive.provider.ProviderUtils.throwOperationException(ProviderUtils.java:67)
Caused by: javax.naming.CommunicationException: ldap.example.com:636
    at java.naming/com.sun.jndi.ldap.Connection.<init>(Connection.java:215)
Caused by: java.lang.NullPointerException: Thread local SslConfig has not been set
    at org.ldaptive.ssl.ThreadLocalTLSSocketFactory.getDefault(ThreadLocalTLSSocketFactory.java:70)
2018-11-02 11:14:46,846 - INFO [net.shibboleth.utilities.java.support.service.AbstractReloadableService:184] - Service 'shibboleth.AttributeResolverService': Continuing to poll configuration
ldap.properties file:
# LDAP authentication configuration, see authn/ldap-authn-config.xml
# Note, this doesn't apply to the use of JAAS

## Authenticator strategy, either anonSearchAuthenticator, bindSearchAuthenticator, directAuthenticator, adAuthenticator
idp.authn.LDAP.authenticator=bindSearchAuthenticator

## Connection properties ##
idp.authn.LDAP.ldapURL=ldaps://ldap.example.com
idp.authn.LDAP.useStartTLS=false
idp.authn.LDAP.useSSL=true
# Time in milliseconds that connects will block
#idp.authn.LDAP.connectTimeout = PT3S
# Time in milliseconds to wait for responses
#idp.authn.LDAP.responseTimeout = PT3S

## SSL configuration, either jvmTrust, certificateTrust, or keyStoreTrust
idp.authn.LDAP.sslConfig=certificateTrust
## If using certificateTrust above, set to the trusted certificate's path
idp.authn.LDAP.trustCertificates=%{idp.home}/ssl/ldap-server.crt
## If using keyStoreTrust above, set to the truststore path
idp.authn.LDAP.trustStore=%{idp.home}/credentials/ldap-server.truststore

## Return attributes during authentication
idp.authn.LDAP.returnAttributes=cn

## DN resolution properties ##

# Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
# for AD: CN=Users,DC=example,DC=org
idp.authn.LDAP.baseDN=ou=people,dc=example,dc=com
idp.authn.LDAP.subtreeSearch=true
idp.authn.LDAP.userFilter=(uid={user})

# bind search configuration
# for AD: idp.authn.LDAP.bindDN=adminuser@domain.com
idp.authn.LDAP.bindDN=cn=shibboleth,ou=apps,dc=example,dc=com
idp.authn.LDAP.bindDNCredential=readonly

# Format DN resolution, used by directAuthenticator, adAuthenticator
# for AD use idp.authn.LDAP.dnFormat=%s@domain.com
idp.authn.LDAP.dnFormat=uid=%s,ou=people,dc=example,dc=com

# LDAP attribute configuration, see attribute-resolver.xml
# Note, this likely won't apply to the use of legacy V2 resolver configurations
idp.attribute.resolver.LDAP.ldapURL=%{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectTimeout=%{idp.authn.LDAP.connectTimeout:PT3S}
idp.attribute.resolver.LDAP.responseTimeout=%{idp.authn.LDAP.responseTimeout:PT3S}
idp.attribute.resolver.LDAP.baseDN=%{idp.authn.LDAP.baseDN:undefined}
idp.attribute.resolver.LDAP.bindDN=%{idp.authn.LDAP.bindDN:undefined}
idp.attribute.resolver.LDAP.bindDNCredential=%{idp.authn.LDAP.bindDNCredential:undefined}
idp.attribute.resolver.LDAP.useStartTLS=%{idp.authn.LDAP.useStartTLS:true}
idp.attribute.resolver.LDAP.trustCertificates=%{idp.authn.LDAP.trustCertificates:undefined}
idp.attribute.resolver.LDAP.searchFilter=(uid=$resolutionContext.principal)

# LDAP pool configuration, used for both authn and DN resolution
#idp.pool.LDAP.minSize = 3
#idp.pool.LDAP.maxSize = 10
#idp.pool.LDAP.validateOnCheckout = false
#idp.pool.LDAP.validatePeriodically = true
#idp.pool.LDAP.validatePeriod = PT5M
#idp.pool.LDAP.prunePeriod = PT5M
#idp.pool.LDAP.idleTime = PT10M
#idp.pool.LDAP.blockWaitTime = PT3S
#idp.pool.LDAP.failFastInitialize = false
attribute-resolver.xml DataConnector (v3.4.0 syntax)
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
        failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
</DataConnector>
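The root-cause line in the trace above, a NullPointerException with the message "Thread local SslConfig has not been set" thrown from ThreadLocalTLSSocketFactory.getDefault, is the signature of a thread-local lookup that found no value. The following is an added illustration, not ldaptive's or the IdP's code and not a claim about what the JDK 11 change actually does: a constructed factory that keeps its TLS configuration in a ThreadLocal, shown working when the caller sets the value and calls getDefault() on the same thread, failing with the same message when the lookup runs on a different thread (one way such lookups fail; the page does not establish that this is the JDK 11 mechanism), and a variant that carries the configuration in an instance field so it is visible from any thread. Every class and method name here (SslConfig stand-in, ThreadLocalFactory, ExplicitFactory) is an assumption made for the demonstration.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;

// Constructed demonstration of thread-local configuration lookup; not ldaptive code.
public class ThreadLocalSslConfigDemo {

    /** Minimal stand-in for a TLS trust configuration (constructed for this demo). */
    static final class SslConfig {
        final String trustCertificates;
        SslConfig(String trustCertificates) { this.trustCertificates = trustCertificates; }
    }

    /**
     * Hypothetical factory that stores its SslConfig in a ThreadLocal so that a static
     * getDefault() (the only entry point a reflective caller can reach) can find it.
     * The value is visible only on the thread that called set().
     */
    static final class ThreadLocalFactory {
        private static final ThreadLocal<SslConfig> CONFIG = new ThreadLocal<>();

        static void setThreadLocalSslConfig(SslConfig config) { CONFIG.set(config); }
        static void removeThreadLocalSslConfig() { CONFIG.remove(); }

        /** Same failure shape as the trace: no value on this thread, so NPE with a message. */
        static String getDefault() {
            SslConfig config = CONFIG.get();
            if (config == null) {
                throw new NullPointerException("Thread local SslConfig has not been set");
            }
            return "TLS socket factory trusting " + config.trustCertificates;
        }
    }

    /** Hypothetical alternative: the configuration travels with the instance, not the thread. */
    static final class ExplicitFactory {
        private final SslConfig config;
        ExplicitFactory(SslConfig config) { this.config = config; }
        String create() { return "TLS socket factory trusting " + config.trustCertificates; }
    }

    /** Set and look up on the same thread: the lookup succeeds. */
    static String sameThread() {
        ThreadLocalFactory.setThreadLocalSslConfig(new SslConfig("ldap-server.crt"));
        try {
            return ThreadLocalFactory.getDefault();
        } finally {
            // Always clear: a value left behind would leak into whatever next runs on a pooled thread.
            ThreadLocalFactory.removeThreadLocalSslConfig();
        }
    }

    /** Set on the caller, look up on a worker thread: the worker sees no value. */
    static String otherThread(ExecutorService pool) throws Exception {
        ThreadLocalFactory.setThreadLocalSslConfig(new SslConfig("ldap-server.crt"));
        try {
            Future<String> result = pool.submit(ThreadLocalFactory::getDefault);
            return result.get();  // throws ExecutionException wrapping the NPE
        } finally {
            ThreadLocalFactory.removeThreadLocalSslConfig();
        }
    }

    /** Explicit configuration works from any thread because nothing depends on thread identity. */
    static String explicitOnOtherThread(ExecutorService pool) throws Exception {
        ExplicitFactory factory = new ExplicitFactory(new SslConfig("ldap-server.crt"));
        return pool.submit(factory::create).get();
    }

    public static void main(String[] args) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor();
        try {
            System.out.println("same thread:     " + sameThread());
            try {
                System.out.println("other thread:    " + otherThread(pool));
            } catch (ExecutionException e) {
                System.out.println("other thread:    " + e.getCause());
            }
            System.out.println("explicit config: " + explicitOnOtherThread(pool));
        } finally {
            pool.shutdown();
        }
    }
}
```

Compile with javac and run the class directly. The first and third calls return a socket-factory description; the second ends in the wrapped NullPointerException carrying the same message as the trace, which is what makes a thread-local lookup a useful thing to rule in or out when a socket factory that worked on one JDK starts failing on another.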