idp.attribute.resolver.LDAP.connectionStrategy ignored in attribute-resolver.xml

Basics

Technical

Logistics

Basics

Technical

Logistics

Description

We are running Shibboleth IDP 4.1.4 containerized and use an Active Directory as source for our attribute resolver via LDAP.
In ldap.properties, we have set the following (relevant parts):

{{idp.authn.LDAP.ldapURL = ldap://dc1 ldap://dc2 ldap://dc3
idp.authn.LDAP.connectionStrategy = RANDOM
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}}}

The data connector in attribute-resolver.xml looks like this:

<DataConnector id="ActiveDirectory" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}">
    <FilterTemplate>
        <![CDATA[
            (userPrincipalName=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <ConnectionPool
      minPoolSize="%{idp.pool.LDAP.minSize:3}"
      maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
      blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
      validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
      validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
      validateDN="%{idp.pool.LDAP.validateDN:}"
      validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
      expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
  </DataConnector>

However, according to the logs, Shibboleth uses the ACTIVE_PASSIVE connection strategy, no matter what we set as strategy in ldap.properties (we even tried setting both strategies to RANDOM without the reference from the resolver to the authn strategy). The only way to get it to use RANDOM is to hardcode the strategy in attribute-resolver.xml and not referencing the variables from ldap.properties.

To the best of our knowledge, our configuration should work, so we assume this is a bug.

Environment

Container based on jetty:9.4.43-jre11 run via podman on RHEL 8.4

Activity

Rod Widdowson

December 20, 2021 at 1:39 PM

Test cherry-picked from mainline and error confirmed.
Fix cherry-picked from mainline and confirmed error fixed.
Done.

Scott Cantor

December 17, 2021 at 6:44 PM

(edited)

This could probably be backported safely to 4.1.5? @Rod Widdowson If I’m not mistaken, please roll this up and apply back when you have a chance.

Rod Widdowson

December 10, 2021 at 10:53 AM

@Martin Gollowitzer: Thanks for digging this one out.

This is now fixed and will be part of V4.2

meanwhile the work around is to not use properties when setting connectionStrategy

hence

...nectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    connectionStrategy="RANDOM">
    <FilterTem...

Rod Widdowson

December 9, 2021 at 8:35 PM

Test added (and it fails). Fix committed (and test now passes),

I’ll wait until the CI situation stabilizes before I push the changes.

Rod Widdowson

December 9, 2021 at 11:37 AM

I’ve code up a fix, but I need to write some regression tests

Resize issue view side panel

Fixed

Details

Assignee

Rod Widdowson

Reporter

Martin Gollowitzer

Created November 25, 2021 at 12:02 PM

Updated December 20, 2021 at 1:39 PM

Resolved December 20, 2021 at 1:39 PM

idp.attribute.resolver.LDAP.connectionStrategy ignored in attribute-resolver.xml

Description

Environment

Activity

Details

Assignee

Reporter

Components

Fix versions

Affects versions

Flag notifications

Something's gone wrong

Something's gone wrong