Resolution: Fixed
Details
Assignee: Rod Widdowson
Reporter: Martin Gollowitzer
Created November 25, 2021 at 12:02 PM
Updated December 20, 2021 at 1:39 PM
Resolved December 20, 2021 at 1:39 PM
We are running Shibboleth IDP 4.1.4 containerized and use an Active Directory as source for our attribute resolver via LDAP.
In ldap.properties, we have set the following (relevant parts):
idp.authn.LDAP.ldapURL = ldap://dc1 ldap://dc2 ldap://dc3
idp.authn.LDAP.connectionStrategy = RANDOM
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
The data connector in attribute-resolver.xml looks like this:
<DataConnector id="ActiveDirectory" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    connectionStrategy="%{idp.attribute.resolver.LDAP.connectionStrategy}">
    <FilterTemplate>
        <![CDATA[
            (userPrincipalName=$resolutionContext.principal)
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        validateDN="%{idp.pool.LDAP.validateDN:}"
        validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
However, according to the logs, Shibboleth uses the ACTIVE_PASSIVE connection strategy, no matter what we set as the strategy in ldap.properties (we even tried setting both strategies to RANDOM without the reference from the resolver to the authn strategy). The only way to get it to use RANDOM is to hardcode the strategy in attribute-resolver.xml and not reference the variables from ldap.properties.
To the best of our knowledge, our configuration should work, so we assume this is a bug.
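As an added illustration (not code from the report or from the Shibboleth project), the following Python stand-in for the IdP's Spring-style `%{key:default}` placeholder resolution shows what the chained properties above should resolve to: a defined property wins over the inline default, an undefined one falls back to it, and a reference to a property whose value is itself a placeholder is followed recursively. The property lines and connector attributes are constructed copies of the ones in the report; the resolver itself is a simplification of Spring's behaviour and is not the IdP's implementation.

```python
import re

# Constructed copy of the relevant ldap.properties lines from the report.
LDAP_PROPERTIES = """
idp.authn.LDAP.ldapURL = ldap://dc1 ldap://dc2 ldap://dc3
idp.authn.LDAP.connectionStrategy = RANDOM
idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
idp.attribute.resolver.LDAP.connectionStrategy = %{idp.authn.LDAP.connectionStrategy:ACTIVE_PASSIVE}
"""

# Constructed subset of the DataConnector attributes from the report.
DATA_CONNECTOR_ATTRS = {
    "ldapURL": "%{idp.attribute.resolver.LDAP.ldapURL}",
    "connectionStrategy": "%{idp.attribute.resolver.LDAP.connectionStrategy}",
    "useStartTLS": "%{idp.attribute.resolver.LDAP.useStartTLS:true}",
    "validateDN": "%{idp.pool.LDAP.validateDN:}",
}

# %{key} or %{key:default}; the default may be empty, as in validateDN above.
PLACEHOLDER = re.compile(r"%\{([^{}:]+)(?::([^{}]*))?\}")


def parse_properties(text):
    """Minimal Java-properties parser: 'key = value' lines, '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        props[key.strip()] = value.strip()
    return props


def resolve(value, props, depth=0):
    """Expand every placeholder in value against props (simplified Spring semantics).

    A property that is defined takes precedence over the inline default; its own
    value is expanded recursively so chains like resolver -> authn work. A missing
    property with no default is an error, as it would be at IdP startup.
    """
    if depth > 10:
        raise ValueError("placeholder nesting too deep (possible cycle)")

    def repl(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return resolve(props[key], props, depth + 1)
        if default is not None:
            return default
        raise KeyError(f"unresolved property {key!r} and no default given")

    return PLACEHOLDER.sub(repl, value)


def effective_attrs(attrs, props):
    """Return the connector attributes with all placeholders expanded."""
    return {name: resolve(v, props) for name, v in attrs.items()}


if __name__ == "__main__":
    for name, value in effective_attrs(DATA_CONNECTOR_ATTRS, parse_properties(LDAP_PROPERTIES)).items():
        print(f"{name} = {value!r}")
```

Running it prints `connectionStrategy = 'RANDOM'`, which is the value the reporter expected the resolver to use; a check like this against your own ldap.properties is a quick way to separate a placeholder-syntax mistake from a bug in how the component consumes the resolved value.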