Current File(s): conf/authn/password-authn-config.xml, conf/ldap.properties, conf/authn/authn.properties
Format: Native Spring, Properties
...
The idp.authn.LDAP.authenticator property controls the workflow for how authentication occurs against the LDAP directory for most “simple” cases by automatically configuring a number of underlying objects based on a set of built-in “authenticator types” supported by the ldaptive library.
anonSearchAuthenticator | Performs an anonymous search for the user's DN |
bindSearchAuthenticator | Binds with a configured DN as a service account, then searches for the user's DN |
directAuthenticator | User DNs are of a known format. i.e. CN=user_name,ou=accounts,dc=domain,dc=edu. No DN search is performed. |
adAuthenticator | Configuration that leverages the AD specific @domain.com format. No DN search is performed since AD supports binding directly with that user name. |
Depending on the choice above, various other properties must be set (see the reference section below).
...
If StartTLS or SSL are used, a source of trust anchors must be configured to control certificate validation, using the idp.authn.LDAP.sslConfig property:
certificateTrust | Uses the idp.authn.LDAP.trustCertificates property to load a resource containing the trust anchors (such as a file of PEM-format certificates) |
keyStoreTrust | Uses the idp.authn.LDAP.trustStore property to load a keystore containing the trust anchors |
jvmTrust | Uses the default JVM trust anchors (the JVM-wide "cacerts" file) |
disabled | Does not allow SSL or startTLS connections. |
We have tentative plans to deprecate the “jvmTrust” option, which has already been removed from the attribute resolution side of the software, as it is bad practice and has been a source of serious security flaws.
...
Expand | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
A number of properties are found in ldap.properties to configure LDAP authentication global defaults. Most of the time, this is sufficient to deal with most configurations without having to delve into modifying any beans, unless you're trying to chain together separately configured back-ends. Note that the big "override everything" hook tends to be the idp.authn.LDAP.authenticator property, as most of the other properties auto-configure specific aspects of one of the built-in Authenticator beans.
|
...
Expand | ||
---|---|---|
| ||
LDAP attributes are returned as part of the authentication process and exposed in the LDAPResponseContext. | ||
Property | Sample | Result |
Property | Sample | Result |
---|---|---|
idp.authn.LDAP.returnAttributes | uid, eduPersonAffiliation | Returns the uid and eduPersonAffiliation attributes. |
* | Returns all user attributes on the entry. | |
*,+ | Returns all user and operational attributes on the entry. | |
1.1 | No attribute returned. No search performed. |
By default, attributes will be searched for using the same connection the user authenticated on. Therefore the user must have read on any attributes for those to be returned.
If you need access to attributes that user does not have read access to, then you must configure a connection pool that is authorized to read that data. The easiest way to that is to use the idp.authn.LDAP.resolveEntryWithBindDN=true
property. This will configure a separate connection pool using the bind credentials. However, if the attributes you need require different credentials, then following configuration demonstrates how to add a new connection pool for that purpose.
Spring Configuration
Code Block | ||
---|---|---|
| ||
<!-- Modify the authenticator to use the entry resolver --> <bean name="anonSearchAuthenticator" class="org.ldaptive.auth.Authenticator" p:entryResolver-ref="bindSearchEntryResolver"> ... <!-- Add an entry resolver to read attributes --> <bean id="bindSearchEntryResolver" class="org.ldaptive.auth.PooledSearchEntryResolverSearchEntryResolver" p:connectionFactory-ref="entryResolverPooledConnectionFactory" /> <bean id="entryResolverPooledConnectionFactory" class="org.ldaptive.pool.PooledConnectionFactory" p:connectionPoolconnectionConfig-ref="entryResolverConnectionPool" /> <bean id="entryResolverConnectionPool" class="org.ldaptive.pool.BlockingConnectionPool" parent="connectionPool" p:connectionFactory-ref="entryResolverConnectionFactory" pentryResolverConnectionConfig" p:name="entry-resolver-pool" /> <bean id="entryResolverConnectionFactory" class="org.ldaptive.DefaultConnectionFactory" p:connectionConfig-ref="entryResolverConnectionConfig" /> <bean id="entryResolverConnectionConfig" parent="connectionConfig" p:connectionInitializerconnectionInitializers-ref="entryResolverConnectionInitializer" /> <bean id="entryResolverConnectionInitializer" class="org.ldaptive.BindConnectionInitializer" p:bindDn="%{idp.authn.LDAP.entryResolver.bindDN}"> <property name="bindCredential"> <bean class="org.ldaptive.Credential"> <constructor-arg value="%{idp.authn.LDAP.entryResolver.bindDNCredential}" /> </bean> </property> </bean> |
Add the idp.authn.LDAP.entryResolver.bindDN and idp.authn.LDAP.entryResolver.bindDNCredential properties to conf/ldap.properties and credentials/secrets.properties respectively. Then set idp.authn.LDAP.authenticator to anonSearchAuthenticator. to complete the configuration.
Note: if you're using the bindSearchAuthenticator and those credentials can be reused for entry resolution, then this configuration can be shortened by wiring the bindPooledConnectionFactory to the entry resolver.
title | DN Resolution |
---|
Single Directory with Multiple Branches
Expand | |||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||||||||||||||||||
Single Directory with Multiple BranchesExtensible MatchingIf your directory supports extensible matching, this is the easiest way to find users that are distributed over multiple branches.
Aggregate DN ResolverThis authenticator combines the results of multiple DN resolvers. Spring Configuration
Add the idp.authn.LDAP.baseDN[12] and idp.authn.LDAP.userFilter[12] properties to conf/ldap.properties. The key values used in dnResolvers and authHandlers can be anything, but must tie a single DN resolver to a single auth handler. By default an error will occur if more than (1) DN is resolved. In addition to these beans, the aggregateAuthenticator bean (in the example above) must be injected into the LDAP credential validator in password-authn-config.xml: Code Block | -authn-config.xml:
Multiple DirectoriesAggregate DN ResolverThis authenticator combines the results of multiple DN resolvers that connect to multiple directories. Spring Configuration
Multiple DirectoriesAggregate DN ResolverThis authenticator combines the results of multiple DN resolvers that connect to multiple directories. Spring Configuration
Complete example with DN resolvers and authentication handlers for bindSearch
Complete example with DN resolvers and authentication handlers for bindSearch
DN resolvers are invoked asynchronously, so all resolvers will be used for each authentication request. |
Expand | |||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| |||||||||||||||||||||||||||
The ldaptive LDAP library has the ability to extract detailed account status information from the directory during authentication. According to the Ldaptive documentation, no standard for exposing account state data has been universally adopted by LDAP vendors, but the library uses a handler which encapsulates account state information. This state contains Warning and Error types that are common to the most popular policy implementations. Password Policy ControlThe Password Policy for LDAP Directories (draft) standard is implemented by several LDAP directories, including OpenLDAP and Oracle DSEE. The Password Policy Control is used during an LDAP bind operation to request information about the user's account state. To enable the Password Policy Control handlers in ldaptive, add the following to conf/ldap.properties: conf/ldap.properties
The user will be informed on the login page if there are any Password Policy warnings or errors (messages can be customized in messages/messages.properties). Password expiration warnings have been confirmed to work with Oracle DSEE. Please notify us or edit this page if you test successfully with other directory products. Locked AccountsTo inform the user of a locked account, some configuration is needed to detect the error code returned by the LDAP bind request. In authn/password-authn-config.xml, add an entry to the message clasification rules defined by shibboleth.authn.Password.ClassifiedMessageMap password-authn-config.xml
This maps the error code to a AccountLocked event. It will run the empty user flow authn/conditions/account-locked and then pass control back to the form. With this configuration, the user gets the message "Your account is locked". Debug informationDetails of the AuthenticationResponse received, including the password policy controls, can be viewed using the TRACE log level in the logger of name "net.shibboleth.idp" (edit logback.xml). Active Directory ConfigurationThe system comes with definitions to configure Active Directory authentication response handlers against a single directory. Active Directory does not fully support extensible match rules (https://msdn.microsoft.com/en-us/library/cc223241.aspx). Active Directory (by default) does not support anonymous queries (https://technet.microsoft.com/en-us/library/Cc755809%28v=WS.10%29.aspx). Using an entry resolver to generate password expiration warningsSpring Configuration
Example for two Active Directories with two DN Resolvers for eachThis example uses directed BaseDN's with LDAP filters, and binds the queries. Spring Configuration
Add missing Active Directory account state errorsIf adAuthenticator is the authenticator set in the idp.authn.LDAP.authenticator property, Short Description values are contained in the response. If bindSearchAuthenticator is the authenticator set in the idp.authn.LDAP.authenticator property, HEX values are contained in the response. It is possible to use either or both as outlined in the following example. (http://ldapwiki.willeke.com/wiki/Common%20Active%20Directory%20Bind%20Errors) password-authn-config.xml
messages/messages.properties
|
...