
...

The following are issues, encountered by some deployers, related to specific LDAP server products used in conjunction with username/password authentication or the attribute resolver's LDAP data connector.


Microsoft Active Directory

Port

...

Standard LDAP

If all users reside under the same single-depth object (e.g., CN=Users,DC=example,DC=edu), the standard ports can likely be used:

  • 389 for plain-old LDAP or LDAP with StartTLS. Note that StartTLS is only available on Windows Server 2003 and later.
  • 636 for LDAPS

Searches using the above connection information may encounter and need to handle referrals (see Referrals below).

Global Catalog

If users are spread across multiple objects (e.g., CN=Staff,DC=example,DC=edu and CN=Faculty,DC=example,DC=edu) or if the standard connection method (above) doesn't work, the global catalog ports can be used:

  • 3268 for plain-old LDAP or LDAP with StartTLS. Note that StartTLS is only available on Windows Server 2003 and later.
  • 3269 for LDAPS

As a general note, the global catalog supports searches across the entire forest. Attributes that should be accessible to the Shibboleth IdP will have to be specified as part of the Partial Attribute Set (PAS) in Active Directory.

Bind DN

Active Directory authenticates users against its internal Kerberos realm. Therefore the principal name used for the bindDn configuration option should be a Kerberos principal name, user@domain, not a DN, cn=user,ou=Users,dc=example,dc=org.

...

When performing a standard LDAP search on port 389/636, under some circumstances Active Directory will return LDAP referrals as a part of the LDAP result set. For example, this is known to occur when using a domain DN as the LDAP search base (e.g. dc=example,dc=org) as opposed to a lower-level container (e.g. cn=Users,dc=example,dc=org). These referrals must be followed for the connector to complete the query successfully. This entails adding a configuration parameter to the LDAP data connector configuration:

<LDAPProperty name="java.naming.referral" value="follow"/>
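The following is an added example, not code from this wiki page or from the Shibboleth project, showing what the settings above look like when wired together in plain JNDI, which is the layer the java.naming.referral property belongs to: the global catalog port 3268, StartTLS negotiated before any credential is sent, a bind with a Kerberos UPN rather than a DN, and referral following set to the same value as the LDAPProperty line above. The host name, service account, and base DN are constructed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.StartTlsRequest;
import javax.naming.ldap.StartTlsResponse;

/**
 * Connects to an Active Directory global catalog as described in the notes
 * above (port 3268, StartTLS, UPN bind, referral following) and looks up a
 * user's DN across the whole forest.
 */
public class AdLookup {

    // Constructed placeholders; replace with your own values.
    static final String GC_URL   = "ldap://dc1.example.edu:3268"; // 3268 = global catalog, plain/StartTLS
    static final String BIND_UPN = "idp-svc@example.edu";         // Kerberos UPN, not cn=...,dc=...
    static final String BASE_DN  = "DC=example,DC=edu";           // domain root: referrals are likely on 389

    public static LdapContext connect(String url, String upn, char[] password) throws Exception {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        // Same effect as <LDAPProperty name="java.naming.referral" value="follow"/>.
        // With "follow", JNDI re-uses the bind credentials against whichever
        // server a referral points to, so only enable it for servers you trust.
        env.put(Context.REFERRAL, "follow");

        // Step 1: open the connection anonymously; no credentials have been sent yet.
        LdapContext ctx = new InitialLdapContext(env, null);

        // Step 2: negotiate StartTLS so the simple-bind password is never sent in clear.
        StartTlsResponse tls = (StartTlsResponse) ctx.extendedOperation(new StartTlsRequest());
        tls.negotiate(); // uses the JVM's default trust store to validate the DC certificate

        // Step 3: simple bind with the UPN over the now-encrypted channel.
        ctx.addToEnvironment(Context.SECURITY_AUTHENTICATION, "simple");
        ctx.addToEnvironment(Context.SECURITY_PRINCIPAL, upn);
        ctx.addToEnvironment(Context.SECURITY_CREDENTIALS, new String(password));
        ctx.reconnect(null); // forces the bind now rather than on the first search
        return ctx;
    }

    /** Returns the DN of the user with the given sAMAccountName, or null if none. */
    public static String findUserDn(LdapContext ctx, String sAMAccountName) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        // On a GC only attributes in the Partial Attribute Set are returned.
        sc.setReturningAttributes(new String[] {"distinguishedName", "mail"});
        // {0} is substituted by JNDI with the special filter characters escaped,
        // so user-supplied input cannot alter the filter (no string concatenation).
        NamingEnumeration<SearchResult> results = ctx.search(
                BASE_DN, "(&(objectClass=user)(sAMAccountName={0}))",
                new Object[] {sAMAccountName}, sc);
        try {
            return results.hasMore() ? results.next().getNameInNamespace() : null;
        } finally {
            results.close();
        }
    }

    public static void main(String[] args) throws Exception {
        char[] pw = System.console().readPassword("Password for %s: ", BIND_UPN);
        LdapContext ctx = connect(GC_URL, BIND_UPN, pw);
        try {
            System.out.println(findUserDn(ctx, args[0]));
        } finally {
            ctx.close();
        }
    }
}
```

To use LDAPS instead, point the URL at ldaps://dc1.example.edu:3269 (or 636 for a standard search), drop the StartTLS step, and keep the rest unchanged; in either case the certificate must chain to a CA in the JVM trust store, otherwise negotiate() fails. Searching the GC rather than the domain root on 389 usually avoids referrals altogether, which is the safer option when Context.REFERRAL="follow" would otherwise send the service account's credentials to other domain controllers.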

...