When implementing our IdP I found lots of conflicting information on how it should be set up. We run a Windows Server 2008 R2 forest and domain functional level, and all of our domain controllers are also global catalogues. I can confirm these settings work:
LDAP configuration in attribute-resolver.xml
<!-- Example LDAP Connector: port 3268 is the AD global catalogue, so one search from the domain root covers the forest -->
<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://domain.suffix:3268" baseDN="dc=domain,dc=suffix" principal="idpserviceaccount@domain.suffix"
    principalCredential="passwordgoeshere">
    <FilterTemplate>
        <![CDATA[
            (samAccountName=$requestContext.principalName)
        ]]>
    </FilterTemplate>
</resolver:DataConnector>
LDAP authentication in login.config
// Example LDAP authentication (JAAS entry for the IdP's UsernamePassword login handler)
// See: https://spaces.internet2.edu/display/SHIB2/IdPAuthUserPass
// ShibUserPassAuth is the entry name the IdP 2.x UsernamePassword handler looks up by default
ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="domain.suffix"
        base="dc=domain,dc=suffix"
        port="3268"
        userField="sAMAccountName"
        subtreeSearch="true"
        serviceUser="serviceaccount@domain.suffix"
        ServiceCredential="passwordgoeshere";
};
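Both snippets above share the same two design decisions: query the global catalogue port rather than a single domain's 389, and look users up by sAMAccountName with the authenticated principal name substituted into the filter. The following is an added example, not code from the post or from the Shibboleth project: it parses a constructed copy of the resolver connector, checks that the ldapURL really targets a GC port (3268 plain, 3269 over SSL; a non-GC port would return referrals for objects in other domains of the forest), and performs the FilterTemplate substitution with the RFC 4515 escaping any interpolated assertion value needs. The XML wrapper element, the `GC_PORTS` table and the sample principal names are assumptions made for the example.

```python
"""Added example (not from the original post or the Shibboleth project):
parse the attribute-resolver.xml LDAP connector, check that it targets an
AD global catalogue port, and render the FilterTemplate with RFC 4515
escaping of the principal name."""
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed copy of the connector from the post, wrapped in an assumed
# AttributeResolver root so it parses stand-alone; credential is a placeholder.
RESOLVER_SNIPPET = """<resolver:AttributeResolver xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      xmlns="urn:mace:shibboleth:2.0:resolver:dc"
      ldapURL="ldap://domain.suffix:3268" baseDN="dc=domain,dc=suffix"
      principal="idpserviceaccount@domain.suffix"
      principalCredential="passwordgoeshere">
    <FilterTemplate><![CDATA[
      (samAccountName=$requestContext.principalName)
    ]]></FilterTemplate>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"
# Assumed table: AD global catalogue ports and the URL scheme each expects.
GC_PORTS = {3268: "ldap", 3269: "ldaps"}


def parse_ldap_connector(xml_text):
    """Return the connector attributes and the stripped filter template."""
    root = ET.fromstring(xml_text)
    dc = root.find(f"{{{RESOLVER_NS}}}DataConnector")
    template = dc.find(f"{{{DC_NS}}}FilterTemplate").text.strip()
    return {
        "id": dc.get("id"),
        "ldapURL": dc.get("ldapURL"),
        "baseDN": dc.get("baseDN"),
        "principal": dc.get("principal"),
        "filterTemplate": template,
    }


def is_global_catalog_url(ldap_url):
    """True when the URL points at a GC port with the matching scheme, so a
    search from the domain root returns forest-wide entries, not referrals."""
    parts = urlsplit(ldap_url)
    return parts.port in GC_PORTS and GC_PORTS[parts.port] == parts.scheme


def escape_filter_value(value):
    """RFC 4515 escaping for an assertion value placed inside a search filter:
    '*', '(', ')', '\\' and NUL become backslash plus two hex digits."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value
    )


def render_filter(template, principal_name):
    """Substitute $requestContext.principalName as the connector does, with the
    value escaped so any filter metacharacters in it are matched literally."""
    return template.replace(
        "$requestContext.principalName", escape_filter_value(principal_name)
    )


def check_connector(xml_text):
    """Summarise the connector and flag a non-GC ldapURL."""
    conn = parse_ldap_connector(xml_text)
    conn["globalCatalog"] = is_global_catalog_url(conn["ldapURL"])
    return conn


if __name__ == "__main__":
    info = check_connector(RESOLVER_SNIPPET)
    print(info)
    print(render_filter(info["filterTemplate"], "jsmith"))
```

Running the block prints the parsed connector with `globalCatalog: True` and the rendered filter `(samAccountName=jsmith)`; a URL on port 389 would be reported as not a global catalogue, which is the usual cause of cross-domain lookups silently returning nothing.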
Marc, I can't thank you enough. I see this post is a couple years old but it really helped me out. I have been through all the shib docs and list, university docs, msad docs and tried so many variations I just kept circling but couldn't seem to land. I can finally continue forward with my project and get some sleep.
Thanks again.
Bonnie
Hi Bonnie,
Really glad it helped you - I had similar evenings of bashing my head against a brick wall trying to get this to work, so felt I should share it.
I have a couple of other posts on getting the attributes from AD security groups that may interest you.
Good luck with your implementation
Marc