Changes between Version 29 and Version 30 of ConnectorsSetup


Timestamp:
08/01/13 11:30:19 (11 years ago)
Author:
dabantz@…
Comment:

--

  • ConnectorsSetup

    v29 v30  
    4343(2) Configure the IdP to directly trust these certificates: (2.1) for authN and (2.2) for retrieving attributes from the LDAP directory [these are independent]: 
    4444 
    45  (2.1) Configure the authentication module to trust the AD certificate by adding to the configuration in ''$IDP_HOME''/conf/login.config a line like (per Daniel Fisher <dfisher@vt.edu> 2013-04-24 and 2013-07-30): 
     45 (2.1) Configure the authentication module to trust the AD certificate by adding to the configuration in ''$IDP_HOME''/conf/login.config a line like (per Daniel Fisher <dfisher@vt.edu> 2013-04-24 and 2013-07-30). The explicitly trusted certificate may be an individual server certificate, a pem file with multiple server certificates, or, in this example, the certificate for the issuing private CA: 
    4646 
    47   {{{ 
    48 // UA AD Auth 
    49    edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient 
    50       ldapUrl="ldap://fbk-adua02.ua.ad.alaska.edu:3268" 
    51       baseDn="dc=ua,dc=ad,dc=alaska,dc=edu" 
    52       bindDn="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu" 
    53       bindCredential="••••••••••" 
    54       subtreeSearch="true" 
    55 // Directly reference imported server certificate for TLS on 3268 rather than SSL on 3269 
    56       sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/trustedservercerts/Fbk-Adua02.ua.ad.alaska.edu.pem}" 
    57       ssl="false" 
    58       tls="true" 
    59       userField="sAMAccountName,uaIdentifier"; 
    6047 
    61   }}} 
    62  
    63 For multiple server instances to provide connection fail-over, or simply to avoid importing and maintaining relatively short-lived server certificates, trust the issuing CA's certificate: 
    6448 {{{ 
    6549 
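Review bot: dropping old lines 47-63 removes the only sentence that explains why the issuing CA's certificate is preferred over an imported server certificate ("For multiple server instances to provide connection fail-over, or simply to avoid importing and maintaining relatively short-lived server certificates, trust the issuing CA's certificate"); the rewritten (2.1) on new line 45 lists the three trust-anchor options but gives no rationale, so fold that sentence into it. Worth keeping from the removed example as well is the comment on old line 55 ("TLS on 3268 rather than SSL on 3269"), since the retained block's ssl/tls settings are outside the visible context and a reader may otherwise not see why the trust anchor in sslSocketFactory matters for a StartTLS bind.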
     
    6953      baseDn="dc=ua,dc=ad,dc=alaska,dc=edu" 
    7054      bindDn="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu" 
    71       bindCredential="lkjhyuio87" 
     55      bindCredential="•••••••••••" 
    7256      subtreeSearch="true" 
    7357// Directly reference imported certificate for CA used to create/sign UA AD server certs  
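Review bot: masking bindCredential on new line 55 does not remove the plaintext value from old line 71, which Trac keeps in the v29 page history for anyone with read access to this wiki; treat the uashib bind password as exposed and rotate it on the AD side. Also prefer an obvious literal placeholder such as bindCredential="<bind-password>" over bullet characters, which a reader can paste into login.config verbatim and then spend time debugging a failed bind.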
     
    7862 
    7963 }}} 
    80  (2.2) Configure the Data Connectors in '$IDP_HOME''/conf/attribute-resolver.xml to use StartTLSTrustCredential.  https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector 
    81 (additional input from Nate Klingenstein <Nate Klingenstein <ndk@internet2.edu> 2013-06-04): 
     64 (2.2) Configure the Data Connectors in '$IDP_HOME''/conf/attribute-resolver.xml to use StartTLSTrustCredential.   
     65 
     66 As for the login configuration, the certificate may be an individual server certificate, or the issuing private CA's certificate.  Here we use the same file, so that the IdP has only one copy of the private CA certificate used for both login.config and attribute-resolver.xml 
     67 
     68 https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector 
     69 additional input from Nate Klingenstein <Nate Klingenstein <ndk@internet2.edu> 2013-06-04: 
     70 
    8271{{{  
    8372<resolver:DataConnector xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc" 
    84                  id="uaADLDAP" 
    85                  ldapURL="ldaps://fbk-adua01.ua.ad.alaska.edu:3268"     
    86                  baseDN="ou=useraccounts,dc=ua,dc=ad,dc=alaska,dc=edu"  
    87                  principal="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu"   
    88                  principalCredential="•••••••••••" 
    89                  useStartTLS="true"> 
     73            id="uaADLDAP" 
     74            ldapURL="ldap://fbk-adua01.ua.ad.alaska.edu:3268"     
     75            baseDN="ou=useraccounts,dc=ua,dc=ad,dc=alaska,dc=edu"  
     76            principal="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu"   
     77            principalCredential="•••••••••••" 
     78            useStartTLS="true"> 
    9079 
    9180    <FilterTemplate>....</FilterTemplate> 
    9281 
    93     <StartTLSTrustCredential xsi:type="security:X509Inline"  
    94                 xmlns:security="urn:mace:shibboleth:2.0:security"  
    95                 id="UA_AD_CA_Certificate"> 
    96         <security:Certificate> 
    97             <!-- DER or PEM encoded cert --> 
    98         </security:Certificate> 
     82    <StartTLSTrustCredential xsi:type="security:X509Filesystem"  
     83               xmlns:security="urn:mace:shibboleth:2.0:security"  
     84               id="UA_AD_CA_Certificate"> 
     85              <security:Certificate> 
     86                   /opt/shibboleth-idp/trustedservercerts/UA_AD_CA.pem 
     87              </security:Certificate> 
    9988    </StartTLSTrustCredential> 
    10089</resolver:DataConnector> 
    101  
    102 <!-- OR --> 
    103  
    104    <StartTLSTrustCredential xsi:type="security:X509FileSystem"  
    105                xmlns:security="urn:mace:shibboleth:2.0:security"  
    106                id="UA_AD_CA_Certificate"> 
    107        <security:Certificate>/opt/shibboleth-idp/trustedservercerts/UA_AD_CA.pem</security:Certificate> 
    108    </StartTLSTrustCredential> 
    10990}}} 
    11091=== [[IdPSetup|Failover connectors]] ===
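Review bot: the ldapURL change on new line 74 (ldap://fbk-adua01.ua.ad.alaska.edu:3268 with useStartTLS="true") corrects a real inconsistency in old line 85, which combined an ldaps:// scheme with the plain Global Catalog port 3268 and useStartTLS, and it now matches the ldap://…:3268 plus StartTLS pattern the login.config section already uses; say this explicitly in the (2.2) text so the next editor does not "fix" it back to ldaps. Two smaller points: the old alternative on line 104 spelled the type X509FileSystem while new line 82 uses X509Filesystem, and xsi:type values are case-sensitive, so confirm the spelling against the IdP security schema; and new lines 85-87 wrap the certificate path in newlines and indentation where old line 107 kept it inline, so verify that the IdP trims element text, or keep the inline form. The attribution on new line 69 also repeats the name ("Nate Klingenstein <Nate Klingenstein <ndk@internet2.edu>").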