Changes between Version 8 and Version 9 of ConnectorsSetup

Timestamp:

04/11/13 16:52:01 (12 years ago)

Author:

dabantz@…

Comment:

--

ConnectorsSetup

@@ -34 +34 @@
 ldaps://edir.alaska.edu:636
 }}}
+
+=== [[IdPSetup|Failover connectors]] ===
+
+If a !DataConnector fails in attribute resolution - for example, if the connection to the server fails because the server is off-line, or connection is refused due to expired credentials or invalid SSL certificate - attribute resolution is aborted, even if attributes were successfully retrieved using other !DataConnectors.  To minimize the impact of such connection failures, include failover in the !DataConnector definition.
+{{{
+<!--  LDAP Connector to edir, a multi-node cluster of LDAP directories -->
+    <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+                                ldapURL="ldaps://edir.alaska.edu:636" baseDN="ou=people,dc=alaska,dc=edu" 
+                                principal="uid=shibboleth03,ou=resource,dc=alaska,dc=edu" principalCredential="shibboleth+20090303">
+                        <resolver:FailoverDataConnector ref="FailoverStaticConnector" />
+        <FilterTemplate>
+            <![CDATA[
+            (|(uid=$requestContext.principalName)(uasystemid=$requestContext.principalName)(bannerid=$requestContext.principalName))
+            ]]>
+        </FilterTemplate>
+    </resolver:DataConnector>
+    
+<!-- Primary UA AD server using Global Catalog search per https://wiki.shibboleth.net/confluence/display/SHIB2/LdapServerIssues -->
+  <resolver:DataConnector id="uaADLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+                                ldapURL="ldaps://fbk-adua01.ua.ad.alaska.edu:3269" baseDN="ou=useraccounts,dc=ua,dc=ad,dc=alaska,dc=edu" 
+                                principal="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu" principalCredential="lkjhyuio87">
+        <resolver:FailoverDataConnector ref="FailoverADConnector" />
+        <FilterTemplate>
+            <![CDATA[
+                (|(sAMAccountName=$requestContext.principalName)(uaIdentifier=$requestContext.principalName))
+            ]]>
+        </FilterTemplate>
+    </resolver:DataConnector>
+<!-- Failover to unencrypted LDAP on second AD node; retrieve public attributes even if certificate issue prevents ldaps connection -->
+  <resolver:DataConnector id="FailoverADConnector" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
+                                ldapURL="ldap://fbk-adua02.ua.ad.alaska.edu:389" baseDN="ou=useraccounts,dc=ua,dc=ad,dc=alaska,dc=edu" 
+                                principal="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu" principalCredential="lkjhyuio87">
+        <resolver:FailoverDataConnector ref="FailoverStaticConnector" />
+        <FilterTemplate>
+            <![CDATA[
+                (|(sAMAccountName=$requestContext.principalName)(uaIdentifier=$requestContext.principalName))
+            ]]>
+        </FilterTemplate>
+        </resolver:DataConnector>
+        
+<!-- Last resort to avoid DataConnector failure & aborted resolution: provide generic attributes -->
+<resolver:DataConnector id="FailoverStaticConnector" xsi:type="Static" xmlns="urn:mace:shibboleth:2.0:resolver:dc">
+        <Attribute id="eduPersonAffiliation">
+          <Value>affiliate</Value>
+          <Value>member</Value>
+     </Attribute>
+</resolver:DataConnector>
+}}}