== [[https://iam.alaska.edu/|IAM]] / [[https://iam.alaska.edu/projects|Projects]] / [[https://iam.alaska.edu/shib|Shibboleth]] / LDAP Connectors == === Shibboleth connector principal names and URLs for LDAP access to UA AD instances: === DEV (Banner LRGP identities) {{{ cn=uashib,ou=uaf_service,ou=uaf,dc=ur,dc=addev,dc=alaska,dc=edu ldaps://addev-ur01.ur.addev.alaska.edu:3269 }}} TEST (Banner TEST identities) {{{ cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=adt,dc=alaska,dc=edu ldaps://fbk-adtua01.ua.adt.alaska.edu:3269 }}} PREP (Banner PREP identities) {{{ cn=uashib,ou=uaf_service,ou=uaf,dc=u,dc=adpp,dc=alaska,dc=edu ldaps://fbk-uadpp01.u.adpp.alaska.edu:3269 }}} PROD (Banner PROD identities) {{{ cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=adt,dc=alaska,dc=edu ldaps://fbk-adua01.ua.ad.alaska.edu:3269 }}} === Shibboleth connector principal names and URLs for DSEE LDAP directories: === PROD (Banner PROD identities in multi-node cluster behind hardware equalizer): {{{ uid=shibboleth03,ou=resource,dc=alaska,dc=edu ldaps://edir.alaska.edu:636 }}} === Establishing trust of self-signed or private-CA certificates for SSL/StartTLS === Certificates used in the UA Domain are issued from a private local CA. Shibboleth configurations will fail to load if they cannot establish trust when required by specifying connections use SSL or StartTLS. Trust of the private CA can be established by: (1) Import the private CA root certificate or the AD service certificate(s) itself into the java trusted keystore. This requires ongoing maintenance as that keystore may be overwritten by any number of upgrade or refresh processes, requiring re-import of the CA certificate. (2) Configure the IdP to directly trust these certificates: (2.1) for authN and (2.2) for retrieving attributes from the LDAP directory [these are independent]: (2.1) Configure the authentication module to trust the AD certificate by adding to the configuration in ''$IDP_HOME''/conf/login.config a line like (per Daniel Fisher 2013-04-24 and 2013-07-30). The explicitly trusted certificate may be an individual server certificate, a pem file with multiple server certificates, or, in this example, the certificate for the issuing private CA: {{{ // UA AD Auth edu.vt.middleware.ldap.jaas.LdapLoginModule sufficient ldapUrl="ldap://fbk-adua02.ua.ad.alaska.edu:3268 ldap://fbk-adua03.ua.ad.alaska.edu:3268" baseDn="dc=ua,dc=ad,dc=alaska,dc=edu" bindDn="cn=uashib,ou=uaf_service,ou=uaf,dc=ua,dc=ad,dc=alaska,dc=edu" bindCredential="•••••••••••" subtreeSearch="true" // Directly reference imported certificate for CA used to create/sign UA AD server certs sslSocketFactory="{trustCertificates=file:/opt/shibboleth-idp/trustedservercerts/UA_AD_CA.pem}" ssl="false" tls="true" userField="sAMAccountName,uaIdentifier"; }}} (2.2) Configure the Data Connectors in '$IDP_HOME''/conf/attribute-resolver.xml to use StartTLSTrustCredential. As for the login configuration, the certificate may be an individual server certificate, or the issuing private CA's certificate. Here we use the same file, so that the IdP has only one copy of the private CA certificate used for both login.config and attribute-resolver.xml https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverLDAPDataConnector additional input from Nate Klingenstein 2013-06-04: {{{ .... /opt/shibboleth-idp/trustedservercerts/UA_AD_CA.pem }}} === [[IdPSetup|Failover connectors]] === If a !DataConnector fails in attribute resolution - for example, if the connection to the server fails because the server is off-line, attribute resolution is aborted, even if attributes were successfully retrieved using other !DataConnectors. To minimize the impact of such connection failures, include failover in the !DataConnector definition. Connections that fail because of a certificate trust failure apparently always abort; certificate trust failure is in effect a fatal error for the IdP. {{{ .... .... .... affiliate member }}}