Changes between Version 11 and Version 12 of idpiam2018


Timestamp:
Sep 3, 2018, 8:41:24 AM (6 years ago)
Author:
admin
Comment:

--

  • idpiam2018

    v11 v12  
    719719
    72072028. Connect the openLDAP to the IdP to allow the authentication of the users:
    721     * use `openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt` to load the ldap certificate.
     721* use `openssl x509 -outform der -in /etc/ssl/certs/ldap_server.pem -out /opt/shibboleth-idp/credentials/ldap_server.crt` to load the ldap certificate.
    722722   
    723     If you host ldap in a seperate machine, copy the ldap_server.crt to  `/opt/shibboleth-idp/credentials}}} *
    724 {{{
    725    vim /opt/shibboleth-idp/conf/ldap.properties}}}
    726 
    727      * Solution 1: LDAP + STARTTLS:
     723If you host ldap in a seperate machine, copy the ldap_server.crt to  `/opt/shibboleth-idp/credentials`
     724*
     725{{{
     726   vim /opt/shibboleth-idp/conf/ldap.properties
     727}}}
     728* Solution 1: LDAP + STARTTLS:
    728729
    729730{{{
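Review bot: at v12 line 724 the bullet marker `*` is left on a line by itself, so the `vim /opt/shibboleth-idp/conf/ldap.properties` block that follows is no longer attached to any list item; put the instruction on the bullet line (for example `* edit the LDAP properties file:`) and keep the `{{{ ... }}}` block under it. The typo "seperate" on line 723 is carried over from v11 unchanged and should read "separate".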
     
    739740       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
    740741       idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
    741        }}}
    742      * Solution 2: LDAP + TLS:
     742}}}
     743
     744* Solution 2: LDAP + TLS:
    743745
    744746{{{
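Review bot: line 740 (v12) writes the LDAP admin bind password into `ldap.properties` in clear text through the `###LDAP_ADMIN_PASSWORD###` placeholder, but the step says neither that the placeholder must be replaced before the restart nor that the file should be readable only by the account Tomcat runs as; add both sentences here, since Solutions 2 and 3 reuse the same `idp.authn.LDAP.bindDNCredential` line.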
     
    754756       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
    755757       idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates:undefined}
    756        }}}
    757      * Solution 3: plain LDAP
     758}}}
     759* Solution 3: plain LDAP
    758760 
    759761{{{
     
    766768       idp.authn.LDAP.bindDN = cn=admin,dc=example,dc=org
    767769       idp.authn.LDAP.bindDNCredential = ###LDAP_ADMIN_PASSWORD###
    768        }}}       (If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file:
     770}}}       
     771(If you decide to use the Solution 3, you have to remove (or comment out) the following code from your Attribute Resolver file:
    769772     
    770773{{{
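Review bot: v12 lines 770-771 only move the "(If you decide to use the Solution 3 ..." sentence onto its own line; the section still never says that plain LDAP sends the `cn=admin,dc=example,dc=org` bind credential and every authenticating user's password over the network unencrypted, which is why the certificate-related settings are dropped for this option. State that Solution 3 is only acceptable when OpenLDAP runs on the same host as the IdP, the case the earlier "separate machine" note already distinguishes.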
     
    777780       -->
    778781       </resolver:DataConnector>
    779        }}}
    780        '''UTILITY FOR OPENLDAP ADMINISTRATOR:'''
    781         *
    782 {{{
    783    ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn}}}           * the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users)
    784            * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP)
    785 
     782}}}
     783'''UTILITY FOR OPENLDAP ADMINISTRATOR:'''*ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn`* the baseDN ==> `ou=people, dc=example,dc=org` (branch containing the registered users) * the bindDN ==> `cn=admin,dc=example,dc=org` (distinguished name for the user that can made queries on the LDAP)
    786784
    78778529. Enrich IDP logs with the authentication error occurred on LDAP:
    788 *
    789 {{{
    790    vim /opt/shibboleth-idp/conf/logback.xml}}}
     786*
     787{{{
     788   vim /opt/shibboleth-idp/conf/logback.xml
     789}}}
    791790{{{
    792791     <!-- Logs LDAP related messages -->
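Review bot: v12 line 783 collapses the whole UTILITY section into one line and drops the opening backtick before `ldapsearch`, so the command and the two sub-bullets (baseDN and bindDN) now render as a single run-on sentence; keep the v11 layout, i.e. the bold heading, a `{{{ ldapsearch -H ldap:// -x -b "dc=example,dc=it" -LLL dn }}}` block and one bullet per definition. Also, the search base `dc=example,dc=it` does not match the `dc=example,dc=org` suffix used for the baseDN and bindDN on the same line, and "can made queries" should read "can make queries".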
     
    795794     <!-- Logs on LDAP user authentication -->
    796795     <logger name="org.ldaptive.auth.Authenticator" level="INFO" />
    797      }}}
     796}}}
    79879730. Build the '''attribute-resolver.xml''' to define which attributes your IdP can manage. Here you can find the '''attribute-resolver-v1-LEARN.xml''' provided by LEARN:
    799     * Download the attribute resolver provided by LEARN:
    800       `wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml}}}
    801     * Modify `services.xml` file:
    802       `vim /opt/shibboleth-idp/conf/services.xml}}}
     798* Download the attribute resolver provided by LEARN:
     799      `wget https://fr-training.ac.lk/attribute-resolver-v1-LEARN.xml -O /opt/shibboleth-idp/conf/attribute-resolver-v1-LEARN.xml`
     800* Modify `services.xml` file:
     801      `vim /opt/shibboleth-idp/conf/services.xml`
    803802{{{
    804803      <value>%{idp.home}/conf/attribute-resolver.xml</value>
    805       }}}
    806       must become:
     804}}}
     805must become:
    807806
    808807{{{
    809808      <value>%{idp.home}/conf/attribute-resolver-v1-LEARN.xml</value>
    810       }}}
    811     * Configure the LDAP Data Connector to be compliant to the values put on `ldap.properties`. (See above suggestions)
    812 
    813     * Restart Tomcat8:
    814       `service tomcat8 restart}}}
     809}}}
     810* Configure the LDAP Data Connector to be compliant to the values put on `ldap.properties`. (See above suggestions)
     811
     812* Restart Tomcat8: `service tomcat8 restart`
    81581331. Enable the SAML2 support by changing the `idp-metadata.xml` and disabling the SAML v1.x deprecated support:
    816814 *
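Review bot: v12 lines 799, 801 and 812 correctly turn the stray `}}}` after the `wget`, `vim` and `service tomcat8 restart` commands into closing backticks, but the `services.xml` edit at lines 803-808 should name where the `<value>%{idp.home}/conf/attribute-resolver.xml</value>` element lives (the `shibboleth.AttributeResolverResources` list in the IdP 3.x `conf/services.xml`) so the reader finds the right line, and the download step should tell the reader to inspect `attribute-resolver-v1-LEARN.xml` before pointing the IdP at it, since that file decides which user attributes the IdP releases. Minor: the step 29 title reads better as "Enrich IdP logs with the authentication errors that occur on LDAP".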