Discussion:
Usage of LDAPPROPERTY in attribute-resolver.xml
Farzan Qureshi
2014-08-14 21:34:35 UTC
Hi all,

I am trying to configure Shibboleth as an IdP for MS Office 365. I am
following instructions from the link
http://technet.microsoft.com/en-us/library/jj205463.aspx#BKMK_1

It says that to convert the AD records to binary when they are fetched by
Shibboleth, we have to add an LDAPPROPERTY. For example:

<!-- Example LDAP Connector -->

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldap://ldap.myorg.com"
baseDN="ou=Users,dc=myorg,dc=com"
principal="CN=ServiceUser,OU=Users,DC=myorg,DC=com"
principalCredential="t3st3tye">
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>

<LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>

</resolver:DataConnector>


I have made all the required changes and have skipped this LDAPPROPERTY
because it gives me an error, which I will address shortly. Everything is
working alright; however, I am still waiting for Microsoft to update our
federation settings so that I can try to log in with the Shibboleth IdP. The
problem is that on the website it is mentioned that we must use
<LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>

or else authentication will fail because the format of objectGUID will not
be binary.

When I add the above configuration in attribute-resolver.xml and restart
the Tomcat service I get the following errors. However, when I remove
<LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
there are no errors and everything starts to work. I wonder if the syntax of
<LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
is correct, or maybe it is based on old Shibboleth versions. We are running
Shibboleth IdP 2.4.0.

Any ideas?

Following are the errors:



15-Aug-2014 09:23:52.298 INFO [localhost-startStop-1] org.apache.catalina.core.ApplicationContext.log Initializing Spring root WebApplicationContext
15-Aug-2014 09:23:57.911 SEVERE [localhost-startStop-1] org.apache.catalina.core.StandardContext.listenerStart Exception sending context initialized event to listener instance of class org.springframework.web.context.ContextLoaderListener
org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'shibboleth.AttributeResolver': Invocation of init method failed; nested exception is edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
Caused by: edu.internet2.middleware.shibboleth.common.service.ServiceException: Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.
Caused by: org.xml.sax.SAXParseException; lineNumber: 345; columnNumber: 78; cvc-complex-type.2.4.a: Invalid content was found starting with element 'LDAPProperty'. One of
'{"urn:mace:shibboleth:2.0:resolver:dc":ReturnAttributes,
"urn:mace:shibboleth:2.0:resolver:dc":LDAPProperty,
"urn:mace:shibboleth:2.0:resolver:dc":StartTLSTrustCredential,
"urn:mace:shibboleth:2.0:resolver:dc":StartTLSAuthenticationCredential,
"urn:mace:shibboleth:2.0:resolver:dc":ConnectionPool,
"urn:mace:shibboleth:2.0:resolver:dc":ResultCache}' is expected.
--
*Farzan Qureshi* | Network Administrator & Help-desk Support | Rosmini
College | (09) 487 0 530
--
This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.
If you have received this email in error please notify the system manager (
admin-***@public.gmane.org). Please note that any views or opinions presented
in this email are solely those of the author and do not necessarily
represent those of the company. Finally, the recipient should check this
email and any attachments for the presence of viruses. Rosmini College
accepts no liability for any damage caused by any virus transmitted by this
email.
Cantor, Scott
2014-08-14 21:41:53 UTC
Post by Farzan Qureshi
It says that to convert the AD records to binary when they are fetched by
If that's their example, it's wrong.
Post by Farzan Qureshi
<LDAPProperty name="java.naming.ldap.attributes.binary"
value="objectGUID"/>
Unless the default namespace is set to the data connector namespace, you
need a dc: prefix on the element.
Post by Farzan Qureshi
When I add the above configuration in attribute-resolver.xml and restart
tomcat services I get following errors.
Read the error. It's telling you the mistake.
Post by Farzan Qureshi
78; cvc-complex-type.2.4.a: Invalid content was found starting with
element 'LDAPProperty'. One of
'{"urn:mace:shibboleth:2.0:resolver:dc":ReturnAttributes,
"urn:mace:shibboleth:2.0:resolver:dc":LDAPProperty,
"urn:mace:shibboleth:2.0:resolver:dc":StartTLSTrustCredential,
"urn:mace:shibboleth:2.0:resolver:dc":StartTLSAuthenticationCredential,
"urn:mace:shibboleth:2.0:resolver:dc":ConnectionPool,
"urn:mace:shibboleth:2.0:resolver:dc":ResultCache}' is expected.
See the namespace in front of the LDAPProperty element in the expected
content list?

See how the "starting with" line doesn't have that?

-- Scott
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
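The namespace point Scott makes can be checked mechanically before restarting Tomcat. The script below is an added example, not code from the thread or from the Shibboleth project: it walks a resolver file and flags any child of a DataConnector that is not in the dc namespace, which is exactly what the Xerces schema error above is complaining about. The sample XML, hostnames and DNs are constructed placeholders.

```python
# Added example (not from the thread or the Shibboleth project): a small lint
# that reproduces the logic behind the schema error above. Every child of a
# resolver:DataConnector must be in the dc namespace; an unprefixed
# <LDAPProperty> is in no namespace at all, which is what Xerces rejected.
import xml.etree.ElementTree as ET

RESOLVER_NS = "urn:mace:shibboleth:2.0:resolver"
DC_NS = "urn:mace:shibboleth:2.0:resolver:dc"

# Constructed sample: the connector as posted (bare LDAPProperty) next to the
# corrected one (dc:LDAPProperty). Hostnames and DNs are placeholders.
SAMPLE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:DataConnector id="brokenLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.org" baseDN="ou=Users,dc=example,dc=org">
    <dc:FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></dc:FilterTemplate>
    <LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
  </resolver:DataConnector>
  <resolver:DataConnector id="fixedLDAP" xsi:type="dc:LDAPDirectory"
      ldapURL="ldap://ldap.example.org" baseDN="ou=Users,dc=example,dc=org">
    <dc:FilterTemplate><![CDATA[(uid=$requestContext.principalName)]]></dc:FilterTemplate>
    <dc:LDAPProperty name="java.naming.ldap.attributes.binary" value="objectGUID"/>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""


def split_qname(tag):
    """ElementTree stores tags as '{namespace}local'; return (namespace, local)."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag  # no namespace: exactly the mistake in the thread


def find_misplaced_children(xml_text):
    """Return [(connector id, element name)] for DataConnector children outside the dc namespace."""
    problems = []
    for conn in ET.fromstring(xml_text).iter("{%s}DataConnector" % RESOLVER_NS):
        for child in conn:
            ns, local = split_qname(child.tag)
            if ns != DC_NS:
                problems.append((conn.get("id"), local))
    return problems


if __name__ == "__main__":
    for conn_id, name in find_misplaced_children(SAMPLE):
        print("DataConnector %r: <%s> is not in %s; write <dc:%s>" % (conn_id, name, DC_NS, name))
```

Running it against a real attribute-resolver.xml (read the file instead of SAMPLE) reports the unprefixed element and its connector id, so the fix can be applied before the IdP refuses to start.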
Farzan Qureshi
2014-08-14 21:53:38 UTC
Hi Scott,

You are the man! Thanks a lot.

I have now added it as below and there are no errors now:

<!-- Example LDAP Connector -->

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
ldapURL="ldap://ldap.myorg.com"
baseDN="ou=Users,dc=myorg,dc=com"
principal="CN=ServiceUser,OU=Users,DC=myorg,DC=com"
principalCredential="t3st3tye">
<dc:FilterTemplate>
<![CDATA[
(uid=$requestContext.principalName)
]]>
</dc:FilterTemplate>

<dc:LDAPProperty name="java.naming.ldap.attributes.binary"
value="objectGUID"/>

</resolver:DataConnector>



Microsoft documentation is full of errors and syntax errors, I tell you :-)

Thanks for guiding me.

Kind regards,

Farzan