
List:       shibboleth-users
Subject:    Re: Shibboleth with Active Directory rejects all user names
From:       Tim Williams <tmw () autotrain ! org>
Date:       2016-10-31 14:35:58
Message-ID: 5a6ec6f9-d4c5-623d-bf3f-10268fd9dd8a () autotrain ! org

On 31/10/16 14:21, Cantor, Scott wrote:
> > I've now copied the default ldap-authn-config.xml and
> > password-authn-config.xml back into the config directory and this has
> > fixed the java exception. I don't think I've edited any other files
> > except for ldap.properties.
> 
> Most of the time editing the properties is more than enough to get a basic login
> working before worrying about pooling and all the other fancy features.

> > I'm now getting "The password you entered was incorrect." for all login
> > attempts, regardless of whether the username exists or not.
> 
> I don't think it comes out of the box with all the AD errors mapped, but if it says
> the password's incorrect, then the code AD is sending back matches one of the codes
> defined in the classified errors map for that error condition, it's that simple. If
> it wasn't, it would dump it out as an unclassified error on the page. I don't know
> enough about AD or LDAP to know how it's possible to get that result if the entry
> isn't found. I think you're making life harder by using DEBUG, it's too noisy. It
> will tell you why it failed regardless. Use DEBUG if you need DEBUG, not just for
> the fun of it.

I've set the log back to INFO now.

I think I just found the final error in the config, I had part of the
domain name missing from the idp.authn.LDAP.dnFormat property. I can now
log in. Phew!

Thanks for your help, it's much appreciated.

Tim W

-- 
Tim Williams BSc MSc MBCS
AutoTrain
58 Jacoby Place
Priory Road
Edgbaston
Birmingham
B5 7UW
United Kingdom

Web : http://www.autotrain.org, http://www.utrain.info
Tel : +44 (0)844 487 4117

AutoTrain is a trading name of EuroMotor-AutoTrain LLP
Registered in the United Kingdom, number: OC317070.