List: shibboleth-users
Subject: Getting Errors with LDAP Data Connector
From: Christopher Bland via users <users () shibboleth ! net>
Date: 2024-02-28 19:48:36
Message-ID: BLAPR07MB83389B71FD2CC163B6A7C6BEB4582 () BLAPR07MB8338 ! namprd07 ! prod ! outlook ! com
Hi All,

I am building a new v5 IDP from scratch. When I add a Data Connector for our AD servers I keep getting errors. My Data Connector looks like this:
<DataConnector id="fduLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
</DataConnector>
I am getting "Error creating bean with name 'fduLDAP': Cannot create inner bean '(inner bean)#1afea182'". Our DCs have an InCommon signed cert, so I am trying to make use of the OS CA store.
2024-02-28 14:39:43,251 - - ERROR [net.shibboleth.shared.service.AbstractReloadableService:179] - Service 'shibboleth.AttributeResolverService': Initial load failed
net.shibboleth.shared.service.ServiceException: Failed to load [file [/opt/shibboleth-idp/conf/attribute-resolver.xml], class path resource [net/shibboleth/idp/conf/attribute-resolver-system.xml]]
    at net.shibboleth.shared.spring.service.ReloadableSpringService.doReload(ReloadableSpringService.java:385)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'fduLDAP': Cannot create inner bean '(inner bean)#1afea182' of type [org.ldaptive.PooledConnectionFactory] while setting bean property 'connectionFactory'
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#1afea182': Cannot create inner bean '(inner bean)#7e3ccedb' of type [org.ldaptive.ConnectionConfig] while setting bean property 'connectionConfig'
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#7e3ccedb': Cannot create inner bean '(inner bean)#20e1ce62' of type [org.ldaptive.ssl.SslConfig] while setting bean property 'sslConfig'
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#20e1ce62': Cannot create inner bean '(inner bean)#329cdafa' of type [net.shibboleth.idp.attribute.resolver.spring.dc.ldap.impl.CredentialConfigFactoryBean] while setting bean property 'credentialConfig'
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#329cdafa': Cannot create inner bean '(inner bean)#1f953e51' of type [org.opensaml.spring.credential.BasicX509CredentialFactoryBean] while setting bean property 'trustCredential'
    at org.springframework.beans.factory.support.BeanDefinitionValueResolver.resolveInnerBeanValue(BeanDefinitionValueResolver.java:421)
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name '(inner bean)#1f953e51': IO error
    at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.initializeBean(AbstractAutowireCapableBeanFactory.java:1770)
Caused by: org.cryptacular.StreamException: IO error
    at org.cryptacular.util.CertUtil.readCertificateChain(CertUtil.java:328)
Caused by: java.io.IOException: extra data at the end
    at java.base/sun.security.util.DerValue.<init>(DerValue.java:428)
My ldap.properties looks like this:
idp.authn.LDAP.authenticator = adAuthenticator
idp.authn.LDAP.ldapURL = ldaps://adserver1.fdu.edu:3269
idp.authn.LDAP.useStartTLS = false
idp.authn.LDAP.connectionStrategy = ACTIVE_PASSIVE
idp.authn.LDAP.sslConfig = certificateTrust
idp.authn.LDAP.trustCertificates = /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt
idp.authn.LDAP.returnAttributes = *
idp.authn.LDAP.baseDN = dc=fdu,dc=edu
idp.authn.LDAP.subtreeSearch = true
idp.attribute.resolver.LDAP.searchFilter = (uid=$resolutionContext.principal)
idp.authn.LDAP.bindDN = service_account_DN
idp.authn.LDAP.dnFormat = undefined
idp.attribute.resolver.LDAP.exportAttributes = sAMAccountName userPrincipalName givenName sn
idp.pool.LDAP.minSize = 3
idp.pool.LDAP.maxSize = 10
idp.pool.LDAP.validateOnCheckout = false
idp.pool.LDAP.validatePeriodically = true
idp.pool.LDAP.validatePeriod = PT5M
idp.pool.LDAP.validateDN =
idp.pool.LDAP.validateFilter = (objectClass=*)
idp.pool.LDAP.prunePeriod = PT5M
idp.pool.LDAP.idleTime = PT10M
idp.pool.LDAP.blockWaitTime = PT3S
-Chris
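A pre-deployment check for a trustFile, added here as an example and not code from this thread or from the Shibboleth project: it reads each PEM block in a bundle and reports whether the DER payload is exactly one SEQUENCE, because OpenSSL trust bundles (BEGIN TRUSTED CERTIFICATE blocks) store trust settings after each certificate's DER, which a strict DER reader reports as "extra data at the end". The sample bundle is constructed in the script; the minimal SEQUENCE standing in for a certificate is an assumption for the demo, not a real certificate.

```python
import base64
import re

# Matches one PEM block and captures its label, so OpenSSL's TRUSTED
# CERTIFICATE blocks can be told apart from plain CERTIFICATE blocks.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def der_tlv_length(der: bytes) -> int:
    """Total size (tag + length bytes + content) of the first DER TLV in der."""
    if len(der) < 2:
        raise ValueError("too short for a DER TLV")
    first = der[1]
    if first < 0x80:                      # short form: one length byte
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("unsupported or truncated DER length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def inspect_bundle(pem_text: str) -> list:
    """One dict per PEM block: label, payload size, and how many bytes are
    left after the first SEQUENCE. A strict DER reader rejects any block
    where that count is above zero ("extra data at the end")."""
    report = []
    for m in PEM_BLOCK_RE.finditer(pem_text):
        label = m.group(1)
        der = base64.b64decode(re.sub(r"\s+", "", m.group(2)))
        if not der or der[0] != 0x30:     # a certificate is always a SEQUENCE
            report.append({"label": label, "size": len(der), "trailing": None, "ok": False})
            continue
        trailing = len(der) - der_tlv_length(der)
        report.append({"label": label, "size": len(der), "trailing": trailing,
                       "ok": label == "CERTIFICATE" and trailing == 0})
    return report


def _pem(label: str, der: bytes) -> str:
    body = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{body}-----END {label}-----\n"

# Constructed sample (not a real CA bundle): a 4-byte SEQUENCE stands in for a
# certificate; the second block appends two bytes after it, the way trust
# settings follow each certificate in an OpenSSL trust bundle.
SAMPLE_BUNDLE = (_pem("CERTIFICATE", bytes([0x30, 0x02, 0x05, 0x00]))
                 + _pem("TRUSTED CERTIFICATE", bytes([0x30, 0x02, 0x05, 0x00, 0x30, 0x00])))

if __name__ == "__main__":
    for entry in inspect_bundle(SAMPLE_BUNDLE):
        print(entry)
```

Run it against the real file by replacing SAMPLE_BUNDLE with the bundle's contents; any block whose label is not CERTIFICATE or whose trailing count is non-zero is one a DER-strict loader will refuse.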
--
For Consortium Member technical support, see https://shibboleth.atlassian.net/wiki/x/ZYEpPw
To unsubscribe from this list send an email to users-unsubscribe@shibboleth.net