LDAP Configuration for Shibboleth SSO

The IdP supports two TLS connection types:

  • LDAP Over SSL
  • LDAP with STARTTLS

OpenLDAP Installation with STARTTLS

  • Configure the LDAP server by following the blog's steps:
    • Setting the Hostname and FQDN
    • Installing the LDAP Server and GnuTLS Software
    • Create the Certificate Templates
    • Create CA Key and Certificate
    • Create LDAP Service Key and Certificate
    • Give OpenLDAP Access to the LDAP Server Key
    • Configure OpenLDAP to Use the Certificate and Keys
    • Setting up the Client Machines
  • Note: the blog uses the hostname “ldap.example.com”, but the Shibboleth configuration uses “ldap.example.org”, so use “ldap.example.org” throughout.

Flow Execution Exception Resolved

To resolve the “Flow Execution Exception”, open “/opt/shibboleth-idp/conf/ldap.properties” and set the following properties to the values produced while following “OpenLDAP Installation with STARTTLS” (the file uses the idp.authn.LDAP.* key names):

  • idp.authn.LDAP.ldapURL=ldap://ldap.example.org:389
  • Uncomment idp.authn.LDAP.useStartTLS so that it reads idp.authn.LDAP.useStartTLS=true
  • idp.authn.LDAP.trustCertificates=/etc/ssl/certs/ldap_server.pem (the certificate path configured during “OpenLDAP Installation with STARTTLS”)
  • Then restart the Tomcat service with the following command:
    • sudo service tomcat restart
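The three settings above are easier to get right if a script applies them and first checks the StartTLS connection with the same URL and certificate the IdP will be given. The following shell script is an added example, not part of the original post or of the Shibboleth IdP; it assumes the paths and hostname used on this page, and writes the keys under the names the stock ldap.properties uses (idp.authn.LDAP.ldapURL, idp.authn.LDAP.useStartTLS, idp.authn.LDAP.trustCertificates). The helpers set_prop, get_prop, check_starttls and apply are this example's own names.

```shell
#!/bin/sh
# Added example: apply the three ldap.properties changes from the page and prove
# the StartTLS connection works before Tomcat is restarted. Not part of the
# original post or the Shibboleth IdP. set_prop/get_prop are hypothetical helpers.
set -e

PROPS=/opt/shibboleth-idp/conf/ldap.properties     # path from the page
LDAP_URL=ldap://ldap.example.org:389               # hostname from the page
TRUST_CERT=/etc/ssl/certs/ldap_server.pem          # certificate path from the page
BASE_DN=dc=example,dc=org

# set_prop FILE KEY VALUE: leave FILE with exactly one active "KEY = VALUE" line.
# A matching line is replaced whether or not it is commented out (so this also
# performs the "uncomment idp.authn.LDAP.useStartTLS" step); a missing key is appended.
set_prop() {
    file=$1; key=$2; value=$3
    tmp=$(mktemp)
    awk -v k="$key" -v v="$value" '
        {
            line = $0
            sub(/^[ \t]*#*[ \t]*/, "", line)              # drop leading "#" and blanks
            if (index(line, k) == 1 && line ~ ("^" k "[ \t]*=")) {
                if (!done) { print k " = " v; done = 1 }  # first hit: rewrite it
                next                                      # later duplicates: drop
            }
            print
        }
        END { if (!done) print k " = " v }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"      # overwrite in place so owner and mode stay as they were
    rm -f "$tmp"
}

# get_prop FILE KEY: print the active (uncommented) value of KEY, or nothing.
get_prop() {
    awk -v k="$2" '
        /^[ \t]*#/ { next }
        index($0, k) == 1 && $0 ~ ("^" k "[ \t]*=") {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); print v; exit
        }' "$1"
}

# check_starttls: the same connection the IdP will make. -ZZ makes ldapsearch fail
# unless StartTLS is actually negotiated, and LDAPTLS_CACERT pins the certificate
# the IdP is about to trust, so a wrong hostname or cert fails here, not at login.
check_starttls() {
    LDAPTLS_CACERT="$TRUST_CERT" ldapsearch -ZZ -x -H "$LDAP_URL" \
        -b "$BASE_DN" -s base '(objectClass=*)' dn
}

apply() {
    check_starttls || { echo "StartTLS check failed; leaving $PROPS untouched" >&2; return 1; }
    set_prop "$PROPS" idp.authn.LDAP.ldapURL "$LDAP_URL"
    set_prop "$PROPS" idp.authn.LDAP.useStartTLS true
    set_prop "$PROPS" idp.authn.LDAP.trustCertificates "$TRUST_CERT"
    sudo service tomcat restart
}

# Run as: sh idp_ldap_props.sh apply   (with no argument only the functions are defined)
if [ "${1:-}" = "apply" ]; then apply; fi
```

Run it on the IdP host as `sh idp_ldap_props.sh apply`. If the ldapsearch step fails, the cause is the same one that would surface later as the login-time exception (wrong hostname, server not offering StartTLS, or a certificate that does not match ldap_server.pem), and the properties file is left as it was.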

Create Organization Unit in LDAP

To create the ‘people’ organizational unit that the SP configuration already expects, create a “.ldif” file with the following content:

Create Organization Unit information: create_ou.ldif

dn: ou=people,dc=example,dc=org
objectClass: organizationalUnit
ou: people

Run the following command, which loads the “.ldif” file to create the ‘people’ organizational unit on the LDAP server:

Create OU

ldapadd -x -W -D "cn=admin,dc=example,dc=org" -f create_ou.ldif

Create User in LDAP

To create a user on the LDAP server, create a “.ldif” file with the following content; its “dn” attribute carries both the username and the organizational unit.

Create new user information: new_user.ldif

dn: uid=sanjay@mailinator.com,ou=people,dc=example,dc=org
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: Sanjay
sn: Gondaliya
uid: sanjay@mailinator.com
uidNumber: 5000
gidNumber: 5000
homeDirectory: /home/sanjay
loginShell: /bin/sh
gecos: Comments

Run the following command, which loads the “.ldif” file to create the user under the ‘people’ organizational unit on the LDAP server:

Create new user

ldapadd -x -W -D "cn=admin,dc=example,dc=org" -f new_user.ldif

Run the following command to set the password for the user created in the steps above; these credentials are then used to log in to the Shibboleth SP:

Create Password

ldappasswd -s P@ssw0rd -W -D "cn=admin,dc=example,dc=org" -x "uid=sanjay@mailinator.com,ou=people,dc=example,dc=org"
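The OU, user and password steps above, collected into one added example script that is not from the original post. It keeps the page's base DN, admin DN and hostname, binds over StartTLS with the same certificate the IdP trusts, uses ldappasswd -S so the password is prompted for instead of being placed on the command line (where `ps` output and shell history would record it), and finishes with the bind the IdP itself performs when a user logs in. The helper names ou_ldif, user_ldif, user_dn, ensure_ou and provision are this example's own.

```shell
#!/bin/sh
# Added example (not from the original post): create the OU and user the page
# describes, set the password without exposing it on the command line, and
# verify the bind the IdP will perform. Assumes the page's names: base
# dc=example,dc=org, admin cn=admin,dc=example,dc=org, host ldap.example.org.
set -e

BASE='dc=example,dc=org'
ADMIN="cn=admin,$BASE"
URL='ldap://ldap.example.org:389'
CACERT='/etc/ssl/certs/ldap_server.pem'

# ou_ldif NAME: LDIF for an organizationalUnit directly under BASE.
ou_ldif() {
    printf 'dn: ou=%s,%s\nobjectClass: organizationalUnit\nou: %s\n' "$1" "$BASE" "$1"
}

# user_dn UID: the DN that ldappasswd and the IdP's bind will both use.
user_dn() { printf 'uid=%s,ou=people,%s' "$1" "$BASE"; }

# user_ldif UID CN SN UIDNUMBER: LDIF for a posixAccount/inetOrgPerson under
# ou=people, matching the page's entry. uid is what the user types on the IdP
# login form; the home directory is derived from the part before any "@".
user_ldif() {
    uid=$1; cn=$2; sn=$3; num=$4
    cat <<EOF
dn: $(user_dn "$uid")
objectClass: posixAccount
objectClass: shadowAccount
objectClass: inetOrgPerson
cn: $cn
sn: $sn
uid: $uid
uidNumber: $num
gidNumber: $num
homeDirectory: /home/$(printf '%s' "$uid" | cut -d@ -f1)
loginShell: /bin/sh
gecos: $cn $sn
EOF
}

# ldap_add: feed LDIF from stdin to the server as the admin. -ZZ refuses to
# continue unless StartTLS succeeds, so the admin password never crosses in clear.
ldap_add() {
    LDAPTLS_CACERT="$CACERT" ldapadd -ZZ -x -H "$URL" -D "$ADMIN" -W
}

# ensure_ou NAME: add the OU only if it is missing, so re-running is safe
# without hiding real ldapadd errors behind "|| true".
ensure_ou() {
    if LDAPTLS_CACERT="$CACERT" ldapsearch -ZZ -x -H "$URL" -b "ou=$1,$BASE" -s base dn >/dev/null 2>&1; then
        echo "ou=$1 already exists, skipping" >&2
    else
        ou_ldif "$1" | ldap_add
    fi
}

# provision UID CN SN UIDNUMBER: the page's procedure end to end, plus a bind check.
provision() {
    ensure_ou people
    user_ldif "$@" | ldap_add
    # -S prompts for the new password (twice) instead of taking it from argv.
    LDAPTLS_CACERT="$CACERT" ldappasswd -ZZ -x -H "$URL" -D "$ADMIN" -W -S "$(user_dn "$1")"
    # The IdP authenticates users by binding as their DN; prove that works now.
    LDAPTLS_CACERT="$CACERT" ldapwhoami -ZZ -x -H "$URL" -D "$(user_dn "$1")" -W
}

# Run as: sh ldap_provision.sh provision sanjay@mailinator.com Sanjay Gondaliya 5000
if [ "${1:-}" = "provision" ]; then
    shift
    provision "$@"
fi
```

Run it as `sh ldap_provision.sh provision sanjay@mailinator.com Sanjay Gondaliya 5000`; it prompts for the admin password at each bind, then for the new user password, then for that password once more at the ldapwhoami step. That last step succeeding means the IdP's default user lookup, which searches on uid and then binds as the returned DN, will succeed for the same credentials.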

Shibboleth SSO Login

Use the credentials created in the step above to log in to the Shibboleth SP, as shown in the video:

Sanjay Gondaliya
Technical Director

My research interests include automation in penetration testing.