URL: http://www.switch.ch/aai/docs/shibboleth/SWITCH/1.1/origin/install-origin-1.1-debian.html Authors: Patrik Schnellmann (Version > 1.0), Fabio Poroli (Version 1.0) - SWITCH $Date: 2005/07/11 08:48:31 $ $Revision: 1.1.1.1 $
This guide describes the Debian-specific installation and configuration for the SWITCHaai Federation. It complements the original Shibboleth 1.1 Origin Deployment Guide from Internet2. Please make sure you are familiar with the original documentation before following this document.
References to the original guide are marked as (see ORIG-chapter#).
Note: For general information about the deployment of Shibboleth within the SWITCHaai Federation, please consult the Deployment section of our website.
Note: If you want to join the AAI-Test Federation instead of the productive SWITCHaai Federation, please consult the AAI-Test Reconfiguration guide for information on how to reconfigure your Shibboleth origin.
In order to deploy Shibboleth 1.1 Origin on Debian stable, some additional system configuration has to be done. The following APT options are used:
APT::Default-Release "woody";
APT::Cache-Limit "8388608";
Debian 3.0 (woody) should be updated and the latest security patches installed (in particular for SSL support). A recommended APT configuration file /etc/apt/sources.list could contain the following entries:
# /etc/apt/sources.list: package resource list for APT
#
# Standard package sources for woody
#
deb http://mirror.switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb http://mirror.switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib
#
# Standard source package sources for woody
#
deb-src http://mirror.switch.ch/ftp/mirror/debian/ woody main non-free contrib
deb-src http://mirror.switch.ch/ftp/mirror/debian-non-US/ woody/non-US main non-free contrib
#
# Security patches and updates
#
deb ftp://mirror.switch.ch/mirror/debian-security woody/updates main contrib non-free
deb http://security.debian.org/ woody/updates main contrib non-free
The installation of Apache is not always required, as Tomcat can perform authentication and SSL encryption by itself. There are also SSO systems that can be used with Tomcat alone. See the following guidelines for a Tomcat-only installation using the SSO system CAS of Yale University.
Java: install the Java 2 SDK 1.4 with the apt tools. Add to /etc/apt/sources.list the entry
deb http://share.runtime-collective.com/~berkan/debian woody misc
and install the package:
# apt-get install j2sdk1.4
(Note that this is an unofficial package source; its packages are installed with root privileges, so make sure you trust it.) Set up the Java environment (for example $JAVA_HOME, which is used below); this can be done in /etc/profile for instance.
Tomcat: /opt is the right place to install it.
# cd /opt
# wget http://mirror.switch.ch/ftp/mirror/apache/dist/jakarta/tomcat-4/v4.1.29/bin/jakarta-tomcat-4.1.29-LE-jdk14.tar.gz
# tar xzvf jakarta-tomcat-4.1.29-LE-jdk14.tar.gz
# ln -s ./jakarta-tomcat-4.1.29-LE-jdk14 ./tomcat
After this basic installation we need to copy the libraries (xalan, dom3-xml-apis, dom3-xercesImpl) that came with the Shibboleth tarball so that they are endorsed in the Java application server:
# cd /opt
# wget http://www.switch.ch/aai/docs/shibboleth/internet2/1.1/shibboleth-origin-1.1.tar.gz
# tar xzvf shibboleth-origin-1.1.tar.gz
# cd /opt/shibboleth-origin-1.1
# cp webApplication/WEB-INF/lib/xalan-2.4.1.jar ./endorsed/
# cp -p endorsed/* /opt/tomcat/common/endorsed/
src/conf/origin.properties, the most important configuration file for Shibboleth, is overwritten. In order to avoid overwriting these critical files you have two possibilities:
Keep the configuration files in /etc/opt/tomcat/shibboleth-origin-1.1 (following the Filesystem Hierarchy Standard, which uses /etc/opt for storing configuration files). Edit /opt/shibboleth-origin-1.1/webAppConfig/origin.xml (this file will be translated to WEB-INF/web.xml during the build process) as follows:
<!-- ... -->
<servlet>
  <servlet-name>Logging Service</servlet-name>
  <servlet-class>edu.internet2.middleware.shibboleth.log.LogServ</servlet-class>
  <init-param>
    <param-name>log4jConfigFileLocation</param-name>
    <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/log4j.properties</param-value>
  </init-param>
  <load-on-startup>1</load-on-startup>
</servlet>
<servlet>
  <servlet-name>HS</servlet-name>
  <display-name>Shibboleth Handle Service</display-name>
  <servlet-class>edu.internet2.middleware.shibboleth.hs.HandleServlet</servlet-class>
  <init-param>
    <param-name>OriginPropertiesFile</param-name>
    <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/origin.properties</param-value>
  </init-param>
</servlet>
<servlet>
  <servlet-name>AA</servlet-name>
  <display-name>Shibboleth Attribute Authority</display-name>
  <servlet-class>edu.internet2.middleware.shibboleth.aa.AAServlet</servlet-class>
  <init-param>
    <param-name>OriginPropertiesFile</param-name>
    <param-value>file:///etc/opt/tomcat/shibboleth-origin-1.1/origin.properties</param-value>
  </init-param>
</servlet>
<!-- ... -->
Move the configuration files to /etc/opt/tomcat/shibboleth-origin-1.1:
# mkdir /etc/opt/tomcat/shibboleth-origin-1.1
# mv /opt/shibboleth-origin-1.1/src/conf/* /etc/opt/tomcat/shibboleth-origin-1.1/
# rmdir /opt/shibboleth-origin-1.1/src/conf
...
<target name="compile" depends="init">
  <javac srcdir="${src}" destdir="${build}" includes="**/*.java" debug="on">
    <classpath refid="build.path" />
  </javac>
  <copy todir="${build}/schemas">
    <fileset dir="${src}/schemas"/>
  </copy>
</target>
...
# cd /opt/shibboleth-origin-1.1
# ./ant build-util
# ./ant dist-origin
# cp -p dist/shibboleth.war /opt/tomcat/webapps/
$ openssl genrsa -des3 -out SYSTEMNAME.enckey 1024
$ openssl rsa -in SYSTEMNAME.enckey -out SYSTEMNAME.enckey
$ openssl req -new -key SYSTEMNAME.enckey
(The second command removes the passphrase again, so SYSTEMNAME.enckey ends up as an unencrypted private key; make sure it is readable by root only.)
Put SYSTEMNAME.enckey in /etc/apache/ssl.key and the received signed server certificate SYSTEMNAME.cer in /etc/apache/ssl.crt:
$ mv SYSTEMNAME.enckey /etc/apache/ssl.key
$ mv SYSTEMNAME.cer /etc/apache/ssl.crt
Point SSLCertificateKeyFile and SSLCertificateFile in the Apache configuration file /etc/apache/httpd.conf to the files above.
Add ROOT_CERTIFICATE.cer to the bundle of known server certificates in /etc/apache/ssl.crt/ca-bundle.crt if it is not already there:
$ cat ROOT_CERTIFICATE.cer >> /etc/apache/ssl.crt/ca-bundle.crt
The certificate and the keys used for Shibboleth/Tomcat can be shared with Apache. In order to achieve this we need to duplicate the keys generated for Apache into a Java Keystore.
Start with an empty Java keystore:
Create a new keystore using the command (use your own keystore password STOREPASS):
$ keytool -genkey -v -alias aaaa -keystore keystore.jks -storepass STOREPASS
and then remove the alias "aaaa" from the keystore:
$ keytool -delete -alias aaaa -keystore keystore.jks
Replace SYSTEMNAME with your host's FQDN (fully qualified domain name).
$ openssl pkcs8 -in SYSTEMNAME.enckey -topk8 -nocrypt -outform DER -out /tmp/SYSTEMNAME.der.pkcs8
$ cd /etc/opt/tomcat/shibboleth-origin-1.1
$ export SHIB_HOME=/opt/shibboleth-origin-1.1
$ cat SYSTEMNAME.cer ROOT_CERTIFICATE.cer > /tmp/cert.bundle
$ /opt/shibboleth-origin-1.1/bin/extkeytool -importkey \
    -keystore keystore.jks -storepass STOREPASS -alias SYSTEMNAME \
    -keyfile /tmp/SYSTEMNAME.der.pkcs8 -keypass KEYPASS \
    -certfile /tmp/cert.bundle \
    -provider org.bouncycastle.jce.provider.BouncyCastleProvider
Import the certificate (converted to DER) into the $JAVA_HOME/jre/lib/security/cacerts file:
$ openssl x509 -in SYSTEMNAME.cer -out SYSTEMNAME.cer.der -outform DER
$ keytool -import -trustcacerts -alias xxxx -file SYSTEMNAME.cer.der -keystore $JAVA_HOME/jre/lib/security/cacerts
For xxxx you would typically use a short name for the Certification Authority such as switchserverca.
Finally, remove the temporary unencrypted key file /tmp/SYSTEMNAME.der.pkcs8.
Tomcat configuration (server.xml):
<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
               minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"
               address="127.0.0.1" tomcatAuthentication="false"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0">
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt" timestamp="true"/>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" prefix="localhost_access_log." suffix=".txt"
               pattern="common" resolveHosts="false"/>
        <Logger className="org.apache.catalina.logger.FileLogger"
                directory="logs" prefix="localhost_log." suffix=".txt"
                timestamp="true"/>
      </Host>
    </Engine>
  </Service>
</Server>
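The AJP connector above is bound to 127.0.0.1 and sets tomcatAuthentication="false": Tomcat accepts the REMOTE_USER that Apache sends over AJP without re-authenticating it, and the Handle Service uses that name as the user name (HandleServlet.username=REMOTE_USER in origin.properties, A5). Anything that can open a connection to port 8009 can therefore present any user name, so the loopback binding is what keeps this safe. The following Python script is an added example, not part of this guide or of Tomcat: it parses a server.xml and reports AJP connectors that trust REMOTE_USER but are not bound to a loopback address. Both embedded server.xml fragments are constructed; the first copies the connector settings above, the second omits the address attribute.

```python
"""Report AJP connectors in a Tomcat 4 server.xml that trust the REMOTE_USER
sent by the web server (tomcatAuthentication="false") but are not bound to
a loopback address. Added example, not part of this guide or of Tomcat."""
import xml.etree.ElementTree as ET

# Constructed sample: the AJP connector settings from the server.xml above.
SAFE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
               minProcessors="5" maxProcessors="75" acceptCount="10" debug="0"
               address="127.0.0.1" tomcatAuthentication="false"/>
    <Engine name="Standalone" defaultHost="localhost" debug="0"/>
  </Service>
</Server>"""

# Constructed sample: the same connector without the address attribute, which
# makes Tomcat listen on all interfaces.
EXPOSED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN" debug="0">
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.ajp.tomcat4.Ajp13Connector" port="8009"
               tomcatAuthentication="false"/>
  </Service>
</Server>"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "localhost", "::1"}


def ajp_connector_findings(server_xml):
    """Return one finding string per AJP connector that accepts REMOTE_USER
    from the web server without being bound to a loopback address."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if "Ajp" not in conn.get("className", ""):
            continue  # only AJP connectors carry the REMOTE_USER set by mod_jk
        # An absent tomcatAuthentication attribute is treated as "true"
        # (Tomcat's default), in which case Tomcat authenticates users itself.
        trusts_remote_user = conn.get("tomcatAuthentication", "true").lower() == "false"
        address = conn.get("address")  # absent = all interfaces
        if trusts_remote_user and address not in LOOPBACK_ADDRESSES:
            findings.append(
                "AJP connector on port %s listens on %s and accepts any "
                "REMOTE_USER sent over AJP; bind it to 127.0.0.1 or firewall the port"
                % (conn.get("port", "?"), address or "all interfaces"))
    return findings


if __name__ == "__main__":
    for label, doc in (("page config", SAFE_SERVER_XML), ("no address", EXPOSED_SERVER_XML)):
        print(label, "->", ajp_connector_findings(doc) or "OK")
```

Run it against /opt/tomcat/conf/server.xml after every change to the connector section; the check only covers the binding address, so a host firewall rule for port 8009 remains a sensible second line of defence.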
Attribute Release Policy (ARP):
<?xml version="1.0" encoding="UTF-8"?>
<AttributeReleasePolicy xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:arp:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd">
  <Description>Example release policy permitting mandatory attributes.</Description>
  <Rule>
    <Target>
      <AnyTarget/>
    </Target>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:sn">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:givenName">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:preferredLanguage">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:mail">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:homePostalAddress">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:postalAddress">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:homePhone">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:telephoneNumber">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:mobile">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgDN">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonEntitlement">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>
A3. File /etc/tomcat/jk/workers.properties (no changes) (see ORIG-3.b.6)
workers.tomcat_home=/usr/share/tomcat
ps=/
worker.list=ajp12, ajp13
worker.ajp12.port=8007
worker.ajp12.host=localhost
worker.ajp12.type=ajp12
worker.ajp12.lbfactor=1
worker.ajp13.port=8009
worker.ajp13.host=localhost
worker.ajp13.type=ajp13
worker.ajp13.lbfactor=1
worker.loadbalancer.type=lb
worker.loadbalancer.balanced_workers=ajp12, ajp13
worker.inprocess.class_path=$(workers.tomcat_home)$(ps)lib$(ps)tomcat.jar
worker.inprocess.cmd_line=start
worker.inprocess.stdout=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stdout
worker.inprocess.stderr=$(workers.tomcat_home)$(ps)logs$(ps)inprocess.stderr
A4. /etc/apache/httpd.conf (see ORIG-3.b.6, ORIG-3.b.8, ORIG-4.c)
mod_ssl configuration
Global configuration
LoadModule ssl_module /usr/lib/apache/1.3/mod_ssl.so
# The whole SSL configuration in this context
# the main server and all SSL-enabled virtual hosts.
# We surround the directives with <IfModule> .. </IfModule>, so that Apache
# will keep a valid configuration even if mod_ssl is ever removed.
<IfModule mod_ssl.c>
# These will make apache listen to port 443 in addition to the
# standard port 80. HTTPS requests use port 443.
Listen 80
Listen 443
# Some MIME-types for downloading Certificates and CRLs
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
# Pass Phrase Dialog:
# Configure the pass phrase gathering process.
# The filtering dialog program (`builtin' is a internal
# terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog builtin
# Inter-Process Session Cache:
# Configure the SSL Session Cache: First either `none'
# or `dbm:/path/to/file' for the mechanism to use and
# second the expiring timeout (in seconds).
#SSLSessionCache none
SSLSessionCache dbm:/var/run/mod_ssl_scache
SSLSessionCacheTimeout 300
# Semaphore:
# Configure the path to the mutual exclusion semaphore the
# SSL engine uses internally for inter-process synchronization.
SSLMutex file:/var/run/mod_ssl_mutex
# Pseudo Random Number Generator (PRNG):
# Configure one or more sources to seed the PRNG of the
# SSL library. The seed data should be of good random quality.
# WARNING! On some platforms /dev/random blocks if not enough entropy
# is available. This means you then cannot use the /dev/random device
# because it would lead to very long connection times (as long as
# it requires to make more entropy available). But usually those
# platforms additionally provide a /dev/urandom device which doesn't
# block. So, if available, use this one instead. Read the mod_ssl User
# Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random 512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random 512
#SSLRandomSeed connect file:/dev/urandom 512
# Logging:
# The home of the dedicated SSL protocol logfile. Errors are
# additionally duplicated in the general error log file. Put
# this somewhere where it cannot be used for symlink attacks on
# a real server (i.e. somewhere where only root can write).
# Log levels are (ascending order: higher ones include lower ones):
# none, error, warn, info, trace, debug.
SSLLog /var/log/apache/ssl_engine.log
SSLLogLevel info
</IfModule>
Virtual Host configuration
<IfModule mod_ssl.c>
<VirtualHost _default_:443>
# SSL Engine Switch:
# Enable/Disable SSL for this virtual host.
SSLEngine On
# SSL Cipher Suite:
# List the ciphers that the client is permitted to negotiate.
# See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
# Server Certificate:
# Point SSLCertificateFile at a PEM encoded certificate. If
# the certificate is encrypted, then you will be prompted for a
# pass phrase. Note that a kill -HUP will prompt again. A test
# certificate can be generated with `make certificate' under
# built time. Keep in mind that if you've both a RSA and a DSA
# certificate you can configure both in parallel (to also allow
# the use of DSA ciphers, etc.)
SSLCertificateFile /etc/apache/ssl.crt/HOST.DOMAIN.CH.crt
# Server Private Key:
# If the key is not combined with the certificate, use this
# directive to point at the key file. Keep in mind that if
# you've both a RSA and a DSA private key you can configure
# both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /etc/apache/ssl.key/HOST.DOMAIN.CH.key
# Server Certificate Chain:
# Point SSLCertificateChainFile at a file containing the
# concatenation of PEM encoded CA certificates which form the
# certificate chain for the server certificate. Alternatively
# the referenced file can be the same as SSLCertificateFile
# when the CA certificates are directly appended to the server
# certificate for convenience.
SSLCertificateChainFile /etc/apache/ssl.crt/CAKEYCHAIN.crt
# Certificate Authority (CA):
# Set the CA certificate verification path where to find CA
# certificates for client authentication or alternatively one
# huge file containing all of them (file must be PEM encoded)
# Note: Inside SSLCACertificatePath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /etc/apache/ssl.crt
SSLCACertificateFile /etc/apache/ssl.crt/ca-bundle.crt
# Certificate Revocation Lists (CRL):
# Set the CA revocation path where to find CA CRLs for client
# authentication or alternatively one huge file containing all
# of them (file must be PEM encoded)
# Note: Inside SSLCARevocationPath you need hash symlinks
# to point to the certificate files. Use the provided
# Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /etc/apache/ssl.crl
#SSLCARevocationFile /etc/apache/ssl.crl/ca-bundle.crl
# Client Authentication (Type):
# Client certificate verification type and depth. Types are
# none, optional, require and optional_no_ca. Depth is a
# number which specifies how deeply to verify the certificate
# issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
SSLVerifyDepth 10
# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't
# wait for the close notify alert from client. When you need a
# different shutdown approach you can use one of the following
# variables:
# ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed,
# i.e. no SSL close notify alert is send or allowed to received.
# This violates the SSL/TLS standard but is needed for some
# brain-dead browsers. Use this when you receive I/O errors
# because of the standard approach where mod_ssl sends the close
# notify alert.
# ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed,
# i.e. a SSL close notify alert is send and mod_ssl waits for the
# close notify alert of the client. This is 100% SSL/TLS standard
# compliant, but in practice often causes hanging connections with
# brain-dead browsers. Use this only for browsers where you know
# that their SSL implementation works correctly.
#
# NOTICE: Most problems of broken clients are also related to the
# HTTP keep-alive facility, so you usually additionally want to
# disable keep-alive for those clients, too. Use variable
# "nokeepalive" for this.
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
</VirtualHost>
</IfModule>
Note: the SSLCipherSuite line above is the mod_ssl example default and still admits export-grade, LOW, SSLv2 and even eNULL (unencrypted) cipher suites; on a production server restrict it to strong ciphers only.
mod_jk configuration
The following directives, for instance, configure basic authentication against an LDAP server. There are, however, other authentication methods like Pubcookie or other SSO systems (CAS) as described above.
LoadModule jk_module /usr/lib/apache/1.3/mod_jk.so
LoadModule auth_ldap_module /usr/lib/apache/1.3/auth_ldap.so
<Location /shibboleth/AA>
SSLOptions +StdEnvVars +ExportCertData
</Location>
<Location /shibboleth/HS>
AuthType Basic
AuthName "HS"
AuthLDAPURL ldap://ldap-server.domain.ch:389/o=domain,c=CH?uid?sub?(objectClass=*)
require valid-user
</Location>
<IfModule mod_jk.c>
JkWorkersFile /etc/tomcat/jk/workers.properties
JkLogFile "/var/log/apache/mod_jk.log"
JkLogLevel debug
JkMount /shibboleth/* ajp13
</IfModule>
Note: with a plain ldap:// URL the user's password is sent to the directory server in the clear; this is only acceptable if the connection between Apache and the LDAP server is protected by other means (TLS, or a local or private network).
A5. /etc/opt/tomcat/shibboleth/origin.properties (see ORIG-4.a, ORIG-5.a)
Remember to replace $STOREPASS and $KEYPASS with your own passwords. As this file then contains the keystore passwords in clear text, it must be readable only by the user Tomcat runs as.
edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer=origin-server.domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName=urn:mace:switch.ch:SWITCHaai:pilot:domain.ch
edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl=https://origin-server.domain.ch/shibboleth/AA
edu.internet2.middleware.shibboleth.hs.HandleServlet.username=REMOTE_USER
edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod=urn:oasis:names:tc:SAML:1.0:am:password
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath=file:///etc/opt/tomcat/shibboleth/keystore.jks
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword=$STOREPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias=SYSTEMNAME
edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword=$KEYPASS
edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias=domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName=origin-server.domain.ch
edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors=false
edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig=file:///etc/opt/tomcat/shibboleth/resolver.xml
edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation=edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path=file:///etc/opt/tomcat/shibboleth/arps/
edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL=300
edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation=edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL=1000
edu.internet2.middleware.shibboleth.audiences=urn:mace:switch.ch:SWITCHaai:pilot
A6. /etc/opt/tomcat/shibboleth/resolver.xml (see ORIG-4.a.i, ORIG-5.d)
In order to test the resolver configuration (ORIG-5.d.i) you can use the resolvertest tool written for Shibboleth; the command is shown after the file.
<AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns="urn:mace:shibboleth:resolver:1.0"
    xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0 shibboleth-resolver-1.0.xsd">
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:sn">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:givenName">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonDateOfBirth">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonGender">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:preferredLanguage">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mail">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePostalAddress">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:postalAddress">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:homePhone">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:telephoneNumber">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:mobile">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganization">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonHomeOrganizationType">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch1">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch2">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyBranch3">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStudyLevel">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:switch.ch:attribute-def:swissEduPersonStaffCategory">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgDN">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonOrgUnitDN">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonEntitlement">
<DataConnectorDependency requires="directory"/>
</SimpleAttributeDefinition>
<JNDIDirectoryDataConnector id="directory">
<Search filter="uid=%PRINCIPAL%">
<Controls searchScope="SUBTREE_SCOPE" returningObjects="false" />
</Search>
<Property name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory" />
<Property name="java.naming.provider.url" value="ldap://ldap-server.domain.ch:389/O=domain,C=ch" />
<!--
<Property name="java.naming.security.principal" value="CN=admin,O=domain,C=ch" />
-->
<!--
<Property name="java.naming.security.credentials" value="examplePassword" />
-->
</JNDIDirectoryDataConnector>
</AttributeResolver>
$ /opt/shibboleth-origin-1.1/bin/resolvertest --user=demouser --file=file:///etc/opt/tomcat/shibboleth/resolver.xml
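The JNDIDirectoryDataConnector in resolver.xml (A6) builds its LDAP search from the template uid=%PRINCIPAL%, substituting the authenticated user name. Whether Shibboleth 1.1 escapes the substituted value itself is not stated in this guide; the following Python code is an added example, not Shibboleth code, and assumes a verbatim substitution in order to show what the escaping has to guarantee: the principal is encoded as an RFC 4515 assertion value, so that parentheses or wildcards in a user name can never turn the single uid=... comparison into a wider search. The template and the sample user names are constructed.

```python
"""Build the LDAP search filter that the resolver derives from its
<Search filter="uid=%PRINCIPAL%"> template, escaping the principal as an
RFC 4515 assertion value so that it cannot alter the filter structure.
Added example, not Shibboleth code."""

# Characters that RFC 4515 requires to be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

TEMPLATE = "uid=%PRINCIPAL%"  # the filter template from resolver.xml above


def escape_filter_value(value):
    """Escape a value for safe embedding in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, principal):
    """Substitute the escaped principal for %PRINCIPAL% in the template."""
    return template.replace("%PRINCIPAL%", escape_filter_value(principal))


def is_single_equality_filter(ldap_filter, attribute):
    """Check that a filter is exactly one '<attribute>=<value>' assertion: no
    unescaped parentheses or wildcards that would widen the search."""
    prefix = attribute + "="
    if not ldap_filter.startswith(prefix):
        return False
    value = ldap_filter[len(prefix):]
    i = 0
    while i < len(value):
        if value[i] == "\\":
            i += 3  # skip a \xx escape sequence
            continue
        if value[i] in "()*":
            return False
        i += 1
    return True


if __name__ == "__main__":
    # Constructed user names: a normal one, one with a wildcard, one with parentheses.
    for name in ("demouser", "de*mo", "(user)"):
        built = build_filter(TEMPLATE, name)
        unescaped = TEMPLATE.replace("%PRINCIPAL%", name)
        print("%-12s escaped: %-20s single assertion: %s | verbatim: %s"
              % (name, built, is_single_equality_filter(built, "uid"),
                 is_single_equality_filter(unescaped, "uid")))
```

The same escaping applies to any other attribute value that is interpolated into a filter; the is_single_equality_filter check is a cheap self-test to run on the filter the connector would actually send.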
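The Attribute Release Policy shown earlier in the appendix has a single rule with an AnyTarget and a list of attributes each permitted for any value; attributes that the resolver returns but that are not listed are not released. The following Python evaluator is an added example, not Shibboleth code: it models the ARP semantics of that file (a value is released when an applicable rule permits it and no applicable rule denies it) and goes slightly beyond the page's file by also handling a Requester target and a Value element with release="deny", so that the effect of a target-specific rule can be seen. The embedded ARP, the requester names and the user attributes are constructed; the real ARP engine supports further rule kinds not modelled here.

```python
"""Minimal evaluator for the Attribute Release Policy (ARP) format used in
this guide: given an ARP, the requesting target and the attributes resolved
for a user, return the attribute values the origin would release.
Added example, not Shibboleth code; it models only AnyTarget/Requester
targets and AnyValue/Value rules with release="permit" or "deny"."""
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"

# Constructed sample ARP in the page's format, shortened to a few attributes
# and extended with a requester-specific rule and a deny.
SAMPLE_ARP = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Description>Constructed example policy.</Description>
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
  <Rule>
    <Target>
      <Requester>urn:mace:switch.ch:SWITCHaai:pilot:library</Requester>
    </Target>
    <Attribute name="urn:mace:dir:attribute-def:mail">
      <AnyValue release="permit"/>
    </Attribute>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonAffiliation">
      <Value release="deny">staff</Value>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""

ANY = None  # marker for "any value" in the permit/deny tables


def _tag(name):
    return "{%s}%s" % (ARP_NS, name)


def _rule_applies(rule, requester):
    target = rule.find(_tag("Target"))
    if target.find(_tag("AnyTarget")) is not None:
        return True
    return any(r.text.strip() == requester for r in target.findall(_tag("Requester")))


def release(arp_xml, requester, attributes):
    """attributes: {attribute name: [values]}. A value is released only if an
    applicable rule permits it and no applicable rule denies it."""
    root = ET.fromstring(arp_xml)
    permitted, denied = {}, {}
    for rule in root.findall(_tag("Rule")):
        if not _rule_applies(rule, requester):
            continue
        for attr in rule.findall(_tag("Attribute")):
            for entry in attr:
                table = permitted if entry.get("release") == "permit" else denied
                value = ANY if entry.tag == _tag("AnyValue") else entry.text.strip()
                table.setdefault(attr.get("name"), set()).add(value)

    def allowed(table, name, value):
        entries = table.get(name, set())
        return ANY in entries or value in entries

    result = {}
    for name, values in attributes.items():
        kept = [v for v in values
                if allowed(permitted, name, v) and not allowed(denied, name, v)]
        if kept:
            result[name] = kept
    return result


if __name__ == "__main__":
    # Constructed user attributes as the resolver might return them.
    user = {
        "urn:mace:switch.ch:attribute-def:swissEduPersonUniqueID": ["12345@domain.ch"],
        "urn:mace:dir:attribute-def:eduPersonAffiliation": ["staff", "member"],
        "urn:mace:dir:attribute-def:mail": ["user@domain.ch"],
        "urn:mace:dir:attribute-def:homePhone": ["+41 00 000 00 00"],
    }
    for req in ("urn:mace:switch.ch:SWITCHaai:pilot:library",
                "urn:mace:switch.ch:SWITCHaai:pilot:other"):
        print(req, "->", release(SAMPLE_ARP, req, user))
```

Running the evaluator over a site ARP with a representative user record is a quick way to confirm, before going live, that only the intended attributes leave the origin for each target.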