LDAP value order
haim at hrz.uni-marburg.de
Mon Nov 28 09:05:30 GMT 2011
Thanks for all your input!
It turns out that our OpenLDAP server supports ordered values, and
vt-ldap may also keep the order if configured to do so, but the order is
finally lost in attribute filtering within the depths of the Shibboleth
IdP. I guess we will have to live with that, or "fix" the attribute
filter engine some day.
(If we remove the 'filter="shibboleth.AttributeFilterEngine"' from the
SAML2AttributeAuthority in service.xml, Shibboleth releases the
attributes unfiltered in the order they come from vt-ldap. So it's
indeed the filter not respecting value order.)
> The order in which attributes are displayed in uApprove is configurable.
Yes it is, but each attribute's values are still mixed up by Shibboleth
before. If LDAP value order is not preserved, at least alphabetical
ordering would be desirable here.
> we build attribute values in our directory to represent hierarchy
We have a custom "linkToDepartment" LDAP entry (mapped to Shibboleth's
orgUnitDN) which contains the ou values in hierarchical order, so that
is not the problem.
Well, let's close this for now.
More information about the users