Each attribute rule contains one and only one value rule.
Glenn Wearen
glenn.wearen at heanet.ie
Fri Feb 15 11:39:32 EST 2013
In my setup I assign every known value of ePe to all users in the resolver and then attempt to filter the values based on some other attribute's value.
But I think what I'm trying to do cannot be achieved due to the limitation that "Each attribute rule contains one and only one value rule." (https://wiki.shibboleth.net/confluence/display/SHIB2/IdPAddAttributeFilter#IdPAddAttributeFilter-3DefineAttributeRules )
This is what I've come up with…
<afp:AttributeRule attributeID="eduPersonEntitlement" xsi:type="basic:OR">
    <basic:Rule xsi:type="AttributeValueRegex" attributeID="distinguishedName" regex="^OU=ComputerScience.*$">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true"/>
        </afp:PermitValueRule>
    </basic:Rule>
    <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex="^OU=HumanitiesStudent.*$">
        <afp:PermitValueRule xsi:type="basic:OR">
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:69303931" ignoreCase="true"/>
            <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:98632322" ignoreCase="true"/>
        </afp:PermitValueRule>
    </basic:Rule>
</afp:AttributeRule>
This raises the error "ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:188] - Configuration was not loaded for shibboleth.AttributeFilterEngine service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-elt.4.3: Type 'basic:OR' is not validly derived from the type definition, 'AttributeRuleType', of element 'afp:AttributeRule'."
I had a look at the schema and I don't think it allows for an OR on an AttributeRule.
Anybody got a suggestion that doesn't involve a script resolver, or a script matching rule?
Glenn
Edugate Operations
HEAnet Limited, Ireland's Education and Research Network -
1st Floor, 5 George's Dock, IFSC, Dublin 1
Registered in Ireland, no 275301 tel: +353-1-6609040 fax: +353-1-6603666
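
One schema-valid way to express the per-OU filtering described in the message above, added here as an illustration and not part of the original post or of the Shibboleth documentation: keep a single AttributeRule with a single PermitValueRule of type basic:OR, and make each branch a basic:AND that pairs the distinguishedName test with that OU's list of permitted values. It assumes the afp, basic and xsi prefixes are bound as in the post, that distinguishedName is resolved for the user, and that the mixed urn:mace / urn:mace-dir values are as intended in the original.

```xml
<!-- Added example: one AttributeRule, exactly one PermitValueRule (an OR of AND pairs). -->
<afp:AttributeRule attributeID="eduPersonEntitlement">
    <afp:PermitValueRule xsi:type="basic:OR">

        <!-- Branch 1: DN matches OU=ComputerScience AND the ePE value is one of these two -->
        <basic:Rule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex="^OU=ComputerScience.*$"/>
            <basic:Rule xsi:type="basic:OR">
                <!-- No attributeID here: the rule tests values of the enclosing attribute -->
                <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:13209481" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace:heanet.ie:edugate:sp:onthehub:14556661" ignoreCase="true"/>
            </basic:Rule>
        </basic:Rule>

        <!-- Branch 2: DN matches OU=HumanitiesStudent AND the ePE value is one of these two -->
        <basic:Rule xsi:type="basic:AND">
            <basic:Rule xsi:type="basic:AttributeValueRegex" attributeID="distinguishedName" regex="^OU=HumanitiesStudent.*$"/>
            <basic:Rule xsi:type="basic:OR">
                <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:69303931" ignoreCase="true"/>
                <basic:Rule xsi:type="basic:AttributeValueString" value="urn:mace-dir:heanet.ie:edugate:sp:onthehub:98632322" ignoreCase="true"/>
            </basic:Rule>
        </basic:Rule>

    </afp:PermitValueRule>
</afp:AttributeRule>
```

Because nothing outside the two AND branches permits a value, a user whose distinguishedName matches neither regex gets no eduPersonEntitlement values from this rule.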