Getting LDAP groups a user is a member of

Richard Genthner moose at symplicity.com
Fri Jul 18 10:39:37 EDT 2014


I'm running on LDAP, and in all my scripts that get group membership I use 
this filter:

"(&(objectClass=posixGroup)(memberUid=moose))" cn

I'm trying to figure out how I can make Shibboleth do something similar 
without losing my authentication.

> Rhys Smith <mailto:Smith at cardiff.ac.uk>
> July 18, 2014 at 10:23 AM
> Yep, my answer is completely subject (may or may not work for you) 
> depending on your answer to Peter's point also...
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: smith at cardiff.ac.uk / rhys.smith at ja.net
> GPG: 0x4638C985
>
>
> --
> To unsubscribe from this list send an email to 
> users-unsubscribe at shibboleth.net
> Rhys Smith <mailto:Smith at cardiff.ac.uk>
> July 18, 2014 at 10:20 AM
> If you're using a directory that stores this in the memberOf attribute 
> (e.g. AD), then just add something like the following to 
> attribute-resolver.xml (assuming the principal you use to connect to 
> your LDAP has read rights to the attribute):
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf" sourceAttributeID="memberOf">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:memberOf" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Note that if using something like eDirectory, this is stored in the 
> groupMembership attribute rather than the memberOf attribute.
>
> Also, I've had something on the other end using SAML1 that expected 
> it to be called "isMemberOf" rather than "memberOf", so my full 
> attribute config (we use eDir) looks like this:
>
> <!-- Group Membership. Exists as groupMembership in eDir, but usually 
>      known as memberOf so we use that name, also isMemberOf over SAML1 -->
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf" sourceAttributeID="groupMembership">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:memberOf" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:isMemberOf" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Finally, note that memberOf or isMemberOf was never registered in the 
> urn:mace:dir:attribute-def: namespace so what I've done is completely 
> wrong (improper rather than won't work), but I had some stuff on the 
> other end that was expecting it to have that name so I just bit the 
> bullet and did it against my own objections.
>
> If you're just doing this internally, and you control the SP(s), 
> so can map from whatever name you care to define, then the safer and 
> more proper thing would be to just use the OID name even in SAML1, e.g.
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf" sourceAttributeID="groupMembership">
>     <resolver:Dependency ref="myLDAP" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" />
>     <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Of course, if this is going to be SAML2 only, then you can just ignore 
> that problem and just have the one SAML2 encoder.
>
>
> HTH,
> Rhys.
> Richard Genthner <mailto:moose at symplicity.com>
> July 18, 2014 at 9:55 AM
> I have been trying to figure out how to expose LDAP groups that a user 
> belongs to. Does anyone have ideas on how to expose these?
>

-- 
Richard Genthner
Senior System Administrator
rgenthner at symplicity.com
tel. 703-351-0200 x8051
Direct 703-373-7033
sip:8051 at voip.symplicity.com
Symplicity Corporation
http://www.symplicity.com
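The thread above covers two cases: a directory that already holds a per-user memberOf/groupMembership attribute (Rhys's snippets), and the original poster's posixGroup schema, where membership lives on the group entry as memberUid and has to be looked up with the filter he quotes. The following is an added example for the second case, not configuration from the thread or from the Shibboleth project. It uses the IdP v2 attribute-resolver.xml syntax the thread uses and assumes: a hypothetical LDAP host, base DNs and a read-only resolver bind account (all placeholders), that the IdP principal name is the same string stored in memberUid, and that the existing "myLDAP" connector for the person entry stays exactly as it is. The lookup runs over the resolver's own bind, so the authentication path (login.config / JAAS) is not touched.

```xml
<!-- Added example (not from the original thread): a second LDAP data connector
     that resolves posixGroup membership for the authenticated user.
     Host, DNs, ids and credential below are hypothetical placeholders. -->
<resolver:DataConnector id="posixGroups" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ldap.example.org:636"
        baseDN="ou=groups,dc=example,dc=org"
        principal="uid=idp-resolver,ou=services,dc=example,dc=org"
        principalCredential="CHANGE-ME"
        mergeResults="true"
        noResultIsError="false">
    <!-- The same filter the poster uses in scripts, keyed on the IdP principal name.
         mergeResults="true" is needed because one user matches many group entries;
         noResultIsError="false" keeps users with no groups logging in. -->
    <dc:FilterTemplate>
        <![CDATA[
            (&(objectClass=posixGroup)(memberUid=$requestContext.principalName))
        ]]>
    </dc:FilterTemplate>
    <!-- Read only the group name; the bind account needs nothing else from the group entry. -->
    <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- One value per matching group, carrying the group's cn (a short name, not a DN
     as memberOf in AD would be). Encoded under the isMemberOf OID used in the
     thread so SPs see it the same way regardless of directory schema. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="posixGroupNames" sourceAttributeID="cn">
    <resolver:Dependency ref="posixGroups" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
</resolver:AttributeDefinition>
```

Two things to check before relying on this: the bind account used by the connector should be a read-only account scoped to the groups subtree (group membership is exactly the data an attacker would want to enumerate if that credential leaked), and the new attribute id still has to be released to each SP in attribute-filter.xml, otherwise it resolves but is never sent. If the IdP principal name is not identical to the memberUid value (for example when users log in with an e-mail address), the filter above will silently return no groups, so test with a known member first.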
