Getting LDAP groups a user is a member of
Richard Genthner
moose at symplicity.com
Fri Jul 18 10:39:37 EDT 2014
I'm running on ldap and in all my scripts to get group membership, I use
this filter
"(&(objectClass=posixGroup)(memberUid=moose))" cn
I'm trying to figure out how I can make shibboleth do something similar
without losing my authentication.
> Rhys Smith <mailto:Smith at cardiff.ac.uk>
> July 18, 2014 at 10:23 AM
> Yep, my answer is completely subject (may or may not work for you)
> depending on your answer to Peter's point also...
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: smith at cardiff.ac.uk / rhys.smith at ja.net
> GPG: 0x4638C985
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
> Rhys Smith <mailto:Smith at cardiff.ac.uk>
> July 18, 2014 at 10:20 AM
> If you're using a directory that stores this in the memberOf attribute
> (e.g. AD), then just add something like the following to
> attribute-resolver.xml (assuming the principal you use to connect to
> your LDAP has read rights to the attribute):
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf"
> sourceAttributeID="memberOf">
> <resolver:Dependency ref="myLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> name="urn:mace:dir:attribute-def:memberOf" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Note that if using something like eDirectory, this is stored in the
> groupMembership attribute rather than the memberOf attribute.
>
> Also, I've had something on the other end using SAML1 that expected
> it to be called "isMemberOf" rather than "memberOf", so my full
> attribute config (we use eDir) looks like this
>
> <!-- Group Membership. Exists as groupMembership in eDir, but usually
> known as memberOf so we use that name, also isMemberOf over SAML1 -->
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf"
> sourceAttributeID="groupMembership">
> <resolver:Dependency ref="myLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> name="urn:mace:dir:attribute-def:memberOf" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> name="urn:mace:dir:attribute-def:isMemberOf" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Finally, note that memberOf or isMemberOf was never registered in the
> urn:mace:dir:attribute-def: namespace so what I've done is completely
> wrong (improper rather than won't work), but I had some stuff on the
> other end that was expecting it to have that name so I just bit the
> bullet and did it against my own objections.
>
> If you're just doing this internally, and you control the SP(s), so
> you can map from whatever name you care to define, then the safer and
> more proper thing would be to just use the OID name even in SAML1, e.g.
>
> <resolver:AttributeDefinition xsi:type="ad:Simple" id="memberOf"
> sourceAttributeID="groupMembership">
> <resolver:Dependency ref="myLDAP" />
> <resolver:AttributeEncoder xsi:type="enc:SAML1String"
> name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" />
> <resolver:AttributeEncoder xsi:type="enc:SAML2String"
> name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" />
> </resolver:AttributeDefinition>
>
> Of course, if this is going to be SAML2 only, then you can just ignore
> that problem and just have the one SAML2 encoder.
>
>
> HTH,
> Rhys.
> --
> Dr Rhys Smith
> Identity, Access, and Middleware Specialist
> Cardiff University & Janet, the UK's research and education network
>
> email: smith at cardiff.ac.uk / rhys.smith at ja.net
> GPG: 0x4638C985
>
>
> Richard Genthner <mailto:moose at symplicity.com>
> July 18, 2014 at 9:55 AM
> I have been trying to figure out how to expose ldap groups that a user
> belongs to. Does anyone have ideas on how to expose these?
>
--
Richard Genthner
Senior System Administrator
rgenthner at symplicity.com
tel. 703-351-0200 x8051
Direct 703-373-7033
sip:8051 at voip.symplicity.com
Symplicity Corporation
http://www.symplicity.com
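For the posixGroup case in the original question (no memberOf attribute, groups found by searching memberUid), here is an added attribute-resolver.xml fragment; it is not from the thread or the Shibboleth project. It assumes IdP 2.x resolver syntax with the resolver:, dc:, ad: and enc: prefixes already declared in the file; the connector id groupLDAP, hostnames, DNs and the bind account are placeholders.

```xml
<!-- ADDED EXAMPLE (not from the thread). The existing "myLDAP" connector
     that does the per-user lookup is left untouched, so authentication is
     unaffected; this second connector only runs the group search. -->

<!-- Group search: one entry per posixGroup whose memberUid lists the user.
     $requestContext.principalName is the uid of the already-authenticated
     user, so the filter is the same one used in the original scripts. -->
<resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ldap.example.org"
    baseDN="ou=groups,dc=example,dc=org"
    principal="cn=idp-reader,ou=system,dc=example,dc=org"
    principalCredential="CHANGEME"
    mergeResults="true">
    <!-- mergeResults: each group is a separate LDAP entry; without merging
         the connector keeps only the first match instead of all groups. -->
    <dc:FilterTemplate>
        <![CDATA[
            (&(objectClass=posixGroup)(memberUid=$requestContext.principalName))
        ]]>
    </dc:FilterTemplate>
    <!-- Only the group name is needed; requesting nothing else keeps the
         read-only bind account's footprint minimal. -->
    <dc:ReturnAttributes>cn</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Expose the collected cn values as isMemberOf, reusing the OID from the
     replies above; the dependency is on groupLDAP only, so the user's own
     cn from myLDAP is not mixed in. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="posixGroups"
    sourceAttributeID="cn">
    <resolver:Dependency ref="groupLDAP" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```

The attribute is still withheld until a release rule for posixGroups is added to attribute-filter.xml for the relevant SP(s).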