cannot pull isMemberOf attribute

Cameron Kerr cameron.kerr at otago.ac.nz
Fri Mar 7 05:13:19 EST 2014


Suggest you only request the attributes you need; you'll get better LDAP performance that way. 

Also, remember that you can filter attribute values, which generally is useful to do if using this to release group information about a user. 

Cameron Kerr. Sent from my iPad.
Systems Engineer, Systems Services Team, ITS, Otago University

> On 7/03/2014, at 5:01 pm, "Lipscomb, Gary" <glipscomb at csu.edu.au> wrote:
> 
> Thanks for the hint, we've been trying to use memberOf to populate some attributes based on group membership.
> I'm not sure if I should continue in this thread or start a new one. :-)
> 
> We configured the LDAP connector in attribute-resolver.xml as below
> 
>     <resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory" xmlns="urn:mace:shibboleth:2.0:resolver:dc"
>        ldapURL="${ldap.url}" baseDN="o=xxxx.yyy.edu.au" principal="${ldap.principal}"
>        principalCredential="${ldap.credential}">
>        <FilterTemplate>
>            <![CDATA[
>                (uid=$requestContext.principalName)
>            ]]>
>        </FilterTemplate>
>        <ReturnAttributes>* memberOf</ReturnAttributes>
>        <LDAPProperty name="java.naming.referral" value="follow"/>
>    </resolver:DataConnector>
> 
> And the list of groups a user belongs to is shown
> 
>        14:19:42.973 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: memberOf[cn=STAFF,ou=Groups,o=xxxx.yyy.edu.au, cn=VPN_GENERAL,ou=Groups,o=xxxx.yyy.edu.au, cn=PERMANENT_STAFF,ou=Groups,o=xxxx.yyy.edu.au, cn=EZPROXY_ACCESS,ou=Groups,o=xxxx.yyy.edu.au]
> 
> We are then trying to set an attribute eduPersonEntitlement based on the following script, which doesn't return a result (based on [1]).
> 
>  <resolver:AttributeDefinition id="eduPersonEntitlement" xsi:type="Script" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>    sourceAttributeID="eduPersonEntitlement">
>    <resolver:Dependency ref="myLDAP" />
>    <resolver:AttributeEncoder xsi:type="SAML1String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>        name="urn:mace:dir:attribute-def:eduPersonEntitlement" />
>    <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>        name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" friendlyName="eduPersonEntitlement" />
> 
>    <Script>
>    <![CDATA[
>       importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
>       eduPersonEntitlement = new BasicAttribute("eduPersonEntitlement");
> 
>        // If the user has group membership
>        if (typeof memberOf != "undefined" && memberOf != null ){
>            // Then go through each group membership and add the appropriate affiliation
>            // The IdP will remove duplicate values so we don't need to worry about that here
>            for ( i = 0; memberOf != null && i < memberOf.getValues().size(); i++ ){
>                value = memberOf.getValues().get(i);
>                if (value.indexOf("cn=EZPROXY_ACCESS,ou=Groups,o=xxxx.yyy.edu.au") > 0){
>                    eduPersonEntitlement.getValues().add('urn:mace:dir:entitlement:common-lib-terms');
>                }
>            }
>        }
>      ]]>
>    </Script>
>  </resolver:AttributeDefinition>
> 
> 
> I've tried turning the logging on to ALL but can't see how the calculation is done.
> 
>    <!-- Logs IdP, but not OpenSAML, messages -->
>    <logger name="edu.internet2.middleware.shibboleth" level="ALL"/>
> 
> 
> 1. Is there a way to see the process?
> 2. Is there a flaw in the above script?
> 
> 
> [1] https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples#ResolverScriptAttributeDefinitionExamples-GenerateAffiliationbasedonGroups
> 
> thanks
> 
> Gary
> 
> 
> |-----Original Message-----
> |From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
> |On Behalf Of Cameron Kerr
> |Sent: Friday, 7 March 2014 10:16
> |To: Shib Users
> |Cc: Shib Users
> |Subject: Re: cannot pull isMemberOf attribute
> |
> |Not sure about your LDAP, but we have a similar situation where the
> |attribute must be explicitly requested. You can specify the list of
> |attributes to request in attribute-resolver.xml
> |
> |Earlier in the log you should be able to see what attributes were pulled
> |from ldap.
> |
> |Cheers,
> |Cameron
> |
> |Sent from my iPhone
> |
> |> On 7/03/2014, at 11:45 am, "Qian, Yi" <yqian at ku.edu> wrote:
> |>
> |> Hello,
> |>
> |> Our LDAP contains an isMemberOf attribute which is multi-valued; the actual value is the group DN, such as "cn=group1,ou=groups,dc=ku,dc=edu".
> |>
> |> In the shib log, I saw following
> |> 15:56:39.758 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute isMemberOf for principal yqian
> |> 15:56:39.758 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute isMemberOf containing 0 values
> |>
> |> Does anyone know why the isMemberOf did not return with values?
> |>
> |> Thanks
> |> Yi
> |> --
> |> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
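The following is an added example, not code from the thread or from the Shibboleth IdP. It re-runs the group-to-entitlement logic of the quoted Script attribute definition outside the IdP, over the memberOf values shown in the DEBUG log line above, so that the test as posted (`indexOf(...) > 0`) can be compared with a substring test and with an exact DN comparison. The memberOf list is constructed from that log line; the VPN entitlement value is a hypothetical addition to show the mapping generalises to several groups; and the DN normalisation is a deliberate approximation of LDAP DN matching (whitespace and case only, no escaped-comma handling). It is written in ES5 style (var, plain loops, no trim()) so the same logic can be pasted into a Rhino-based `<Script>` block of an IdP v2 attribute-resolver.xml; under the IdP the values would come from `memberOf.getValues()` and the results would go into `eduPersonEntitlement.getValues().add(...)`.

```javascript
// Added example: not code from the thread or from the Shibboleth IdP.
// Compares three ways of deciding whether a memberOf value names a group.

// Constructed from the memberOf[...] values in the thread's DEBUG log line.
var MEMBER_OF = [
  "cn=STAFF,ou=Groups,o=xxxx.yyy.edu.au",
  "cn=VPN_GENERAL,ou=Groups,o=xxxx.yyy.edu.au",
  "cn=PERMANENT_STAFF,ou=Groups,o=xxxx.yyy.edu.au",
  "cn=EZPROXY_ACCESS,ou=Groups,o=xxxx.yyy.edu.au"
];

var EZPROXY_GROUP = "cn=EZPROXY_ACCESS,ou=Groups,o=xxxx.yyy.edu.au";
var LIB_TERMS = "urn:mace:dir:entitlement:common-lib-terms";

// 1. The test as written in the quoted script: indexOf(...) > 0.
// Each memberOf value is the whole group DN, so a hit sits at index 0 and
// "> 0" is never true: the loop adds nothing, which is the symptom reported.
function entitlementsAsPosted(memberOf) {
  var out = [];
  for (var i = 0; i < memberOf.length; i++) {
    if (memberOf[i].indexOf(EZPROXY_GROUP) > 0) {
      out.push(LIB_TERMS);
    }
  }
  return out;
}

// 2. The one-character fix: indexOf(...) >= 0. This works for the data in
// the thread, but it is a substring test and also accepts any DN that merely
// contains the group DN, for example an entry located beneath the group.
function entitlementsSubstring(memberOf) {
  var out = [];
  for (var i = 0; i < memberOf.length; i++) {
    if (memberOf[i].indexOf(EZPROXY_GROUP) >= 0) {
      out.push(LIB_TERMS);
    }
  }
  return out;
}

// Normalise a DN for comparison: strip whitespace around each RDN and fold
// case, since attribute types and (in most directories) DN values match
// case-insensitively. Assumption of this example: no escaped commas or
// multi-valued RDNs, which full LDAP DN matching would also have to handle.
function normalizeDn(dn) {
  var parts = dn.split(",");
  for (var i = 0; i < parts.length; i++) {
    parts[i] = parts[i].replace(/^\s+|\s+$/g, "").toLowerCase();
  }
  return parts.join(",");
}

// Group DN -> entitlement, keyed by normalised DN. Only the EZPROXY_ACCESS
// mapping comes from the thread; the VPN entry is a hypothetical addition.
var GROUP_TO_ENTITLEMENT = {};
GROUP_TO_ENTITLEMENT[normalizeDn(EZPROXY_GROUP)] = LIB_TERMS;
GROUP_TO_ENTITLEMENT[normalizeDn("cn=VPN_GENERAL,ou=Groups,o=xxxx.yyy.edu.au")] =
  "urn:mace:example.edu.au:entitlement:vpn"; // hypothetical value

// 3. Exact comparison of whole normalised DNs: a value yields an entitlement
// only if it IS a mapped group, not if it merely contains one. Results are
// de-duplicated here, as the IdP would do for a multi-valued attribute.
function entitlementsExact(memberOf, mapping) {
  var seen = {};
  var out = [];
  for (var i = 0; i < memberOf.length; i++) {
    var key = normalizeDn(memberOf[i]);
    if (Object.prototype.hasOwnProperty.call(mapping, key)) {
      var ent = mapping[key];
      if (!seen[ent]) {
        seen[ent] = true;
        out.push(ent);
      }
    }
  }
  return out;
}

// Sample run over the constructed memberOf values.
console.log("as posted:", entitlementsAsPosted(MEMBER_OF));
console.log("substring:", entitlementsSubstring(MEMBER_OF));
console.log("exact:    ", entitlementsExact(MEMBER_OF, GROUP_TO_ENTITLEMENT));
```

The exact comparison is the one to carry into the resolver when the attribute gates access, as eduPersonEntitlement does for EZproxy here: it does not depend on where in the string a match occurs, it is insensitive to the case and spacing differences that different directories produce, and it cannot be satisfied by an unrelated DN that happens to end with the group DN. In the connector itself, Cameron's advice maps to listing only the attributes the definitions read (for example `uid memberOf` rather than `* memberOf`) in `<ReturnAttributes>`, and to filtering the values of any group attribute that is released directly rather than derived.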

