Mapping kerberos principal to ldap connector
Morris, Andi
amorris@cardiffmet.ac.uk
Mon Nov 24 10:24:11 EST 2014
Hi all,
Kerberos authentication is now working well, and transparently through RemoteUser.
However, I've now come to try to map some attributes to send, and I'm using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within attribute-resolver.xml.
Modifying this for my own environment, I have:
------------------------------------------------------------------------------------------------------------------------------
<resolver:AttributeDefinition id="principalName"
                              xsi:type="ad:PrincipalName"
                              dependencyOnly="true">
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="krb_principalname"
                              xsi:type="ad:Mapped"
                              sourceAttributeID="principalName"
                              dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:ValueMap>
        <ad:ReturnValue>$1</ad:ReturnValue>
        <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<resolver:AttributeDefinition id="krb_domain"
                              xsi:type="ad:Mapped"
                              sourceAttributeID="principalName"
                              dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:ValueMap>
        <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
        <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<resolver:DataConnector id="myLDAP"
                        xsi:type="dc:LDAPDirectory"
                        ldapURL="ldap://ldap.internal.domain.ac.uk"
                        baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
                        principal="shib@internal.domain.ac.uk"
                        principalCredential="password">
    <resolver:Dependency ref="krb_principalname" />
    <resolver:Dependency ref="krb_domain" />
    <dc:FilterTemplate>
        <!--
        (mail=$requestContext.principalName) - matches UsernamePassword Principal
        &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
        -->
        <![CDATA[
        (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
        ]]>
    </dc:FilterTemplate>
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>
------------------------------------------------------------------------------------------------------------------------
Debug output shows:
----------------------------------------------------------------------------------------------------------------------
15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username@INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username@INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [username]
15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username@INTERNAL.DOMAIN.AC.UK
15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_DOMAIN: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username@INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username@INTERNAL.DOMAIN.AC.UK
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values
15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_DOMAIN from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username@INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username@INTERNAL.DOMAIN.AC.UK. The following attributes remain: [transientId]
15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
------------------------------------------------------------------------------------------------------------------
I can see that the krb_principalname and krb_domain get mapped to the correct parts of the principal, but I'm having trouble then passing that to the LDAP connector. I think it's something up with the search filter.
Can anybody please point me in the right direction here?
Cheers,
Andi
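As an added example (not Shibboleth's code and not part of the post), the following Python reproduces the two ad:Mapped definitions and the dc:FilterTemplate from the message outside the IdP, so the rendered filter can be compared line-for-line with the "Search filter:" entry in the debug log. It also applies RFC 4515 escaping to the substituted values, which the template text itself does not do, and assumes that a principal whose realm does not match the SourceValue falls back to the mail clause alone.

```python
import re

# Constructed example mirroring the attribute-resolver.xml in the post.
SOURCE_VALUE = r"(.+)@INTERNAL.DOMAIN.AC.UK"   # ad:SourceValue as written (dots unescaped)
KRB_DOMAIN_VALUE = "internal.uwic.ac.uk"       # ad:ReturnValue of krb_domain
SOURCE_RE = re.compile(SOURCE_VALUE)


def ldap_escape(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515, section 3)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def map_principal(principal: str):
    """Mirror the two ad:Mapped definitions and return (krb_principalname, krb_domain).

    The ValueMap regex must match the whole principal; a principal from another
    realm produces no values, represented here as (None, None)."""
    m = SOURCE_RE.fullmatch(principal)
    if m is None:
        return None, None
    return m.group(1), KRB_DOMAIN_VALUE   # $1 and the fixed ReturnValue


def build_filter(principal: str) -> str:
    """Render the dc:FilterTemplate for one principal, with every value escaped."""
    user, domain = map_principal(principal)
    clauses = "(mail=%s)" % ldap_escape(principal)
    if user is not None:   # assumption: no mapped values means the mail clause only
        clauses += "(&(samaccountname=%s)(msSFU30NisDomain=%s))" % (
            ldap_escape(user), ldap_escape(domain))
    return "(&(|%s)(objectclass=user))" % clauses


if __name__ == "__main__":
    print(build_filter("username@INTERNAL.DOMAIN.AC.UK"))
```

Because the log shows the filter being rendered with the expected values, a mismatch between this output and what the directory actually holds (for example the NIS domain string in msSFU30NisDomain) is the next thing to check.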