Mapping kerberos principal to ldap connector

Morris, Andi amorris at cardiffmet.ac.uk
Tue Nov 25 04:23:51 EST 2014


Thanks Douglas,
I think I've resolved this now by using the below. I've also put in the check for a disabled account that you mentioned in a previous thread.

<dc:FilterTemplate>
    <!-- match the mapped Kerberos principal's sAMAccountName AND require the
         account not to be disabled (userAccountControl bit 2, tested with the
         1.2.840.113556.1.4.803 bitwise-AND matching rule) -->
    <![CDATA[
        (&(objectClass=user)(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
    ]]>
</dc:FilterTemplate>
<dc:LDAPProperty name="java.naming.referral" value="follow"/>

That seems to be pulling AD attributes now.

Cheers,
Andi

-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
Sent: 24 November 2014 18:14
To: users at shibboleth.net
Subject: Re: Mapping kerberos principal to ldap connector



On 11/24/2014 9:24 AM, Morris, Andi wrote:
> Hi all,
>
> Kerberos authentication is now working well, and transparently through RemoteUser.
>
> However I've now come to try to map some attributes to send and I'm 
> using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within attribute-resolver.xml.
>
> Modifying this for my own environment I have:
>
> ----------------------------------------------------------------------------------------------------------------
>
>      <resolver:AttributeDefinition id="principalName"
>                                    xsi:type="ad:PrincipalName"
>                                    dependencyOnly="true">
>      </resolver:AttributeDefinition>
>
>      <resolver:AttributeDefinition id="krb_principalname"
>                                   xsi:type="ad:Mapped"
>                                   sourceAttributeID="principalName"
>                                   dependencyOnly="true" >
>       <resolver:Dependency ref="principalName" />
>       <ad:ValueMap>
>           <ad:ReturnValue>$1</ad:ReturnValue>
>           <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>       </ad:ValueMap>
>      </resolver:AttributeDefinition>
>
>      <resolver:AttributeDefinition id="krb_domain"
>                                   xsi:type="ad:Mapped"
>                                   sourceAttributeID="principalName"
>                                   dependencyOnly="true" >
>       <resolver:Dependency ref="principalName" />
>       <ad:ValueMap>
>           <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
>           <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>       </ad:ValueMap>
>      </resolver:AttributeDefinition>
>
>      <resolver:DataConnector id="myLDAP"
>          xsi:type="dc:LDAPDirectory"
>          ldapURL="ldap://ldap.internal.domain.ac.uk"
>          baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
>          principal="shib at internal.domain.ac.uk"
>          principalCredential="password">
>        <resolver:Dependency ref="krb_principalname" />
>        <resolver:Dependency ref="krb_domain" />
>          <dc:FilterTemplate>
> <!--
> (mail=$requestContext.principalName) - matches UsernamePassword Principal
> &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
> -->
>              <![CDATA[
>              (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
>                  ]]>
>          </dc:FilterTemplate>
>          <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>      </resolver:DataConnector>

Wow, that is a weird example they have, expecting the msSFU30NisDomain to match the krb_realm.

If AD is acting as the KDC, then the Kerberos realm name is the uppercase of the AD domain name.
(Kerberos protocols and applications are case sensitive, AD is not, so this can cause confusion too.) In general you can search for <sAMAccountName>@<AD-DOMAIN-NAME>.
(userPrincipalName at one time could be used, but AD overloaded it for smart card/certificate use as subjectAltName:msUPN.)

It might work in your environment, if the AD admins have populated msSFU30NisDomain, and have turned on SFU.

Also in general, there is no guarantee that the mail attribute will match the kerberos principal name.

One way to see what gets returned is to use the Unix ldapsearch command to see what LDAP returns.

A lot of the msDS attributes are not returned by AD by default. Not sure if msSFU30NisDomain is.
Best bet is to list the attributes you want returned, something like:
      <dc:ReturnAttributes>
          sAMAccountName sn givenName displayName mail cn entryDN userPrincipalName
      </dc:ReturnAttributes>

>
> ----------------------------------------------------------------------------------------------------------------
>
> Debug output shows:
>
> --------------------------------------------------------------------------------------------------------------
>
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username at INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username at INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username at INTERNAL.DOMAIN.AC.UK'
> 15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username at INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username at INTERNAL.DOMAIN.AC.UK to the values [username]
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username at INTERNAL.DOMAIN.AC.UK
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username at INTERNAL.DOMAIN.AC.UK'
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username at INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_DOMAIN: mapped depdenency attribute value username at INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username at INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values


Looks like SAMAccountName was not returned... See above.

>
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
> 15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_DOMAIN from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username at INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username at INTERNAL.DOMAIN.AC.UK
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username at INTERNAL.DOMAIN.AC.UK.  The following attributes remain: [transientId]
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
>
> ----------------------------------------------------------------------------------------------------------------
>
> I can see that the krb_principalname and krb_domain get mapped to the correct parts of the principal, but I'm having trouble then passing that to the LDAP connector. I think it's something up with the search filter.
>
> Can anybody please point me in the right direction here?
>
> Cheers,
>
> Andi

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
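To make the filter logic in this thread concrete, here is an added Python model (not the IdP's code and not from either post) of the path discussed above: the ad:Mapped regex strips the Kerberos realm, the mapped name is escaped and substituted into the FilterTemplate, and the rendered filter is evaluated against a few constructed AD-style entries, so you can compare AND-ing versus OR-ing the userAccountControl disabled-bit test. The function names, the sample entries and the escaped-dot version of the regex are assumptions for the example.

```python
import re

# ACCOUNTDISABLE bit of userAccountControl; the 1.2.840.113556.1.4.803 matching
# rule in the thread's filter is AD's bitwise-AND test for exactly this bit.
ACCOUNTDISABLE = 0x0002

# Constructed sample entries (not taken from the thread) standing in for what
# the LDAP connector would see under the baseDN.
SAMPLE_ENTRIES = [
    {"objectClass": "user", "sAMAccountName": "jsmith", "userAccountControl": 0x200},
    {"objectClass": "user", "sAMAccountName": "leaver", "userAccountControl": 0x202},
    {"objectClass": "user", "sAMAccountName": "amorris", "userAccountControl": 0x200},
    {"objectClass": "computer", "sAMAccountName": "WS01$", "userAccountControl": 0x1000},
]

# The ad:Mapped SourceValue from the thread, with the dots escaped so they only
# match literal dots. Kerberos realms are case-sensitive, so the pattern is too:
# a lowercase realm does not map and therefore nothing is searched.
KRB_REALM_RE = re.compile(r"(.+)@INTERNAL\.DOMAIN\.AC\.UK")


def map_principal(principal):
    """Emulate the krb_principalname ValueMap: strip the realm, or None if it differs."""
    m = KRB_REALM_RE.fullmatch(principal)
    return m.group(1) if m else None


def ldap_escape(value):
    """RFC 4515 escaping for a value interpolated into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def build_filter(sam, combine="&"):
    """Render the FilterTemplate with the mapped name substituted.

    combine is the operator joining the name test and the enabled-account
    test; the thread's template nests them inside (&(objectClass=user) ...).
    """
    return ("(&(objectClass=user)(%s(sAMAccountName=%s)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))))"
            % (combine, ldap_escape(sam)))


def entry_matches(entry, sam, combine="&"):
    """Evaluate that filter against one entry (AD string matching is case-insensitive)."""
    is_user = entry["objectClass"].lower() == "user"
    name_ok = entry["sAMAccountName"].lower() == sam.lower()
    enabled = not (entry["userAccountControl"] & ACCOUNTDISABLE)
    inner = (name_ok and enabled) if combine == "&" else (name_ok or enabled)
    return is_user and inner


def search(principal, combine="&", entries=SAMPLE_ENTRIES):
    """Map the Kerberos principal and return the sAMAccountNames the filter selects."""
    sam = map_principal(principal)
    if sam is None:
        return []  # foreign realm: nothing is substituted, nothing is searched
    return [e["sAMAccountName"] for e in entries if entry_matches(e, sam, combine)]


if __name__ == "__main__":
    for combine in ("&", "|"):
        print(build_filter("amorris", combine))
        print("  matches:", search("amorris@INTERNAL.DOMAIN.AC.UK", combine))
    # A disabled account is excluded only when the two tests are AND-ed.
    print("disabled:", search("leaver@INTERNAL.DOMAIN.AC.UK"))
```

With `|` the enabled-account test matches every enabled user in the base, so the connector gets many entries back and a disabled account still matches on its name; with `&` only the one enabled account for the mapped principal is returned.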
