Mapping kerberos principal to ldap connector
Morris, Andi
amorris at cardiffmet.ac.uk
Tue Nov 25 08:32:11 EST 2014
Interesting. It seems to be working as it is. Where would you put the extra | ?
-----Original Message-----
From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
Sent: 25 November 2014 13:05
To: users at shibboleth.net
Subject: Re: Mapping kerberos principal to ldap connector
On 11/25/2014 3:23 AM, Morris, Andi wrote:
> Thanks Douglas,
> I think I've resolved this now by using the below. I've also put in the check for a disabled account that you mentioned in a previous thread.
>
> <dc:FilterTemplate>
> <![CDATA[
>
> (&(objectClass=user)(|(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
                      ^^                                                                                             ^
Looks like an extra "(| ... )" in the filter that would allow any active user account to work.
> ]]>
> </dc:FilterTemplate>
> <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>
> That seems to be pulling AD attributes now.
>
> Cheers,
> Andi
>
> -----Original Message-----
> From: users-bounces at shibboleth.net
> [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
> Sent: 24 November 2014 18:14
> To: users at shibboleth.net
> Subject: Re: Mapping kerberos principal to ldap connector
>
>
>
> On 11/24/2014 9:24 AM, Morris, Andi wrote:
>> Hi all,
>>
>> Kerberos authentication is now working well, and transparently through RemoteUser.
>>
>> However I've now come to try to map some attributes to send and I'm
>> using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within attribute-resolver.xml.
>>
>> Modifying this for my own environment I have:
>>
>> ----------------------------------------------------------------------
>>
>> <resolver:AttributeDefinition id="principalName"
>>                               xsi:type="ad:PrincipalName"
>>                               dependencyOnly="true">
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition id="krb_principalname"
>>                               xsi:type="ad:Mapped"
>>                               sourceAttributeID="principalName"
>>                               dependencyOnly="true">
>>     <resolver:Dependency ref="principalName" />
>>     <ad:ValueMap>
>>         <ad:ReturnValue>$1</ad:ReturnValue>
>>         <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>>     </ad:ValueMap>
>> </resolver:AttributeDefinition>
>>
>> <resolver:AttributeDefinition id="krb_domain"
>>                               xsi:type="ad:Mapped"
>>                               sourceAttributeID="principalName"
>>                               dependencyOnly="true">
>>     <resolver:Dependency ref="principalName" />
>>     <ad:ValueMap>
>>         <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
>>         <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>>     </ad:ValueMap>
>> </resolver:AttributeDefinition>
>>
>> <resolver:DataConnector id="myLDAP"
>>                         xsi:type="dc:LDAPDirectory"
>>                         ldapURL="ldap://ldap.internal.domain.ac.uk"
>>                         baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
>>                         principal="shib@internal.domain.ac.uk"
>>                         principalCredential="password">
>>     <resolver:Dependency ref="krb_principalname" />
>>     <resolver:Dependency ref="krb_domain" />
>>     <dc:FilterTemplate>
>>         <!--
>>         (mail=$requestContext.principalName) - matches UsernamePassword Principal
>>         &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
>>         -->
>>         <![CDATA[
>>         (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
>>         ]]>
>>     </dc:FilterTemplate>
>>     <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>> </resolver:DataConnector>
>
> Wow, that is a weird example they have, expecting the msSFU30NisDomain to match the krb_realm.
>
> If AD is acting as the KDC, then the Kerberos realm name is the uppercase of the AD domain name.
> (Kerberos protocols and applications are case sensitive, AD is not, so this can cause confusion too.) In general you can search for <sAMAccountName>@<AD-DOMAIN-NAME>.
> userPrincipalName at one time could be used, but AD overloaded it for smart card/certificate use as subjectAltName:msUPN.
>
> It might work in your environment, if the AD admins have populated msSFU30NisDomain, and have turned on SFU.
>
> Also in general, there is no guarantee that the mail attribute will match the kerberos principal name.
>
> One way to see what gets returned is use the Unix ldapsearch command to see what LDAP returns.
>
> A lot of the msDS attributes are not returned by AD by default. Not sure if msSFU30NisDomain is.
> Best bet is to list the attributes you want returned, something like:
> <dc:ReturnAttributes>
> sAMAccountName sn givenName displayName mail cn entryDN userPrincipalName
> </dc:ReturnAttributes>
>
>>
>> ----------------------------------------------------------------------
>>
>> Debug output shows:
>>
>> ----------------------------------------------------------------------
>>
>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username@INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username@INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
>> 15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [username]
>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_DOMAIN: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username@INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
>> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
>> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
>> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values
>
>
> Looks like SAMAccountName was not returned... See above.
>
>>
>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
>> 15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_DOMAIN from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username@INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username@INTERNAL.DOMAIN.AC.UK. The following attributes remain: [transientId]
>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
>>
>> ----------------------------------------------------------------------
>>
>> I can see that the krb_principalname and krb_domain get mapped to the
>> correct parts of the principal, but I'm having trouble then passing that to the LDAP connector. I think it's something up with the search filter.
>>
>> Can anybody please point me in the right direction here:
>>
>> Cheers,
>>
>> Andi
>>
>>
>>
>
--
Douglas E. Engert <DEEngert at gmail.com>
--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
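The filter problem Douglas points out above, worked through as an added example (this code is not from the thread and not from the Shibboleth project): a small RFC 4515 filter evaluator runs the posted "(| ...)" filter and the corrected all-AND filter against a constructed in-memory directory. The directory entries, the helper names (search, posted_filter, corrected_filter, ldap_escape) and the realm value are assumptions made for illustration; the bitwise-AND matching rule OID and the userAccountControl bit 2 are the ones used in the thread's filter.

```python
"""Added example, not code from this thread or from the Shibboleth project.
Parses the two AD search filters discussed above with a small RFC 4515
evaluator and runs them over a constructed directory, to show why the
"(| ...)" variant matches every enabled user rather than only the principal."""
import re

BIT_AND_RULE = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND, the rule used in the thread's filter
REALM = "INTERNAL.DOMAIN.AC.UK"           # realm from the thread's ValueMap (assumed example value)

# Constructed sample directory: three user objects (one disabled) and a computer object.
DIRECTORY = [
    {"sAMAccountName": "alice", "objectClass": ["top", "person", "user"], "userAccountControl": "512"},
    {"sAMAccountName": "bob",   "objectClass": ["top", "person", "user"], "userAccountControl": "512"},
    {"sAMAccountName": "carol", "objectClass": ["top", "person", "user"], "userAccountControl": "514"},  # 512|2: disabled
    {"sAMAccountName": "ws01$", "objectClass": ["top", "computer"],       "userAccountControl": "4096"},
]

def principal_to_sam(principal, realm=REALM):
    """Same mapping as the ad:Mapped ValueMap in the thread: (.+)@REALM -> $1, else None."""
    m = re.fullmatch(r"(.+)@" + re.escape(realm), principal)
    return m.group(1) if m else None

def ldap_escape(value):
    """RFC 4515 escaping for a value that gets interpolated into a filter template."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: &, |, !, equality and the AD bitwise-AND rule."""
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def _parse(s, i):
    if s[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
    elif s[i] == "!":
        kid, i = _parse(s, i + 1)
        op, kids = "!", [kid]
    else:
        j = s.index(")", i)  # a ')' inside a value must be escaped, so this is the item's end
        lhs, _, value = s[i:j].partition("=")
        if lhs.endswith(":%s:" % BIT_AND_RULE):
            return ("bitand", lhs[:-(len(BIT_AND_RULE) + 2)], int(value)), j + 1
        return ("eq", lhs, _unescape(value)), j + 1
    if s[i] != ")":
        raise ValueError("expected ')' at %d" % i)
    return (op, kids), i + 1

def _values(entry, attr):
    """AD attribute names are case-insensitive; always return a list of strings."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []

def evaluate(node, entry):
    op = node[0]
    if op == "&":
        return all(evaluate(k, entry) for k in node[1])
    if op == "|":
        return any(evaluate(k, entry) for k in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    if op == "bitand":  # true when every bit of the mask is set in the attribute value
        return any((int(v) & node[2]) == node[2] for v in _values(entry, node[1]))
    return any(v.lower() == node[2].lower() for v in _values(entry, node[1]))  # AD string match ignores case

def search(filter_text, directory=DIRECTORY):
    """Return the sAMAccountNames of the entries the filter matches, in directory order."""
    node = parse_filter(filter_text)
    return [e["sAMAccountName"] for e in directory if evaluate(node, e)]

def _sam(principal):
    sam = principal_to_sam(principal)
    if sam is None:
        raise ValueError("principal is not in realm %s" % REALM)
    return ldap_escape(sam)

def posted_filter(principal):
    """The filter as posted in the thread: user AND (this name OR not disabled)."""
    return "(&(objectClass=user)(|(sAMAccountName=%s)(!(userAccountControl:%s:=2))))" % (_sam(principal), BIT_AND_RULE)

def corrected_filter(principal):
    """Corrected filter: user AND this name AND not disabled."""
    return "(&(objectClass=user)(sAMAccountName=%s)(!(userAccountControl:%s:=2)))" % (_sam(principal), BIT_AND_RULE)

if __name__ == "__main__":
    for p in ("alice@" + REALM, "carol@" + REALM):
        print(p, "posted ->", search(posted_filter(p)), "corrected ->", search(corrected_filter(p)))
```

With the posted filter, every enabled user object satisfies the OR branch, so the connector's result is no longer tied to the authenticated principal, and for the named account the disabled check is bypassed (carol, who is disabled, still matches by name). The corrected filter requires all three conditions and returns exactly one entry or none. The ldap_escape helper is the RFC 4515 escaping a value should receive before it is substituted into a FilterTemplate; the Kerberos principal in this thread is authenticated, but the same template mechanism is also used with less trusted inputs such as a typed username.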