Mapping kerberos principal to ldap connector

Douglas E Engert deengert at gmail.com
Tue Nov 25 09:36:27 EST 2014



On 11/25/2014 7:32 AM, Morris, Andi wrote:
> Interesting. It seems to be working as it is. Where would you put the extra | ?

Take out the extra "(|" and the ")" at the end.

What you have is: if (objectClass==user && (sAMAccountName==user || !disabled)) then allow,
which allows any active account or a disabled account for user to pass.


(&(objectClass=user)(|(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2))))

Try this:

(&(objectClass=user)(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2)))



>
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
> Sent: 25 November 2014 13:05
> To: users at shibboleth.net
> Subject: Re: Mapping kerberos principal to ldap connector
>
>
>
> On 11/25/2014 3:23 AM, Morris, Andi wrote:
>> Thanks Douglas,
>> I think I've resolved this now by using the below. I've also put in the check for a disabled account that you mentioned in a previous thread.
>>
>> <dc:FilterTemplate>
>>               <![CDATA[
>>
>> (&(objectClass=user)(|(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
>                      ^^                                                                                              ^
>
> Looks like an extra "(| ... )" in the filter that would allow any active user account to work.
>
>
>>                   ]]>
>>           </dc:FilterTemplate>
>>           <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>>
>> That seems to be pulling AD attributes now.
>>
>> Cheers,
>> Andi
>>
>> -----Original Message-----
>> From: users-bounces at shibboleth.net
>> [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
>> Sent: 24 November 2014 18:14
>> To: users at shibboleth.net
>> Subject: Re: Mapping kerberos principal to ldap connector
>>
>>
>>
>> On 11/24/2014 9:24 AM, Morris, Andi wrote:
>>> Hi all,
>>>
>>> Kerberos authentication is now working well, and transparently through RemoteUser.
>>>
>>> However I've now come to try to map some attributes to send and I'm using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within attribute-resolver.xml.
>>>
>>> Modifying this for my own environment I have:
>>>
>>> ------------------------------------------------------------------------------------------------------------------------
>>>
>>>        <resolver:AttributeDefinition id="principalName"
>>>                                      xsi:type="ad:PrincipalName"
>>>                                      dependencyOnly="true">
>>>        </resolver:AttributeDefinition>
>>>
>>>        <resolver:AttributeDefinition id="krb_principalname"
>>>                                     xsi:type="ad:Mapped"
>>>                                     sourceAttributeID="principalName"
>>>                                     dependencyOnly="true" >
>>>         <resolver:Dependency ref="principalName" />
>>>         <ad:ValueMap>
>>>             <ad:ReturnValue>$1</ad:ReturnValue>
>>>             <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>>>         </ad:ValueMap>
>>>        </resolver:AttributeDefinition>
>>>
>>>        <resolver:AttributeDefinition id="krb_domain"
>>>                                     xsi:type="ad:Mapped"
>>>                                     sourceAttributeID="principalName"
>>>                                     dependencyOnly="true" >
>>>         <resolver:Dependency ref="principalName" />
>>>         <ad:ValueMap>
>>>             <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
>>>             <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
>>>         </ad:ValueMap>
>>>        </resolver:AttributeDefinition>
>>>
>>>        <resolver:DataConnector id="myLDAP"
>>>            xsi:type="dc:LDAPDirectory"
>>>            ldapURL="ldap://ldap.internal.domain.ac.uk"
>>>            baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
>>>            principal="shib at internal.domain.ac.uk"
>>>            principalCredential="password">
>>>          <resolver:Dependency ref="krb_principalname" />
>>>          <resolver:Dependency ref="krb_domain" />
>>>            <dc:FilterTemplate>
>>> <!--
>>> (mail=$requestContext.principalName) - matches UsernamePassword Principal
>>> &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
>>> -->
>>>                <![CDATA[
>>> (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
>>>                    ]]>
>>>            </dc:FilterTemplate>
>>>            <dc:LDAPProperty name="java.naming.referral" value="follow"/>
>>>        </resolver:DataConnector>
>>
>> Wow, that is a weird example they have, expecting the msSFU30NisDomain to match the krb_realm.
>>
>> If AD is acting as the KDC, then the Kerberos realm name is the uppercase of the AD domain name.
>> (Kerberos protocols and applications are case sensitive, AD is not, so this can cause confusion too.) In general you can search for <sAMAccountName>@<AD-DOMAIN-NAME>.
>> (userPrincipalName at one time could be used, but AD overloaded it for smart card/certificate use as subjectAltName:msUPN.)
>>
>> It might work in your environment, if the AD admins have populated msSFU30NisDomain, and have turned on SFU.
>>
>> Also in general, there is no guarantee that the mail attribute will match the kerberos principal name.
>>
>> One way to see what gets returned is to use the Unix ldapsearch command to see what LDAP returns.
>>
>> A lot of the msDS attributes are not returned by AD by default. Not sure if msSFU30NisDomain is.
>> Best bet is to list the attributes you want returned, something like:
>>         <dc:ReturnAttributes>
>>             sAMAccountName sn givenName displayName mail cn entryDN userPrincipalName
>>         </dc:ReturnAttributes>
>>
>>>
>>> ------------------------------------------------------------------------------------------------------------------------
>>>
>>> Debug output shows:
>>>
>>> ------------------------------------------------------------------------------------------------------------------------
>>>
>>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username at INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
>>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username at INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
>>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username at INTERNAL.DOMAIN.AC.UK'
>>> 15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
>>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username at INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
>>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username at INTERNAL.DOMAIN.AC.UK to the values [username]
>>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username at INTERNAL.DOMAIN.AC.UK'
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username at INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_DOMAIN: mapped depdenency attribute value username at INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
>>> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>>> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username at INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
>>> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
>>> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
>>> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>>> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values
>>
>>
>> Looks like SAMAccountName was not returned... See above.
>>
>>>
>>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
>>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
>>> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>>> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
>>> 15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
>>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_DOMAIN containing 1 values
>>> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.  It contains no values.
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
>>> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_DOMAIN from resolution result for principal username at INTERNAL.DOMAIN.AC.UK.
>>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username at INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
>>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username at INTERNAL.DOMAIN.AC.UK
>>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
>>> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username at INTERNAL.DOMAIN.AC.UK.  The following attributes remain: [transientId]
>>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
>>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
>>> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
>>>
>>> ------------------------------------------------------------------------------------------------------------------------
>>>
>>> I can see that the krb_principalname and krb_domain get mapped to the correct parts of the principal, but I'm having trouble then passing that to the LDAP connector. I think it's something up with the search filter.
>>>
>>> Can anybody please point me in the right direction here?
>>>
>>> Cheers,
>>>
>>> Andi
>>>
>>>
>>>
>>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>


