Mapping kerberos principal to ldap connector
John Hascall
john at iastate.edu
Tue Nov 25 08:59:00 EST 2014
No, I think he means there needs to be one less.
This:
(sAMAccountName=${krb_principalname.get(0)})
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
instead of this:
(|(sAMAccountName=${krb_principalname.get(0)})
(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
John
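To make the difference concrete, here is an added example (it is not from this thread and not Shibboleth code): a small Python evaluator for the two filter templates above, run against a constructed set of sample AD entries. It implements just enough of the RFC 4515 filter grammar to handle &, |, !, equality and the bitwise-AND matching rule 1.2.840.113556.1.4.803 used for the userAccountControl check. The entries, the function names and the escape_filter_value helper are all assumptions made for the example. The posted (|...) template matches every enabled user in the base, and also matches a disabled account as soon as its name is supplied; the corrected (&...) template matches only the named account, and only while it is enabled.

```python
"""Added example, not code from the thread or from Shibboleth: a tiny LDAP
filter evaluator comparing the two search filters against sample AD entries."""
import re

# Matching rule LDAP_MATCHING_RULE_BIT_AND; bit 0x2 of userAccountControl is ADS_UF_ACCOUNTDISABLE.
BIT_AND_RULE = "1.2.840.113556.1.4.803"

# Filter templates as posted in the thread. ${krb_principalname.get(0)} is the
# placeholder the IdP fills from the mapped Kerberos principal.
PLACEHOLDER = "${krb_principalname.get(0)}"
FILTER_WRONG = ("(&(objectClass=user)(|(sAMAccountName=" + PLACEHOLDER + ")"
                "(!(userAccountControl:" + BIT_AND_RULE + ":=2))))")
FILTER_RIGHT = ("(&(objectClass=user)(sAMAccountName=" + PLACEHOLDER + ")"
                "(!(userAccountControl:" + BIT_AND_RULE + ":=2)))")

# Constructed sample entries (an assumption for this example, not real accounts).
# AD returns userAccountControl as a decimal string: 512 = normal, 514 = normal + disabled.
ENTRIES = [
    {"sAMAccountName": "username", "objectClass": ["top", "person", "user"], "userAccountControl": "512"},
    {"sAMAccountName": "someoneelse", "objectClass": ["top", "person", "user"], "userAccountControl": "512"},
    {"sAMAccountName": "olduser", "objectClass": ["top", "person", "user"], "userAccountControl": "514"},
    {"sAMAccountName": "PRINTER01$", "objectClass": ["top", "computer"], "userAccountControl": "4096"},
]

def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a filter, so that a
    principal containing '*', '(', ')' or '\\' cannot change the filter's shape."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def unescape_filter_value(value):
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)

def render(template, principal):
    """Substitute the placeholder as the IdP's template step would, escaped."""
    return template.replace(PLACEHOLDER, escape_filter_value(principal))

def parse(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise ValueError("trailing text after filter: %r" % text[pos:])
    return node

def _parse(s, i):
    """Recursive descent over the subset of RFC 4515 used here:
    (&...), (|...), (!...), (attr=value) and (attr:rule:=value)."""
    if s[i] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unbalanced (%s ...) at offset %d" % (op, i))
        return (op, kids), i + 1
    if s[i] == "!":
        kid, i = _parse(s, i + 1)
        if s[i] != ")":
            raise ValueError("unbalanced (! ...) at offset %d" % i)
        return ("!", [kid]), i + 1
    j = s.index(")", i)  # a literal ')' inside a value must arrive escaped as \29
    item = s[i:j]
    if ":=" in item:
        lhs, value = item.split(":=", 1)
        attr, rule = lhs.split(":", 1)
        return ("ext", attr, rule, value), j + 1
    attr, value = item.split("=", 1)
    return ("eq", attr, value), j + 1

def _values(entry, attr):
    """Attribute lookup; attribute names are case-insensitive, as in AD."""
    for name, val in entry.items():
        if name.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []

def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    if kind == "eq":
        want = unescape_filter_value(node[2]).lower()
        return any(v.lower() == want for v in _values(entry, node[1]))
    if kind == "ext" and node[2] == BIT_AND_RULE:
        mask = int(node[3])  # true when every bit of the mask is set in the value
        return any((int(v) & mask) == mask for v in _values(entry, node[1]))
    raise NotImplementedError("unsupported filter item %r" % (node,))

def search(filter_text, entries=ENTRIES):
    """Return the sAMAccountName of every entry the filter matches, in order."""
    node = parse(filter_text)
    return [e["sAMAccountName"] for e in entries if matches(node, e)]
```

search(render(FILTER_RIGHT, "username")) returns ['username'], while search(render(FILTER_WRONG, "username")) returns every enabled user in the sample base; the disabled olduser is returned by the posted template as soon as its own name is supplied, and never by the corrected one. The escape step is ordinary RFC 4515 hygiene for any value pasted into a filter template, included as the example's own precaution and not as a description of what the IdP's template engine does by itself.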
On Tue, Nov 25, 2014 at 7:32 AM, Morris, Andi <amorris at cardiffmet.ac.uk> wrote:
> Interesting. It seems to be working as it is. Where would you put the
> extra | ?
>
> -----Original Message-----
> From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
> On Behalf Of Douglas E Engert
> Sent: 25 November 2014 13:05
> To: users at shibboleth.net
> Subject: Re: Mapping kerberos principal to ldap connector
>
>
>
> On 11/25/2014 3:23 AM, Morris, Andi wrote:
> > > Thanks Douglas,
> > > I think I've resolved this now by using the below. I've also put in the check for a disabled account that you mentioned in a previous thread.
> >
> > <dc:FilterTemplate>
> > <![CDATA[
> >
> > (&(objectClass=user)(|(sAMAccountName=${krb_principalname.get(0)})(!(userAccountControl:1.2.840.113556.1.4.803:=2))))
>                       ^^
>
> Looks like an extra "(| ... )" in the filter that would allow any active user account to work.
>
>
> > ]]>
> > </dc:FilterTemplate>
> > <dc:LDAPProperty name="java.naming.referral" value="follow"/>
> >
> > That seems to be pulling AD attributes now.
> >
> > Cheers,
> > Andi
> >
> > -----Original Message-----
> > From: users-bounces at shibboleth.net
> > [mailto:users-bounces at shibboleth.net] On Behalf Of Douglas E Engert
> > Sent: 24 November 2014 18:14
> > To: users at shibboleth.net
> > Subject: Re: Mapping kerberos principal to ldap connector
> >
> >
> >
> > On 11/24/2014 9:24 AM, Morris, Andi wrote:
> >> Hi all,
> >>
> >> Kerberos authentication is now working well, and transparently through RemoteUser.
> >>
> >> However I've now come to try to map some attributes to send and I'm using https://wiki.shibboleth.net/confluence/display/SHIB2/Kerberos+Login+Handler+-+Attribute+resolver to do this within attribute-resolver.xml.
> >>
> >> Modifying this for my own environment I have:
> >>
> >> -----------------------------------------------------------------------------------------------------------------
> >>
> >> <resolver:AttributeDefinition id="principalName"
> >>                               xsi:type="ad:PrincipalName"
> >>                               dependencyOnly="true">
> >> </resolver:AttributeDefinition>
> >>
> >> <resolver:AttributeDefinition id="krb_principalname"
> >>                               xsi:type="ad:Mapped"
> >>                               sourceAttributeID="principalName"
> >>                               dependencyOnly="true">
> >>     <resolver:Dependency ref="principalName" />
> >>     <ad:ValueMap>
> >>         <ad:ReturnValue>$1</ad:ReturnValue>
> >>         <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
> >>     </ad:ValueMap>
> >> </resolver:AttributeDefinition>
> >>
> >> <resolver:AttributeDefinition id="krb_domain"
> >>                               xsi:type="ad:Mapped"
> >>                               sourceAttributeID="principalName"
> >>                               dependencyOnly="true">
> >>     <resolver:Dependency ref="principalName" />
> >>     <ad:ValueMap>
> >>         <ad:ReturnValue>internal.uwic.ac.uk</ad:ReturnValue>
> >>         <ad:SourceValue>(.+)@INTERNAL.DOMAIN.AC.UK</ad:SourceValue>
> >>     </ad:ValueMap>
> >> </resolver:AttributeDefinition>
> >>
> >> <resolver:DataConnector id="myLDAP"
> >>                         xsi:type="dc:LDAPDirectory"
> >>                         ldapURL="ldap://ldap.internal.domain.ac.uk"
> >>                         baseDN="ou=User Accounts,dc=internal,dc=domain,dc=ac,dc=uk"
> >>                         principal="shib@internal.domain.ac.uk"
> >>                         principalCredential="password">
> >>     <resolver:Dependency ref="krb_principalname" />
> >>     <resolver:Dependency ref="krb_domain" />
> >>     <dc:FilterTemplate>
> >>         <!--
> >>         (mail=$requestContext.principalName) - matches UsernamePassword Principal
> >>         &(samaccountname=${})(msSFU30NisDomain=${}) - matches Kerberos Principal
> >>         -->
> >>         <![CDATA[
> >>         (&(|(mail=$requestContext.principalName)(&(samaccountname=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectclass=user))
> >>         ]]>
> >>     </dc:FilterTemplate>
> >>     <dc:LDAPProperty name="java.naming.referral" value="follow"/>
> >> </resolver:DataConnector>
> >
> > Wow, that is a weird example they have, expecting the msSFU30NisDomain to match the krb_realm.
> >
> > If AD is acting as the KDC, then the Kerberos realm name is the uppercase of the AD domain name.
> > (Kerberos protocols and applications are case sensitive, AD is not, so this can cause confusion too.) In general you can search for <sAMAccountName>@<AD-DOMAIN-NAME>.
> > userPrincipalName at one time could be used, but AD overloaded it, for smart card/certificate use as subjectAltName:msUPN.
> >
> > It might work in your environment, if the AD admins have populated msSFU30NisDomain, and have turned on SFU.
> >
> > Also in general, there is no guarantee that the mail attribute will match the kerberos principal name.
> >
> > One way to see what gets returned is to use the Unix ldapsearch command to see what LDAP returns.
> >
> > A lot of the msDS attributes are not returned by AD by default. Not sure if msSFU30NisDomain is.
> > Best bet is to list the attributes you want returned, something like:
> > <dc:ReturnAttributes>
> > sAMAccountName sn givenName displayName mail cn entryDN userPrincipalName
> > </dc:ReturnAttributes>
> >
> >>
> >> -----------------------------------------------------------------------------------------------------------------
> >>
> >> Debug output shows:
> >>
> >> -----------------------------------------------------------------------------------------------------------------
> >>
> >> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:478] - Resolving attributes for principal 'username@INTERNAL.DOMAIN.AC.UK' for SAML request from relying party 'https://sp.testshib.org/shibboleth-sp'
> >> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal username@INTERNAL.DOMAIN.AC.UK were not requested, resolving all attributes.
> >> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.103 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_principalname for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute principalName for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_principalname: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.104 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
> >> 15:05:25.105 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> >> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'username'
> >> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_principalname: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [username]
> >> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> >> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute krb_domain for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.106 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:97] - Attribute Definition krb_domain: mapping depdenency attribute value username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:84] - Attempting to map attribute value 'username@INTERNAL.DOMAIN.AC.UK'
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:99] - Performing regular expression based comparison
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:105] - Attribute value 'username@INTERNAL.DOMAIN.AC.UK' matches regular expression it will be mapped to 'internal.DOMAIN.ac.uk'
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.MappedAttributeDefinition:119] - Attribute Definition krb_domain: mapped depdenency attribute value username@INTERNAL.DOMAIN.AC.UK to the values [internal.DOMAIN.ac.uk]
> >> 15:05:25.107 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_domain containing 1 values
> >> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (&(|(mail=username@INTERNAL.DOMAIN.AC.UK)(&(samaccountname=username)(msSFU30Nisdomain=internal.domain.ac.uk)))(objectclass=user))
> >> 15:05:25.109 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
> >> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonScopedAffiliation containing 0 values
> >> 15:05:30.118 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:97] - Building transient ID for request _75254f2685bd3e67f7856ebaf4b93743; outbound message issuer: https://idp.dev.cardiffmet.ac.uk/idp/shibboleth, inbound message issuer: https://sp.testshib.org/shibboleth-sp, principal identifer: username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.TransientIdAttributeDefinition:115] - Created transient ID _5f54a61906da93f401e5905676bf8874 for request _75254f2685bd3e67f7856ebaf4b93743
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute transientId containing 1 values
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector computedID for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.119 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> >> 15:05:30.120 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_domain containing 1 values
> >> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:121] - Source attribute sAMAccountName for connector computedID provide no values
> >
> >
> > Looks like SAMAccountName was not returned... See above.
> >
> >>
> >> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonTargetedID containing 0 values
> >> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.121 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> >> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_principalname containing 1 values
> >> 15:05:30.122 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_domain containing 1 values
> >> 15:05:30.126 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute eduPersonPrincipalName containing 0 values
> >> 15:05:30.127 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute principalName containing 1 values
> >> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute krb_domain containing 1 values
> >> 15:05:30.129 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonScopedAffiliation from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:473] - Attribute transientId has 1 values after post-processing
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonTargetedID from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_principalname from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:455] - Removing attribute eduPersonPrincipalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK. It contains no values.
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute principalName from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> >> 15:05:30.130 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:447] - Removing dependency-only attribute krb_domain from resolution result for principal username@INTERNAL.DOMAIN.AC.UK.
> >> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:137] - shibboleth.AttributeResolver resolved, for principal username@INTERNAL.DOMAIN.AC.UK, the attributes: [transientId]
> >> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:71] - shibboleth.AttributeFilterEngine filtering 1 attributes for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.131 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.132 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseTransientIdToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute transientId for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:130] - Evaluating if filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.135 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:139] - Filter policy releaseBasicAttributesToAnyone is active for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonScopedAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonAffiliation for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:163] - Processing permit value rule for attribute eduPersonTargetedID for principal username@INTERNAL.DOMAIN.AC.UK
> >> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:109] - Attribute transientId has 1 values after filtering
> >> 15:05:30.138 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:114] - Filtered attributes for principal username@INTERNAL.DOMAIN.AC.UK. The following attributes remain: [transientId]
> >> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.idp.profile.saml2.AbstractSAML2ProfileHandler:505] - Creating attribute statement in response to SAML request '_75254f2685bd3e67f7856ebaf4b93743' from relying party 'https://sp.testshib.org/shibboleth-sp'
> >> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:263] - Attribute transientId was not encoded (filtered by query, or no SAML2AttributeEncoder attached).
> >> 15:05:30.139 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.provider.ShibbolethSAML2AttributeAuthority:129] - No attributes remained after encoding and filtering by value, no attribute statement built
> >>
> >> -----------------------------------------------------------------------------------------------------------------
> >>
> >> I can see that the krb_principalname and krb_domain get mapped to the correct parts of the principal, but I'm having trouble then passing that to the LDAP connector. I think it's something up with the search filter.
> >>
> >> Can anybody please point me in the right direction here?
> >>
> >> Cheers,
> >>
> >> Andi
> >>
> >>
> >>
> >
>
> --
>
> Douglas E. Engert <DEEngert at gmail.com>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>