Two dataconnectors (openldap and AD)

Douglas E Engert deengert at gmail.com
Thu May 14 18:21:46 EDT 2015



On 5/13/2015 4:55 PM, Vignesh, Vanna G. wrote:
> I have an openldap data connector which works fine.  I am trying to write another dc for active directory just to pull the groups from AD of the authenticated users. Openldap is used for authentication
>
> First ,
>
> I am getting CommunicationException error.  Error connecting to LDAP URL: ldap://xyz.abc.edu    javax.naming.CommunicationException: xyz.abc. edu:389. I also see javax.naming.PartialResultException:
> Unprocessed Continuation Reference. Here is my dc. Should I use dependency as openldap?
>
>    <resolver:DataConnector id="mytestAD" xsi:type="LDAPDirectory"
>          xmlns="urn:mace:shibboleth:2.0:resolver:dc"
>          ldapURL=" ldap://xyz.abc.edu "
>          baseDN="dc=***,dc=local"
>          principal="CN=***,OU=***,OU=***,DC=***,DC=local"
>          principalCredential="****">
>          <FilterTemplate>
>              <![CDATA[
>                  (sAMAccountName=$requestContext.principalName)
>              ]]>
>          </FilterTemplate>
>          <ReturnAttributes>*</ReturnAttributes>
>      </resolver:DataConnector>

With AD, the dc=***,dc=local in the above does not look correct.
If the AD domain is xyz.abc.edu the DN of the BaseDN and principal should end in DC=xyz,DC=abc,DC=edu

In AD the principal for simple LDAP authentication can take other forms too. See:
   https://msdn.microsoft.com/en-us/library/cc223499.aspx

AD has hundreds of attributes for each user. You may want to request only the ones you need in ReturnAttributes.
for example:
<ReturnAttributes>
sAMAccountName sn givenName displayName mail cn entryDN title userPrincipalName company
</ReturnAttributes>

Two LDAP DataConnectors returning an attribute using the same name may end up combining the values returned into one BasicAttribute.
for example "cn" of a user from the "mytestAD" and cn of a group name from some other ldap dataconnector.

If your DC is a member of a forest, there are other issues too.

>
> Second,
>
> Where else should I define the samAccountName? The principal name of openldap is uid and principal name of AD is samaccountname. How would I tie it together to return all the group names of the user
> from AD?

See:
https://msdn.microsoft.com/en-us/library/ms677943(v=vs.85).aspx

One way is to search for groups or a subset of groups that contain the user's DN, obtained from a previous search for the user.

   (&(objectclass=group)(member=$entryDN.get(0)))

AD has a lot of groups too, you may want to refine the search.


>
> Third,
>
> To return the groups of the authenticated user from another dataconnector AD , should I use the following attribute definition? i.e. passing MemberOf to isMemberOf
>
> <resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
>          sourceAttributeID="MemberOf">
>          <resolver:Dependency ref="mytestAD" />
>          <resolver:AttributeEncoder xsi:type="SAML2String" xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
>              name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
>       </resolver:AttributeDefinition>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>
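An added example (not from the original post or the Shibboleth project) of the two-stage lookup the reply describes, in the same IdP v2 resolver syntax as the quoted config: a user search with a base DN built from the AD domain and trimmed ReturnAttributes, a second AD connector that depends on it and runs the group filter, and an isMemberOf definition that reads the group cn from that connector only. The host, DNs, service-account principal, OU=Groups base and the distinguishedName attribute name are assumptions; it also assumes the authenticated principal name matches the AD sAMAccountName and that the resolver and xsi prefixes are declared in the enclosing attribute-resolver.xml.

```xml
<!-- Added example (not from the original post): two-stage AD lookup in
     IdP v2 resolver syntax. Host, DNs and credentials are placeholders;
     the authenticated principal name is assumed to equal the AD sAMAccountName. -->

<!-- Stage 1: find the user. BaseDN and principal end in the AD domain's DN
     components; ReturnAttributes lists only what later steps need. -->
<resolver:DataConnector id="mytestAD" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://xyz.abc.edu"
        baseDN="DC=xyz,DC=abc,DC=edu"
        principal="CN=shib-svc,OU=Service Accounts,DC=xyz,DC=abc,DC=edu"
        principalCredential="PLACEHOLDER">
    <FilterTemplate>
        <![CDATA[ (sAMAccountName=$requestContext.principalName) ]]>
    </FilterTemplate>
    <ReturnAttributes>sAMAccountName distinguishedName mail</ReturnAttributes>
</resolver:DataConnector>

<!-- Stage 2: groups whose member attribute holds the user's DN from stage 1.
     $distinguishedName is the attribute of that name returned by the dependency;
     distinguishedName is assumed to be the AD attribute carrying the DN. -->
<resolver:DataConnector id="adGroups" xsi:type="LDAPDirectory"
        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
        ldapURL="ldap://xyz.abc.edu"
        baseDN="OU=Groups,DC=xyz,DC=abc,DC=edu"
        principal="CN=shib-svc,OU=Service Accounts,DC=xyz,DC=abc,DC=edu"
        principalCredential="PLACEHOLDER">
    <resolver:Dependency ref="mytestAD" />
    <FilterTemplate>
        <![CDATA[ (&(objectClass=group)(member=$distinguishedName.get(0))) ]]>
    </FilterTemplate>
    <ReturnAttributes>cn</ReturnAttributes>
</resolver:DataConnector>

<!-- isMemberOf depends on adGroups only, so the group cn values are never
     merged with the user's own cn from mytestAD or the openldap connector. -->
<resolver:AttributeDefinition id="isMemberOf" xsi:type="Simple"
        xmlns="urn:mace:shibboleth:2.0:resolver:ad"
        sourceAttributeID="cn">
    <resolver:Dependency ref="adGroups" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```

Anything substituted into a filter is data, so a DN containing ( ) * or \ needs LDAP filter escaping before use; a narrow baseDN for the group search also keeps the result set small, as the reply suggests.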
