Get list of groups in which user has membership in shibboleth with openLDAP

Douglas E Engert deengert at gmail.com
Tue May 3 13:40:07 EDT 2016


member:1.2.840.113556.1.4.1941 is a Microsoft filter option; is the LDAP server AD?
I don't know if you can use that matching rule with non-AD LDAP servers.

https://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx

You may want to request the entryDN. To see why, see:
https://tools.ietf.org/html/rfc5020

In the main data connector I was requesting:
  <dc:ReturnAttributes>
   sAMAccountName sn givenName displayName mail cn entryDN
  </dc:ReturnAttributes>



Then in the data connector to get the groups the user is a member of:
(&(objectclass=group)(CN=XXXXX.*)(member=$entryDN.get(0)))

(The (CN=xxxxx.*) was to limit the groups returned to a specific set of groups.)

On 5/3/2016 10:35 AM, Chaitanya Kumar Ch wrote:
> Hi,
>
> I tried to get the list of groups of a user by following https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
>
> but I am getting an error in idp-process.log as distinguishedName always returns nothing.
>
> attribute-resolver.xml:
> <!-- get the user's DN from the main LDAP connector (myLDAP) for searching
>     the groups the user is in -->
> <resolver:AttributeDefinition id="distinguishedName"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="myLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> <!-- search for all groups the user is recursively in - and flatten the distinguishedName(s)
>     of all the groups into a single multivalued attribute -->
> <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
>     ldapURL="ldap://192.XXXXXXXX:389" baseDN="OU=Groups and Resources,DC=test,DC=com"
>     principal="CN=admin,DC=test,DC=com" principalCredential="XXXXXXX">
>     <resolver:Dependency ref="distinguishedName" />
>     <dc:FilterTemplate>
>         <![CDATA[
>             (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
>         ]]>
>     </dc:FilterTemplate>
>     <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
>     <dc:LDAPProperty name="java.naming.referral" value="follow" />
> </resolver:DataConnector>
>
> <!-- define the memberOf attribute based on the distinguishedName attribute
>     returned by the groupLDAP connector - names of all groups the user is in -->
> <resolver:AttributeDefinition id="memberOf"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="groupLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> Please help me.
>
> --
> Thank You,
> Chaitanya Kumar Ch,
> +91 9550837582
>
>

-- 

  Douglas E. Engert  <DEEngert at gmail.com>


