attribute-resolver-ldap.xml and attribute-resolver.xml

Shweta Kautia skautia at northcarolina.edu
Wed May 4 12:55:17 EDT 2016


Hello,

We are setting up 3.2.1 from scratch. We're moving up from V2, and I'm fairly new at this setup. Quick question(s): do attribute-resolver-ldap.xml and attribute-resolver.xml work in coexistence, or is only one of them to be used? If they do exist together, where does the "myLDAP" DC need to be defined, and where do the attribute definitions that depend on myLDAP go? Either or both? Is there anything special to be done with settings/files?
I've looked at the examples and at attribute-resolver-full.xml, and tried that too without success. The DC does not have any attributes when placed in resolver.xml. Can someone send an example of their setup with attribute-resolver-ldap.xml and resolver.xml, a link to documentation, or suggest otherwise?

With much appreciation, Thanks!


Detailed description:

We have a DataConnector "myLDAP" defined in attribute-resolver-ldap.xml. We also have an attribute-resolver.xml that uses attributes from -ldap.xml as a dependency/sourceAttribute. This seems to work only for 2 attributes though. For others, like sn, displayName, givenName etc., I have tried the following with either no results or breaking the attribute resolver itself.

  1.  Defined the attribute in attribute-resolver-ldap.xml, then defined the same in attribute-resolver.xml to use the previously defined one as a sourceAttributeID and/or dependency.
     *   If the IDs are the same in both files, the log says "Attribute Resolver 'ShibbolethAttributeResolver': Plugin 'displayName' and plugin 'displayName' have a circular dependecy on each other"
     *   If I change the ID in attribute-resolver-ldap.xml (dispName) and use it as a sourceAttributeID and/or dependency ref="dispName", the log says "Attribute Resolver 'ShibbolethAttributeResolver': Plugin 'displayName' has a dependency on plugin 'dispName' which doesn't exist"
  2.  Removed all attribute definitions and the DataConnector from attribute-resolver-ldap.xml, and tried to use attribute-resolver.xml exclusively with the DC "myLDAP", changing the dependencies to ref="myLDAP". This doesn't even pick up the previously working attributes like uid/eppn/mail.


File snippet: uid/eppn/mail work. However, sn, displayName etc., which need to be exactly as they are in LDAP and not manipulated, do not work.

<!-- in attribute-resolver-ldap.xml -->
    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mail" xsi:type="ad:Simple" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
    </resolver:AttributeDefinition>

    <!--  *********   displayName   ********** -->
    <resolver:AttributeDefinition id="displayName" xsi:type="ad:Simple" sourceAttributeID="displayName">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </resolver:AttributeDefinition>

<!-- in attribute-resolver.xml -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonPrincipalName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="uid" xsi:type="ad:PrincipalName">
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:uid" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="mail" xsi:type="ad:Template">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:mail" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.3" friendlyName="mail" encodeType="false" />
        <ad:Template>
          <![CDATA[
               ${uid}@%{idp.scope}
          ]]>
        </ad:Template>
        <ad:SourceAttribute>uid</ad:SourceAttribute>
    </resolver:AttributeDefinition>

    <!--  *********   displayName   ********** -->
    <resolver:AttributeDefinition id="displayName" xsi:type="ad:Simple" sourceAttributeID="displayName">
        <resolver:Dependency ref="displayName" />
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </resolver:AttributeDefinition>


Thanks,

Shweta Kautia
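Editorial note, added example (not the poster's configuration and not a reply from the list): the layout below shows one way to split a DataConnector and its attribute definitions across the two files named in this message. It assumes IdP 3.x behaviour, where every file listed in shibboleth.AttributeResolverResources in conf/services.xml is merged into a single resolver, so every plugin id must be unique across all of those files and a definition's Dependency must name some other plugin (the connector, or another definition), never itself. The connection settings are assumed to come from the idp.attribute.resolver.LDAP.* properties in conf/ldap.properties; the three fragments are separate files, shown together here for comparison.

```xml
<!-- conf/services.xml (excerpt): every resource listed here is loaded into ONE
     attribute resolver, so ids must be unique across all of these files. -->
<util:list id="shibboleth.AttributeResolverResources">
    <value>%{idp.home}/conf/attribute-resolver-ldap.xml</value>
    <value>%{idp.home}/conf/attribute-resolver.xml</value>
</util:list>

<!-- conf/attribute-resolver-ldap.xml: holds only the DataConnector.
     Property names assumed from conf/ldap.properties of IdP 3.x. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:dc http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-dc.xsd">

    <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
        <dc:FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

</resolver:AttributeResolver>

<!-- conf/attribute-resolver.xml: definitions read from the connector by its id.
     No definition here reuses the id of any other plugin in either file. -->
<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="urn:mace:shibboleth:2.0:resolver http://shibboleth.net/schema/idp/shibboleth-attribute-resolver.xsd
                        urn:mace:shibboleth:2.0:resolver:ad http://shibboleth.net/schema/idp/shibboleth-attribute-resolver-ad.xsd
                        urn:mace:shibboleth:2.0:attribute:encoder http://shibboleth.net/schema/idp/shibboleth-attribute-encoder.xsd">

    <!-- Raw LDAP values: Dependency names the connector, sourceAttributeID names
         the LDAP attribute the connector returned. -->
    <resolver:AttributeDefinition id="uid" xsi:type="ad:Simple" sourceAttributeID="uid">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="uid" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="displayName" xsi:type="ad:Simple" sourceAttributeID="displayName">
        <!-- ref="myLDAP", never ref="displayName": a plugin cannot depend on itself -->
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
    </resolver:AttributeDefinition>

    <resolver:AttributeDefinition id="sn" xsi:type="ad:Simple" sourceAttributeID="sn">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.5.4.4" friendlyName="sn" encodeType="false" />
    </resolver:AttributeDefinition>

    <!-- Derived value: depends on the "uid" definition above, not on the connector,
         so sourceAttributeID refers to that definition's output. -->
    <resolver:AttributeDefinition id="eduPersonPrincipalName" xsi:type="ad:Scoped" scope="%{idp.scope}" sourceAttributeID="uid">
        <resolver:Dependency ref="uid" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" friendlyName="eduPersonPrincipalName" encodeType="false" />
    </resolver:AttributeDefinition>

</resolver:AttributeResolver>
```

Whichever split is chosen, the check is the same: grep both files for duplicate id values before reloading the resolver, and make sure that the file holding the DataConnector is actually in the services.xml list, since a definition whose Dependency points at a connector that was never loaded produces the "dependency on plugin ... which doesn't exist" error rather than an empty attribute.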

