Get list of groups in which user has membership in shibboleth with openLDAP

Chaitanya Kumar Ch chaitu381923 at gmail.com
Thu May 5 00:27:20 EDT 2016


overlay is enough for me.
I followed this link
<http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/>
to add the memberOf attribute, but I am not getting a memberOf result
while searching for the attribute using the query below:
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=ddharma)" -b dc=test,dc=com memberOf

*Query Result*:
SASL/EXTERNAL authentication started
SASL username:
gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1

dn: cn=dharma,ou=people,dc=test,dc=com

*Please find the below attachments:*
1. ldap-structure.PNG : My LDAP architecture. User "dharma" is a member of
the twitter, historical and powertrack groups.
2. backend.memberof.ldif
3. backend.refint.ldif

ldap-structure.PNG
<http://shibboleth.1660669.n2.nabble.com/file/n7625251/ldap-structure.PNG>
backend.ldif
<http://shibboleth.1660669.n2.nabble.com/file/n7625251/backend.ldif>
backend.ldif
<http://shibboleth.1660669.n2.nabble.com/file/n7625251/backend.ldif>


On Tue, May 3, 2016 at 9:05 PM, Chaitanya Kumar Ch <chaitu381923 at gmail.com>
wrote:

> Hi,
>
> I tried to get the list of groups of a user by following
> https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
>
> but I am getting an error in idp-process.log, as distinguishedName is always
> returning nothing.
>
> attribute-resolver.xml:
> <!-- get the user's DN from the main LDAP connector (myLDAP) for searching
>     the groups the user is in -->
> <resolver:AttributeDefinition id="distinguishedName"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="myLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> <!-- search for all groups the user is recursively in - and flatten the
>      distinguishedName(s) of all the groups into a single multivalued attribute -->
> <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
>     ldapURL="ldap://192.XXXXXXXX:389"
>     baseDN="OU=Groups and Resources,DC=test,DC=com"
>     principal="CN=admin,DC=test,DC=com" principalCredential="XXXXXXX">
>     <resolver:Dependency ref="distinguishedName" />
>     <dc:FilterTemplate>
>         <![CDATA[
>             (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
>         ]]>
>     </dc:FilterTemplate>
>     <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
>     <dc:LDAPProperty name="java.naming.referral" value="follow" />
> </resolver:DataConnector>
>
> <!-- define the memberOf attribute based on the distinguishedName attribute
>      returned by the groupLDAP connector - names of all groups the user is in -->
> <resolver:AttributeDefinition id="memberOf"
>     xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
>     <resolver:Dependency ref="groupLDAP" />
>     <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> Please help me.
>
> --
> Thank You,
> Chaitanya Kumar Ch,
> +91 9550837582
>



-- 
Thank You,
Chaitanya Kumar Ch,
+91 9550837582
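The two symptoms in this thread (an empty memberOf on the OpenLDAP side, and a Shibboleth filter that never matches) both come down to the same reverse lookup: which groupOfNames entries list a given DN in their member attribute. The OpenLDAP memberof overlay materializes exactly that as the operational memberOf attribute, and only for membership changes made after the overlay is loaded; the `member:1.2.840.113556.1.4.1941:=` rule in the quoted filter is an Active Directory matching rule that OpenLDAP does not implement, so nested groups have to be resolved by the client. The following is an added example, not code from the thread or from Shibboleth or OpenLDAP: it parses an LDIF dump, computes the direct memberships (what memberOf should contain), resolves nesting client-side, and reports entries whose memberOf is missing groups that list them. The LDIF is constructed; the DNs, the "analytics" group and the nesting are assumptions for illustration.

```python
# Added example, not from the thread: derive group membership from an LDIF dump,
# check memberOf against the groups' member attributes, and resolve nesting.
# The LDIF below is constructed; DNs, the "analytics" group and nesting are assumed.
import base64
import re
from collections import defaultdict

SAMPLE_LDIF = """\
dn: cn=dharma,ou=people,dc=test,dc=com
objectClass: inetOrgPerson
uid: ddharma

dn: cn=twitter,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
member: cn=dharma,ou=people,
 dc=test,dc=com

dn: cn=historical,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
member: cn=dharma,ou=people,dc=test,dc=com

dn: cn=powertrack,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
member: cn=dharma,ou=people,dc=test,dc=com

dn: cn=analytics,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
member: cn=twitter,ou=Groups and Resources,dc=test,dc=com
"""

def norm_dn(dn):
    """DNs compare case-insensitively; also drop whitespace around commas."""
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def parse_ldif(text):
    """Parse LDIF into [{"dn": ..., "attrs": {name: [values]}}].
    Handles folded lines, comments and base64 values; URL values are skipped."""
    entries, current = [], None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
            current = None
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):
            continue
        else:
            value = value.strip()
        if attr.lower() == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][attr.lower()].append(value)
    return entries

def direct_groups(entries):
    """Member DN -> set of groupOfNames DNs that list it: the reverse index the
    memberof overlay materializes as the operational memberOf attribute."""
    groups_of = defaultdict(set)
    for e in entries:
        classes = {c.lower() for c in e["attrs"].get("objectclass", [])}
        if "groupofnames" not in classes:
            continue
        for m in e["attrs"].get("member", []):
            groups_of[norm_dn(m)].add(norm_dn(e["dn"]))
    return groups_of

def transitive_groups(dn, groups_of):
    """All groups reachable through group-in-group nesting: the client-side
    equivalent of the AD-only chain matching rule in the quoted filter.
    The visited set makes cyclic nesting terminate."""
    seen, stack = set(), [norm_dn(dn)]
    while stack:
        for g in groups_of.get(stack.pop(), ()):
            if g not in seen:
                seen.add(g)
                stack.append(g)
    return seen

def missing_memberof(entries, groups_of):
    """Entries whose memberOf lacks groups that list them: the thread's symptom."""
    problems = {}
    for e in entries:
        dn = norm_dn(e["dn"])
        missing = groups_of.get(dn, set()) - {norm_dn(v) for v in e["attrs"].get("memberof", [])}
        if missing:
            problems[dn] = missing
    return problems

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    groups_of = direct_groups(entries)
    user = "cn=dharma,ou=people,dc=test,dc=com"
    print("direct:    ", sorted(groups_of[norm_dn(user)]))
    print("transitive:", sorted(transitive_groups(user, groups_of)))
    for dn, missing in missing_memberof(entries, groups_of).items():
        print(f"{dn}: memberOf is missing {sorted(missing)}")
```

Run it against a real dump by replacing SAMPLE_LDIF with the output of an `ldapsearch -LLL ... '*' memberOf` over the people and groups subtrees (memberOf is operational, so it must be requested by name). An entry reported by `missing_memberof` was made a member before the overlay was active, or its group is not of the objectClass/attribute pair the overlay is configured for; the `transitive_groups` set is what a flattened nested-group attribute would have to contain.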