Get list of groups in which user has membership in shibboleth with openLDAP
Brian Biggs
brian.biggs at sonoma.edu
Thu May 5 11:38:52 EDT 2016
The memberOf overlay will not "catch-up" (it will not go through your
groups and add data to the memberOf attribute).
The overlay will only make changes when group memberships change going
forward.
To handle your existing group memberships you'd need to write a script
(or something) that goes through your groups and removes and re-adds
users. This will trigger the overlay and your memberOf data will be
filled in.
-Brian
On 05/04/2016 09:27 PM, Chaitanya Kumar Ch wrote:
> overlay is enough for me.
> Followed this
> <http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overlay-ubuntu-12-04/> link
> to add memberOf attribute but I am not getting memberOf result
> while searching for attribute using below query:
> ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=ddharma)" -b
> dc=test,dc=com memberO
>
> *Query Result*:
> SASL/EXTERNAL authentication started
> SASL username:
> gidNumber=1000+uidNumber=1000,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> version: 1
>
> dn: cn=dharma,ou=people,dc=test,dc=com
>
> *Please find the below attachments:*
> 1. ldap-structure.PNG : My ldap architecture. user "dharma" is member
> of twitter, historical, powertarck groups.
> 2. backend.memberof.ldif
> 3. backend.refint.ldif
>
> ldap-structure.PNG
> <http://shibboleth.1660669.n2.nabble.com/file/n7625251/ldap-structure.PNG>
> backend.ldif
> <http://shibboleth.1660669.n2.nabble.com/file/n7625251/backend.ldif>
> backend.ldif
> <http://shibboleth.1660669.n2.nabble.com/file/n7625251/backend.ldif>
>
>
> On Tue, May 3, 2016 at 9:05 PM, Chaitanya Kumar Ch
> <chaitu381923 at gmail.com <mailto:chaitu381923 at gmail.com>> wrote:
>
> Hi,
>
> I tried to get list of groups of a user by following
> https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
>
> but I am getting error in idp-process.log as distinguishedName
> always returning nothing.
>
> attribute-resolver.xml:
> <!-- get the user's DN from the main LDAP connector (myLDAP) for
> searching
> the groups the user is in -->
> <resolver:AttributeDefinition id="distinguishedName"
> xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
> <resolver:Dependency ref="myLDAP" />
> <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> <!-- search for all groups the user is recursively in - and
> flatten the distinguishedName(s)
> of all the groups into a single multivalued attribute -->
> <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
> ldapURL="ldap://192.XXXXXXXX:389" baseDN="OU=Groups and
> Resources,DC=test,DC=com"
> principal="CN=admin,DC=test,DC=com" principalCredential="XXXXXXX">
> <resolver:Dependency ref="distinguishedName" />
> <dc:FilterTemplate>
> <![CDATA[
> (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
> ]]>
> </dc:FilterTemplate>
> <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
> <dc:LDAPProperty name="java.naming.referral" value="follow" />
> </resolver:DataConnector>
>
> <!-- define the memberOf attribute based on the distinguishedName
> attribute
> returned by the groupLDAP connector - names of all groups the
> user is in -->
> <resolver:AttributeDefinition id="memberOf"
> xsi:type="ad:Simple" sourceAttributeID="distinguishedName">
> <resolver:Dependency ref="groupLDAP" />
> <!-- no encoder needed -->
> </resolver:AttributeDefinition>
>
> Please help me.
>
> --
> Thank You,
> Chaitanya Kumar Ch,
> +91 9550837582
>
>
>
>
> --
> Thank You,
> Chaitanya Kumar Ch,
> +91 9550837582
>
>
--
Brian Biggs
Sonoma State University
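An added example (not from this thread or from OpenLDAP) of the remove-and-re-add script Brian describes: it reads an LDIF dump of the groups and emits ldapmodify change records that delete and re-add each member value, which makes the memberOf overlay back-fill the users' memberOf attribute. It assumes groupOfNames groups using the `member` attribute (the overlay's defaults) and uses constructed sample groups; dump the real ones with `ldapsearch -LLL -b "ou=Groups and Resources,dc=test,dc=com" "(objectClass=groupOfNames)" member`.

```python
# Generate ldapmodify change records that delete and re-add every member of
# every group, so the memberOf overlay fires for existing memberships.
# Apply with:  ldapmodify -Y EXTERNAL -H ldapi:/// -f refresh.ldif
# Delete and re-add are in the same modify record, so a single-member
# groupOfNames never violates the schema's MUST member rule.
import re

MEMBER_ATTR = "member"   # memberof-member-ad default; change if configured otherwise

# Constructed sample dump (the thread's groups are not reproduced here).
SAMPLE_GROUPS_LDIF = """\
dn: cn=twitter,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
cn: twitter
member: cn=dharma,ou=people,dc=test,dc=com
member: cn=alice,ou=people,dc=test,dc=com

dn: cn=historical,ou=Groups and Resources,dc=test,dc=com
objectClass: groupOfNames
cn: historical
member: cn=dharma,ou=people,dc=test,dc=com
"""

def parse_ldif(text):
    """Return [(group DN, [member DNs])] per entry; handles LDIF line folding.
    Base64 ('::') values are not decoded, which is fine for ASCII DNs."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith(" ") and lines:
                lines[-1] += line[1:]          # folded continuation line
            elif line and not line.startswith("#"):
                lines.append(line)
        dn, members = None, []
        for line in lines:
            attr, _, value = line.partition(":")
            if attr == "dn":
                dn = value.strip()
            elif attr == MEMBER_ATTR:
                members.append(value.strip())
        if dn:
            entries.append((dn, members))
    return entries

def refresh_ldif(groups):
    """One modify record per group: delete then re-add each member value."""
    out = []
    for dn, members in groups:
        if not members:
            continue                           # nothing for the overlay to do
        out.append(f"dn: {dn}\nchangetype: modify")
        for m in members:
            out.append(f"delete: {MEMBER_ATTR}\n{MEMBER_ATTR}: {m}\n-")
            out.append(f"add: {MEMBER_ATTR}\n{MEMBER_ATTR}: {m}\n-")
        out.append("")                         # blank line ends the record
    return "\n".join(out)

if __name__ == "__main__":
    print(refresh_ldif(parse_ldif(SAMPLE_GROUPS_LDIF)))
```

Run it against a dump of the real groups, review the output, then apply it with ldapmodify as a user with write access to the group entries; the refint overlay is untouched because the final entry contents do not change.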