Authenticated memberof group

IAM David Bantz dabantz at alaska.edu
Wed May 3 17:15:42 EDT 2017


DataConnectors are used in attribute-resolver.xml and as Scott has stated 2
or 3 times, attribute resolution occurs AFTER user authentication and
cannot retroactively fail the (previously successful) user authentication.

Edit the ldap filter used in the authentication phase. I provided an
example filter in case you're using ldap authentication in jaas.config:
userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))"

David Bantz


On Wed, May 3, 2017 at 12:54 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:

> On 5/3/17, 4:30 PM, "users on behalf of Daniel McDonald" <
> users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
>
> > Right now I have this as my CDATA section within my DataConnector which
> successfully matches on the mail attribute.
>
> That's not about authentication, so you're still going about this wrong.
>
> > This is successfully authenticating:
>
> No, it's successfully getting attributes (or not).
>
> > I tried this next line but it didnt seem to work, users not in the group
> are able to login:
>
> Because that has nothing to do with authentication, that's happening
> afterwards. It presupposes authentication happened (excepting attribute
> queries, but leave that aside).
>
> -- Scott
>
>
>
>
> --
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
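To make the two-phase point in this thread concrete, here is an added example in Python that models the login flow: a userFilter search that must locate exactly one DN, a bind with the password, and a separate attribute-resolution step that runs only after the bind succeeded. It is example code written for this page, not Shibboleth, ldaptive or anyone's configuration from the thread. The in-memory directory, the users alice and bob, their passwords and the attribute values are constructed; only the group DN and attribute names come from the thread. The example also escapes the {user} substitution per RFC 4515 before splicing it into the filter, and a filter with unbalanced parentheses raises an error rather than silently matching nobody.

```python
"""Toy model of an LDAP login: a userFilter search for the DN, a simple bind,
and a separate attribute-resolution step that runs only after the bind.
Added example code, not Shibboleth or ldaptive code; the directory entries,
passwords, user names and attribute values are constructed for the example."""
import re

GROUP_DN = "CN=MyGroup,CN=Users,DC=umass,DC=net"

# Constructed in-memory directory: DN -> attribute map (values are lists).
DIRECTORY = {
    "CN=alice,CN=Users,DC=umass,DC=net": {
        "sAMAccountName": ["alice"], "mail": ["alice@umass.net"],
        "memberOf": [GROUP_DN], "userPassword": ["alice-pw"]},
    "CN=bob,CN=Users,DC=umass,DC=net": {
        "sAMAccountName": ["bob"], "mail": ["bob@umass.net"],
        "memberOf": [], "userPassword": ["bob-pw"]},
}

def ldap_escape(value):
    """RFC 4515 escaping for a value spliced into a filter, so a login name
    containing ( ) * or \\ cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def parse_filter(text):
    """Parse the RFC 4515 subset used here: (&..), (|..), (!..), (a=v), (a=*).
    Unbalanced parentheses raise ValueError instead of matching nobody."""
    pos = 0
    def node():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if pos < len(text) and text[pos] in "&|!":
            op = text[pos]
            pos += 1
            kids = []
            while pos < len(text) and text[pos] != ")":
                kids.append(node())
            if pos >= len(text):
                raise ValueError("unterminated %r at offset %d" % (op, pos))
            pos += 1
            return (op, kids)
        end = text.find(")", pos)
        if end < 0:
            raise ValueError("unterminated item at offset %d" % pos)
        attr, _, raw = text[pos:end].partition("=")
        pos = end + 1
        return ("present", attr) if raw == "*" else ("=", attr, _unescape(raw))
    tree = node()
    if pos != len(text):
        raise ValueError("trailing data at offset %d" % pos)
    return tree

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attribute map."""
    op = node[0]
    if op == "=":
        return node[2] in attrs.get(node[1], [])
    if op == "present":
        return bool(attrs.get(node[1]))
    if op == "&":
        return all(matches(k, attrs) for k in node[1])
    if op == "|":
        return any(matches(k, attrs) for k in node[1])
    return not matches(node[1][0], attrs)        # "!"

def authenticate(user_filter, user, password):
    """Phase 1: substitute the escaped login name for {user}, require the
    search to return exactly one entry, then bind with the password.
    Returns the bound DN or None."""
    tree = parse_filter(user_filter.replace("{user}", ldap_escape(user)))
    hits = [dn for dn, a in DIRECTORY.items() if matches(tree, a)]
    if len(hits) != 1 or password not in DIRECTORY[hits[0]]["userPassword"]:
        return None
    return hits[0]

def resolve_attributes(dn, attr_filter):
    """Phase 2 (attribute-resolver DataConnector): runs only after a
    successful bind. A filter here that excludes the user only yields an
    empty attribute set; it cannot undo the authentication."""
    attrs = DIRECTORY[dn]
    return {"mail": attrs["mail"]} if matches(parse_filter(attr_filter), attrs) else {}

def login(user, password, user_filter, attr_filter):
    """Returns (authenticated, released_attributes)."""
    dn = authenticate(user_filter, user, password)
    return (False, {}) if dn is None else (True, resolve_attributes(dn, attr_filter))

# Group restriction in the authentication filter (the jaas.config userFilter).
AUTH_FILTER = "(&(sAMAccountName={user})(memberOf=%s))" % GROUP_DN
# Group restriction placed only in the attribute phase: does not block login.
ATTR_FILTER = "(&(sAMAccountName=*)(memberOf=%s))" % GROUP_DN

if __name__ == "__main__":
    print(login("bob", "bob-pw", "(sAMAccountName={user})", ATTR_FILTER))  # (True, {})
    print(login("bob", "bob-pw", AUTH_FILTER, ATTR_FILTER))                  # (False, {})
    print(login("alice", "alice-pw", AUTH_FILTER, ATTR_FILTER))              # (True, {'mail': ['alice@umass.net']})
```

The first call reproduces the symptom reported in the thread: with the memberOf check only on the attribute side, bob (not in the group) still authenticates and merely gets no attributes back. Moving the same memberOf term into the userFilter makes the DN search come up empty, so there is nothing to bind as and the login fails before any attribute resolution happens.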