Authenticated memberof group
Domingues, Michael D
michael-domingues at uiowa.edu
Thu May 4 08:46:36 EDT 2017
General documentation on LDAP Authentication can be found on the Shibboleth wiki here. You'll want to set the idp.authn.LDAP.userFilter configuration property (in conf/ldap.properties) if you're not using the JAAS LDAP setup like David is.
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz <dabantz at alaska.edu>
Sent: Wednesday, May 3, 2017 4:15:42 PM
To: Shib Users
Subject: Re: Authenticated memberof group
DataConnectors are used in attribute-resolver.xml and as Scott has stated 2 or 3 times, attribute resolution occurs AFTER user authentication and cannot retroactively fail the (previously successful) user authentication.
Edit the ldap filter used in the authentication phase. I provided an example filter in the case you're using ldap authentication in jaas.config:
On Wed, May 3, 2017 at 12:54 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
On 5/3/17, 4:30 PM, "users on behalf of Daniel McDonald" <users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
> Right now I have this as my CDATA section within my DataConnector which successfully matches on the mail attribute.
That's not about authentication, so you're still going about this wrong.
> This is successfully authenticating:
No, it's successfully getting attributes (or not).
> I tried this next line but it didn't seem to work, users not in the group are able to login:
Because that has nothing to do with authentication, that's happening afterwards. It presupposes authentication happened (excepting attribute queries, but leave that aside).
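The ordering point made in this thread (attribute resolution runs after authentication and cannot fail a login; only the authentication-phase filter such as idp.authn.LDAP.userFilter can) is shown below in a small, added simulation. This is example code written for this page, not part of the thread or of the Shibboleth IdP; the directory entries, the group DN and the supported filter subset (equality, `&`, `|`) are constructed assumptions.

```python
# Constructed sample directory standing in for the IdP's LDAP server (not real data).
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=org": {
        "uid": ["alice"], "userPassword": ["alice-pw"], "mail": ["alice@example.org"],
        "memberOf": ["cn=shib-users,ou=groups,dc=example,dc=org"]},
    "uid=bob,ou=people,dc=example,dc=org": {
        "uid": ["bob"], "userPassword": ["bob-pw"], "mail": ["bob@example.org"],
        "memberOf": []},  # bob is not in the group
}
GROUP = "cn=shib-users,ou=groups,dc=example,dc=org"  # assumed group DN

def escape(value):
    """RFC 4515 escaping of the user-supplied value spliced into {user}."""
    return "".join("\\%02x" % ord(c) if c in '\\*()\0' else c for c in value)

def parse(f):
    """Parse the filter subset used here: (attr=value), (&...) and (|...)."""
    assert f[0] == "(" and f[-1] == ")", f
    body = f[1:-1]
    if body[0] in "&|":
        parts, depth, start = [], 0, 1
        for i, c in enumerate(body[1:], 1):
            depth += (c == "(") - (c == ")")
            if depth == 0 and c == ")":
                parts.append(body[start:i + 1]); start = i + 1
        return (body[0], [parse(p) for p in parts])
    attr, _, value = body.partition("=")  # split on the first '=' only (DN values contain '=')
    return ("=", attr, value)

def matches(entry, node):
    if node[0] == "&": return all(matches(entry, n) for n in node[1])
    if node[0] == "|": return any(matches(entry, n) for n in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))

def search(filter_template, username):
    node = parse(filter_template.replace("{user}", escape(username)))
    return [dn for dn, e in DIRECTORY.items() if matches(e, node)]

def authenticate(username, password, user_filter):
    """Search-then-bind: login fails only on a filter miss or a wrong password."""
    dns = search(user_filter, username)
    return len(dns) == 1 and DIRECTORY[dns[0]]["userPassword"] == [password]

def resolve(username, connector_filter):
    """Runs after login; an empty result means no attributes, never a failed login."""
    dns = search(connector_filter, username)
    return {"mail": DIRECTORY[dns[0]]["mail"]} if dns else {}

WEAK = "(uid={user})"                              # authenticates anyone with a valid password
STRICT = "(&(uid={user})(memberOf=" + GROUP + "))"  # what userFilter should look like
```

With WEAK as the authentication filter, bob logs in even though a STRICT filter in the resolver returns him no attributes; with STRICT as the authentication filter, bob's login is refused.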