Authenticated memberof group
Domingues, Michael D
michael-domingues at uiowa.edu
Thu May 4 08:46:36 EDT 2017
General documentation on LDAP Authentication can be found on the Shibboleth wiki here [1]. You'll want to set the idp.authn.LDAP.userFilter configuration property (in conf/ldap.properties) if you're not using the JAAS LDAP setup like David is.
[1] https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration
________________________________
From: users <users-bounces at shibboleth.net> on behalf of IAM David Bantz <dabantz at alaska.edu>
Sent: Wednesday, May 3, 2017 4:15:42 PM
To: Shib Users
Subject: Re: Authenticated memberof group
DataConnectors are used in attribute-resolver.xml and as Scott has stated 2 or 3 times, attribute resolution occurs AFTER user authentication and cannot retroactively fail the (previously successful) user authentication.
Edit the ldap filter used in the authentication phase. I provided an example filter in case you're using ldap authentication in jaas.config:
userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))"
David Bantz
On Wed, May 3, 2017 at 12:54 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
On 5/3/17, 4:30 PM, "users on behalf of Daniel McDonald" <users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
> Right now I have this as my CDATA section within my DataConnector which successfully matches on the mail attribute.
That's not about authentication, so you're still going about this wrong.
> This is successfully authenticating:
No, it's successfully getting attributes (or not).
> I tried this next line but it didn't seem to work, users not in the group are able to login:
Because that has nothing to do with authentication, that's happening afterwards. It presupposes authentication happened (excepting attribute queries, but leave that aside).
-- Scott
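The point made throughout this thread is that a memberOf condition only gates login when it is part of the userFilter the IdP evaluates before binding as the user; the same condition in a DataConnector runs after authentication and can only affect which attributes come back. The script below is an added example written for this page; it is not code from any of the posters or from the Shibboleth IdP project. It implements a minimal RFC 4515 filter evaluator (equality, presence, &, | and !) and runs the plain and group-restricted filters against a constructed in-memory directory. `SAMPLE_ENTRIES`, the `DC=example,DC=test` DNs and the function names (`resolve_user_dn`, `parse_filter`, `escape_filter_value`) are all assumptions made for the illustration; the group DN is adapted to the sample data. It goes slightly beyond the thread in two ways a practitioner would want checked: the parser rejects the unbalanced filter as originally posted (the closing parenthesis is missing), and `{user}` is escaped before substitution so a submitted username cannot change the filter's structure.

```python
"""Added example (not from this thread or from Shibboleth IdP): a tiny RFC 4515
filter evaluator showing which entry a userFilter resolves to before the bind
step. All entries, DNs and names below are constructed sample data."""
import re
from typing import Dict, List, Optional, Tuple

Entry = Dict[str, List[str]]  # lower-cased attribute name -> values

# Constructed sample directory: alice is in the gating group, bob is not.
SAMPLE_ENTRIES: Dict[str, Entry] = {
    "CN=alice,CN=Users,DC=example,DC=test": {
        "samaccountname": ["alice"],
        "memberof": ["CN=MyGroup,CN=Users,DC=example,DC=test"]},
    "CN=bob,CN=Users,DC=example,DC=test": {
        "samaccountname": ["bob"],
        "memberof": ["CN=OtherGroup,CN=Users,DC=example,DC=test"]},
}
# The thread's group-restricted filter (closing parenthesis included) and the
# plain filter it replaces; the group DN is adapted to the sample data.
GROUP_FILTER = "(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=example,DC=test))"
PLAIN_FILTER = "(sAMAccountName={user})"

class FilterSyntaxError(ValueError):
    """Filter is not well-formed, e.g. unbalanced parentheses."""

def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised component at s[i]; return (node, index after it)."""
    if i >= len(s) or s[i] != "(":
        raise FilterSyntaxError(f"expected '(' at offset {i}")
    i += 1
    if i >= len(s):
        raise FilterSyntaxError("unexpected end of filter")
    op = s[i]
    if op in "&|":                      # (&(...)(...)) or (|(...)(...))
        i, children = i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        node = (op, children)
    elif op == "!":                     # (!(...))
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:                               # (attr=value) or presence (attr=*)
        end = s.find(")", i)
        if end == -1:
            raise FilterSyntaxError("missing ')' in simple item")
        attr, eq, value = s[i:end].partition("=")
        if not attr or not eq:
            raise FilterSyntaxError(f"malformed item {s[i:end]!r}")
        node, i = ("=", attr.lower(), value), end
    if i >= len(s) or s[i] != ")":
        raise FilterSyntaxError(f"missing ')' at offset {i}")
    return node, i + 1

def parse_filter(s: str) -> tuple:
    """Parse a complete filter string, rejecting trailing characters."""
    node, i = _parse(s.strip(), 0)
    if i != len(s.strip()):
        raise FilterSyntaxError(f"trailing characters after offset {i}")
    return node

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a submitted username cannot alter filter structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(node: tuple, entry: Entry) -> bool:
    """Evaluate a parsed filter against one entry (case-insensitive, as AD is)."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value == "*":                    # presence test
        return bool(values)
    return any(v.lower() == _unescape(value).lower() for v in values)

def resolve_user_dn(user_filter: str, username: str,
                    entries: Dict[str, Entry] = SAMPLE_ENTRIES) -> Optional[str]:
    """Substitute {user} and return the single matching DN, or None.

    None means the search finds nobody to bind as, so authentication fails
    here, before attribute resolution ever runs; several matches are also a
    failure because the subject would be ambiguous."""
    node = parse_filter(user_filter.replace("{user}", escape_filter_value(username)))
    hits = [dn for dn, entry in entries.items() if matches(node, entry)]
    return hits[0] if len(hits) == 1 else None

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, "plain:", resolve_user_dn(PLAIN_FILTER, name),
              "| group:", resolve_user_dn(GROUP_FILTER, name))
```

With the plain filter both users resolve to a DN and proceed to the bind, so both can log in; with the group-restricted filter bob resolves to nothing, so there is no DN to bind as and authentication fails before any attribute-resolver DataConnector runs. A real directory also supports substring, ordering and extensible-match items that this evaluator does not, so treat it as a check of filter logic and syntax, not as a substitute for testing against the live server.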