Authenticated memberof group

Daniel McDonald daniel.mcdonald at umb.edu
Thu May 4 11:56:52 EDT 2017


I misunderstood Scott the first time he said I was barking up the wrong 
tree. My apologies.

In ldap.properties I was modifying idp.attribute.resolver.LDAP.searchFilter, which obviously was way off....

I set idp.authn.LDAP.userFilter to 
(&(mail=$requestContext.principalName)(memberOf=CN=MyGroup,CN=Users,DC=school,DC=net)) 
and it works great.

Thanks for all your help, shib users :)

On 05/03/2017 05:15 PM, IAM David Bantz wrote:
> DataConnectors are used in attribute-resolver.xml and as Scott has 
> stated 2 or 3 times, attribute resolution occurs AFTER user 
> authentication and cannot retroactively fail the (previously 
> successful) user authentication.
>
> Edit the ldap filter used in the authentication phase. I provided an 
> example filter in the case you're using ldap authentication in 
> jaas.config:
> userFilter="(&(sAMAccountName={user})(memberOf=CN=MyGroup,CN=Users,DC=umass,DC=net))"
>
> David Bantz
>
>
> On Wed, May 3, 2017 at 12:54 PM, Cantor, Scott <cantor.2 at osu.edu> wrote:
>
>     On 5/3/17, 4:30 PM, "users on behalf of Daniel McDonald"
>     <users-bounces at shibboleth.net on behalf of daniel.mcdonald at umb.edu> wrote:
>
>     > Right now I have this as my CDATA section within my
>     DataConnector which successfully matches on the mail attribute.
>
>     That's not about authentication, so you're still going about this
>     wrong.
>
>     > This is successfully authenticating:
>
>     No, it's successfully getting attributes (or not).
>
>     > I tried this next line but it didn't seem to work, users not in
>     the group are able to login:
>
>     Because that has nothing to do with authentication, that's
>     happening afterwards. It presupposes authentication happened
>     (excepting attribute queries, but leave that aside).
>
>     -- Scott
>
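The group-restricted userFilter from this thread, as an added example that is not from the list or from the Shibboleth project: a small evaluator for the LDAP filter subset used above, run against a constructed directory. It shows that the filter returns no entry for a user outside MyGroup (so the IdP has nothing to bind as and authentication fails), while the plain mail lookup of the kind used during attribute resolution still finds that user, which is why a resolver-side filter cannot block login. The entries, DNs and the parse/matches/search helpers are all constructed for this example.

```python
def parse(s, i=0):
    """Parse an RFC 4515 subset: (&...), (|...), (!...) and (attr=value)."""
    assert s[i] == "(", "filter must start with '('"
    i += 1
    if s[i] in "&|!":
        op, subs = s[i], []
        i += 1
        while s[i] == "(":                # one sub-filter per parenthesised term
            node, i = parse(s, i)
            subs.append(node)
        assert s[i] == ")", "unbalanced filter"
        return (op, subs), i + 1
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)  # DN values contain '=' but no ')'
    return ("=", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (attr -> list of values).
    Names and values compare case-insensitively, approximating AD's
    caseIgnoreMatch and DN matching; memberOf is multi-valued."""
    if node[0] == "&":
        return all(matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(matches(n, entry) for n in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = [v for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    return any(v.lower() == value.lower() for v in vals)

def search(directory, template, principal):
    """Substitute the principal ({user} or $requestContext.principalName,
    as the IdP does) and return the DNs of matching entries."""
    flt = template.replace("{user}", principal)
    flt = flt.replace("$requestContext.principalName", principal)
    node, end = parse(flt)
    assert end == len(flt), "trailing text after filter"
    return [dn for dn, entry in directory.items() if matches(node, entry)]

# Constructed sample directory: Alice is in MyGroup, Bob is not.
DIRECTORY = {
    "CN=Alice,CN=Users,DC=school,DC=net": {"mail": ["alice@school.net"],
        "memberOf": ["CN=MyGroup,CN=Users,DC=school,DC=net", "CN=Staff,CN=Users,DC=school,DC=net"]},
    "CN=Bob,CN=Users,DC=school,DC=net": {"mail": ["bob@school.net"],
        "memberOf": ["CN=Staff,CN=Users,DC=school,DC=net"]},
}
USER_FILTER = "(&(mail=$requestContext.principalName)(memberOf=CN=MyGroup,CN=Users,DC=school,DC=net))"

def can_authenticate(principal):
    """Authentication needs exactly one entry to bind as."""
    return len(search(DIRECTORY, USER_FILTER, principal)) == 1
```

Active Directory's memberOf lists direct memberships only, so a user who reaches MyGroup through a nested group will not pass this filter.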
