problem resolving recursive group memberships in AD

Guenther, Dean R. guenther at wsu.edu
Mon Jul 9 12:57:48 EDT 2018


I’ve been working with Vladimir Mencl’s documentation for resolving recursive group memberships from Active Directory.

https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples

It seems straightforward. I’m not getting an error, but I’m also not getting any groups returned. “mergeResults” has been deprecated in shib v3 so I’ve omitted that. Here is what I have. Any ideas what the problem is with my definitions?
thanks – dean


<!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
<AttributeDefinition id="distinguishedName" xsi:type="Simple"
                     sourceAttributeID="distinguishedName">
    <Dependency ref="myLDAP"/>
    <!-- no encoder needed -->
</AttributeDefinition>

<!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute -->
<DataConnector id="groupLDAP" xsi:type="LDAPDirectory"
               useStartTLS="%{idp.authn.LDAP.useStartTLS}"
               ldapURL="%{idp.authn.LDAP.ldapURL}"
               baseDN="%{idp.authn.LDAP.baseDN}"
               principal="%{idp.authn.LDAP.bindDN}"
               principalCredential="%{idp.authn.LDAP.bindDNCredential}"
               maxResultSize="1000"
               searchTimeLimit="PT10.000S">
    <Dependency ref="distinguishedName"/>
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
        ]]>
    </FilterTemplate>
    <ReturnAttributes>distinguishedName</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
</DataConnector>

<!-- define the memberOf attribute based on the distinguishedName attribute returned by the groupLDAP connector - names of all groups the user is in -->
<AttributeDefinition id="memberOf" xsi:type="Simple"
                     sourceAttributeID="distinguishedName">
    <Dependency ref="groupLDAP"/>
</AttributeDefinition>

<AttributeDefinition xsi:type="ScriptedAttribute" id="ITSTechPro">
    <Dependency ref="memberOf"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ITSTechPro"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.15733.1.4.8" friendlyName="ITSTechPro"/>
    <Script><![CDATA[
        // memberOf is undefined or null when the user is in no groups at all
        if (typeof memberOf != "undefined" && memberOf != null) {
            // declare the loop index locally instead of leaking an implicit global
            for (var i = 0; i < memberOf.getValues().size(); i++) {
                var value = memberOf.getValues().get(i).toLowerCase();
                // substring match on the lower-cased group DN
                if (value.contains("its_techpro")) {
                    ITSTechPro.getValues().add("member");
                }
            }
        }
    ]]></Script>
</AttributeDefinition>




Dean Guenther                          dean.guenther at wsu.edu
Washington State University            Phone: 509 335-0433
Pullman, WA 99164-1222                 Fax:   509 335-0540
Identity and Access Management Manager
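As an added example, not from Dean's post or the Shibboleth wiki: a small offline model of what the `member:1.2.840.113556.1.4.1941:=` (LDAP_MATCHING_RULE_IN_CHAIN) filter computes server-side, so the expected group set can be checked before blaming the resolver, plus the filter string with the DN escaped per RFC 4515 and an exact-CN membership test instead of the substring match in the posted script (which would also match a group such as `ITS_TechPro_Old`). The directory contents, DNs and group names are constructed sample data.

```python
from collections import deque

# Constructed sample directory: group DN -> member DNs (users or nested groups).
# ITS_TechPro and ITS_Staff nest each other, so the walk must tolerate cycles.
DIRECTORY = {
    "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu": [
        "CN=ITS_Staff,OU=Groups,DC=example,DC=edu"],
    "CN=ITS_Staff,OU=Groups,DC=example,DC=edu": [
        "CN=dean,OU=People,DC=example,DC=edu",
        "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu"],
    "CN=ITS_TechPro_Old,OU=Groups,DC=example,DC=edu": [
        "CN=bob,OU=People,DC=example,DC=edu"],
}

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping so a DN containing ( ) * \\ or NUL cannot change the filter."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def in_chain_filter(user_dn: str) -> str:
    """The filter the groupLDAP connector sends, with the substituted DN escaped."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)

def transitive_groups(user_dn: str, directory=DIRECTORY) -> set:
    """All groups containing user_dn directly or via nesting: the set the
    in-chain matching rule returns. A visited set stops nested-group cycles."""
    direct = {g for g, members in directory.items() if user_dn in members}
    seen, queue = set(direct), deque(direct)
    while queue:
        group = queue.popleft()
        for parent, members in directory.items():
            if group in members and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen

def rdn_cn(dn: str) -> str:
    """CN of the first RDN, case-folded (assumes no escaped commas in the RDN)."""
    return dn.split(",", 1)[0].split("=", 1)[1].casefold()

def is_member_of_cn(groups: set, cn: str) -> bool:
    """Exact CN comparison; a substring test on the DN would also hit ITS_TechPro_Old."""
    return any(rdn_cn(g) == cn.casefold() for g in groups)
```

Comparing `transitive_groups()` for a test user with what the IdP's `memberOf` attribute actually carries (e.g. via the attribute-resolver debug logging) separates a directory-side problem from a resolver-side one.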
