Re: problem resolving recursive group memberships in AD
Rosenfeld, Waldemar (extern)
waldemar.rosenfeld.extern at gv.mpg.de
Tue Jul 10 03:52:49 EDT 2018
Maybe it’s the source attribute from isMemberOf. That’s my working configuration in the attribute resolver:
<!-- the user's own DN, taken from the main AD connector -->
<AttributeDefinition xsi:type="Simple" id="distinguishedName" sourceAttributeID="distinguishedName">
    <Dependency ref="AD" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12" friendlyName="distinguishedName" />
</AttributeDefinition>

<!-- isMemberOf is built from the cn values the ADGroup connector returns -->
<AttributeDefinition xsi:type="Simple" id="isMemberOf" sourceAttributeID="cn">
    <Dependency ref="ADGroup" />
    <AttributeEncoder xsi:type="SAML1String" name="urn:oid:1.3.6.1.4.1.20462.5.1.9" />
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.20462.5.1.9" friendlyName="isMemberOf" />
</AttributeDefinition>

<!-- second LDAP connector: searches all groups that contain the user's DN, directly or nested -->
<DataConnector id="ADGroup" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="PT30S"
    maxResultSize="1000">
    <Dependency ref="distinguishedName"/>
    <Dependency ref="ADGV" />
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=$distinguishedName.get(0))
        ]]>
    </FilterTemplate>
    <ReturnAttributes>cn</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
</DataConnector>
From: users [mailto:users-bounces at shibboleth.net] On Behalf Of Guenther, Dean R.
Sent: Monday, 9 July 2018 18:58
To: Shib Users <users at shibboleth.net>
Subject: problem resolving recursive group memberships in AD
I’ve been working with Vladimir Mencl’s documentation for resolving recursive group memberships from Active Directory.
https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
It seems straightforward. I’m not getting an error, but I’m also not getting any groups returned. “mergeResults” has been deprecated in shib v3 so I’ve omitted that. Here is what I have. Any ideas what the problem is with my definitions?
thanks – dean
<!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
<AttributeDefinition id="distinguishedName" xsi:type="Simple"
    sourceAttributeID="distinguishedName">
    <Dependency ref="myLDAP"/>
    <!-- no encoder needed -->
</AttributeDefinition>

<!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute -->
<DataConnector id="groupLDAP" xsi:type="LDAPDirectory" useStartTLS="%{idp.authn.LDAP.useStartTLS}"
    ldapURL="%{idp.authn.LDAP.ldapURL}" baseDN="%{idp.authn.LDAP.baseDN}"
    principal="%{idp.authn.LDAP.bindDN}" principalCredential="%{idp.authn.LDAP.bindDNCredential}"
    maxResultSize="1000"
    searchTimeLimit="PT10.000S"
    >
    <Dependency ref="distinguishedName" />
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
        ]]>
    </FilterTemplate>
    <ReturnAttributes>distinguishedName</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
</DataConnector>

<!-- define the memberOf attribute based on the distinguishedName attribute returned by the groupLDAP connector - names of all groups the user is in -->
<AttributeDefinition id="memberOf" xsi:type="Simple"
    sourceAttributeID="distinguishedName">
    <Dependency ref="groupLDAP" />
</AttributeDefinition>

<!-- flag the user with ITSTechPro=member if any resolved group DN contains "its_techpro" (case-insensitive) -->
<AttributeDefinition xsi:type="ScriptedAttribute" id="ITSTechPro">
    <Dependency ref="memberOf"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ITSTechPro"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.15733.1.4.8" friendlyName="ITSTechPro"/>
    <Script><![CDATA[
        if (typeof memberOf != "undefined" && memberOf != null) {
            for (var i = 0; memberOf != null && i < memberOf.getValues().size(); i++) {
                var value = memberOf.getValues().get(i).toLowerCase();
                if (value.contains("its_techpro")) {
                    ITSTechPro.getValues().add("member");
                }
            }
        }
    ]]></Script>
</AttributeDefinition>
Dean Guenther dean.guenther at wsu.edu
Washington State University Phone: 509 335-0433
Pullman, WA. 99164-1222 fax: 509 335-0540
Identity and Access Management Manager
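Both configurations in this thread hand the user's DN to the LDAP_MATCHING_RULE_IN_CHAIN filter (member:1.2.840.113556.1.4.1941:=...) and let the domain controller walk the nested group graph. The following is an added worked example, not code from either poster or from the Shibboleth project: it builds that filter with RFC 4515 escaping of the DN (AD DNs such as CN=Smith\, John carry a backslash that must become \5c or the filter will not match), emulates what the server evaluates for the filter over a constructed in-memory directory including a group cycle, and mirrors the ScriptedAttribute's case-insensitive "its_techpro" test. The directory, the DNs, the group names and the its_techpro naming convention are assumptions made for the example.

```python
"""Emulate the recursive group lookup used in the resolver configs above.

Everything below is constructed sample data and example code; the DNs and
group names are assumptions, not from any real directory."""
from typing import Dict, Iterable, List, Optional, Set

# Constructed stand-in for AD: group DN -> values of its 'member' attribute.
# CN=Smith\, John carries the backslash-escaped comma AD emits for such names.
# ITS_TechPro and ITS_TechPro_Staff contain each other, a cycle the walk must survive.
DIRECTORY: Dict[str, List[str]] = {
    "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu": [
        "CN=ITS_TechPro_Staff,OU=Groups,DC=example,DC=edu",
    ],
    "CN=ITS_TechPro_Staff,OU=Groups,DC=example,DC=edu": [
        "CN=Smith\\, John,OU=Users,DC=example,DC=edu",
        "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu",
    ],
    "CN=All_Staff,OU=Groups,DC=example,DC=edu": [
        "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu",
        "CN=jdoe,OU=Users,DC=example,DC=edu",
    ],
    "CN=Unrelated,OU=Groups,DC=example,DC=edu": [
        "CN=jdoe,OU=Users,DC=example,DC=edu",
    ],
}

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as used in both FilterTemplates in the thread.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP search filter assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_in_chain_filter(user_dn: str) -> str:
    """The filter the resolver sends, with the DN properly escaped."""
    return f"(member:{MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


def groups_containing(directory: Dict[str, List[str]], dn: str) -> Set[str]:
    """Every group whose 'member' chain reaches dn, directly or through nested groups.

    This is what the DC evaluates for the matching-rule-in-chain filter; a visited set
    keeps the walk finite when groups are members of each other."""
    found: Set[str] = set()
    frontier = [dn]
    while frontier:
        target = frontier.pop()
        for group, members in directory.items():
            if target in members and group not in found:
                found.add(group)
                frontier.append(group)  # groups containing this group also contain dn
    return found


def its_techpro_flag(group_dns: Iterable[str]) -> Optional[str]:
    """Mirror of the ScriptedAttribute: 'member' if any group value contains its_techpro.

    The original script adds one 'member' value per matching group; a single value is
    returned here since the released attribute only needs to say yes or no."""
    for value in group_dns:
        if "its_techpro" in value.lower():
            return "member"
    return None


if __name__ == "__main__":
    for user in ("CN=jdoe,OU=Users,DC=example,DC=edu",
                 "CN=Smith\\, John,OU=Users,DC=example,DC=edu"):
        print(member_in_chain_filter(user))
        groups = groups_containing(DIRECTORY, user)
        for g in sorted(groups):
            print("   ", g)
        print("    ITSTechPro =", its_techpro_flag(groups))
```

Before wiring the filter into the resolver, the same query can be run against the DC with ldapsearch(1), substituting the real bind DN, base DN and the escaped user DN: ldapsearch -H ldaps://<dc> -D <bindDN> -W -b <baseDN> '(member:1.2.840.113556.1.4.1941:=<escaped user DN>)' cn distinguishedName. An empty result there means the problem is the filter or the DN value, not the attribute definitions.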