variables in FilterTemplate (recursive group membership MS-AD)
Peter Schober
peter.schober at univie.ac.at
Wed Nov 28 09:04:30 EST 2018
Hi,
I'm trying to help an institution make use of the contributed example
from the IDPv2 docs that performs recursive group membership lookups
using MS-AD extensions:
https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples
More or less using that example as is (simply adjusting XML
namespaces etc) it fails because the variable in the FilterTemplate
isn't replaced but used verbatim:

2018-11-28 14:15:28,157 - DEBUG [net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:212] - Template text (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)}) yields (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})

So consequently nothing is found:

2018-11-28 14:15:28,239 - DEBUG [net.shibboleth.idp.attribute.resolver.AbstractDataConnector:136] - groupLDAP no attributes were produced during resolution

An internal attribute with distinguishedName exists and has the
expected value (I can see it in aacli if I attach an encoder and
release it to an SP).
Writing the DN value into the FilterTemplate verbatim also works as
expected.
Any pointers where to RTFM? From
https://wiki.shibboleth.net/confluence/display/IDP30/FilterTemplate
I tried leaving out the wrapping curly brackets but that didn't help, either.
-peter
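
Added example, not part of the original post and not Shibboleth code: a small log check that finds "Template text ... yields ..." DEBUG records whose rendered LDAP filter still contains a Velocity reference, which is the symptom shown above and means the group lookup silently returns nothing. It assumes the log layout quoted in the post (possibly line-wrapped); the second sample record is constructed.

```python
import re

# Start of a record: "2018-11-28 14:15:28,157 - DEBUG [logger:line] - message"
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - ")
TEMPLATE_MSG = re.compile(r"Template text (?P<template>.+?) yields (?P<result>.+)$")
# Velocity references (heuristic): ${name...} or $name.method(args)
VELOCITY_REF = re.compile(r"\$\{[^}]*\}|\$[A-Za-z_][\w.]*(?:\([^)]*\))?")


def records(lines):
    """Join wrapped continuation lines into one string per log record."""
    current = None
    for line in lines:
        line = line.strip()
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line
        elif current is not None and line:
            current += " " + line
    if current is not None:
        yield current


def unresolved_templates(lines):
    """Return (timestamp, rendered_filter, leftover_refs) per unresolved template."""
    findings = []
    for rec in records(lines):
        m = TEMPLATE_MSG.search(rec)
        if not m:
            continue
        refs = VELOCITY_REF.findall(m.group("result"))
        if refs:
            findings.append((rec[:23], m.group("result"), refs))
    return findings


# First record is the one quoted in the post; the second is constructed.
SAMPLE = """\
2018-11-28 14:15:28,157 - DEBUG
[net.shibboleth.idp.attribute.resolver.dc.ldap.impl.TemplatedExecutableSearchFilterBuilder:212]
- Template text
(member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)}) yields
(member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
2018-11-28 14:16:02,004 - DEBUG [constructed.Logger:1] - Template text
(uid=${uid.get(0)}) yields (uid=jdoe)
""".splitlines()
```

Calling unresolved_templates() on the lines of an IdP process log with DEBUG enabled for the resolver lists each filter that went to the directory with its variable unexpanded.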