Unable to get memberOf (OpenLDAP, using memberof overlay)

Simon Lundström simlu at su.se
Wed Dec 11 04:57:39 EST 2019

How is your IDP authenticating against your LDAP-servers? At all?

Did you authenticate when using ldapsearch?

Does `ldapsearch -h ldap.domain.tld -x mail=michael.stevens@boku.com memberof` give you the results you want?

It might be an ACL issue.

- Simon

On Wed, 2019-12-11 at 00:43:25 +0100, Stevens, M wrote:
>The first examples are from ldapsearch. If I specify "* +" with ldapsearch, I
>get user attributes and operational attributes, the latter including
>"memberOf" data.
>If I use "* +" in IDP/ReturnAttributes, I get user attributes and
>operational attributes ... but no memberOf.
>I have IDP logging set to debug, and can clearly see it returning 15 user
>attributes when I only include "*" in ReturnAttributes, and 25 user and
>operational attributes when I use "* +" in ReturnAttributes. I've tried
>explicitly including memberOf in ReturnAttributes, but it has no effect.
>Hopefully that's clear ... for whatever reason, ldapsearch thinks "memberOf"
>is an operational attribute, the IDP doesn't appear to.