Troubles with idp.authn.LDAP.returnAttributes property
Guillaume Rousse
guillaume.rousse at renater.fr
Thu Oct 3 09:38:28 EDT 2019
Hello list.
While debugging an authentication issue this morning, I discovered that
our IdP actually stores a full copy of each user LDAP account, including
password hashes, as a JSON string, in its database.
It seems to be caused by the combination of database storage for IdP
sessions, and an undefined value for the idp.authn.LDAP.returnAttributes
property.
Our current configuration uses the default ldap.properties file content:
## Return attributes during authentication
idp.authn.LDAP.returnAttributes =
AFAIK, this results in a property with an undefined value.
The ldap-authn-config.xml configuration file, the only place where this
property is used, also has default content:
<bean id="shibboleth.authn.LDAP.returnAttributes"
parent="shibboleth.CommaDelimStringArray">
<constructor-arg type="java.lang.String"
value="%{idp.authn.LDAP.returnAttributes:1.1}" />
</bean>
According to my understanding of (Spring|Velocity|whatever templating
system used) syntax, this should result in a default value of "1.1" for
the value attribute, as the idp.authn.LDAP.returnAttributes property is
undefined. And according to the documentation
(https://wiki.shibboleth.net/confluence/display/IDP30/LDAPAuthnConfiguration),
it should result in no attribute fetching at all.
However, all attributes are currently being retrieved, which is both
fragile (the authentication issue was caused by a JPEG image stored in
an LDAP attribute, triggering a 'maximum request size exceeded' error)
and undesirable, as it exposes sensitive information.
I'm obviously missing something here, but I can't find what exactly :/
Regards.
--
Guillaume Rousse
Pôle SSI
Tel: +33 1 53 94 20 45
www.renater.fr
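Added example, not part of the post above or of the Shibboleth IdP code base: a small Python model of the two mechanisms the post relies on, so the difference between a property that is absent and one that is present with an empty value can be checked directly. It assumes Spring's placeholder rule that `%{key:default}` falls back to the default only when the key is absent (a key defined as empty resolves to the empty string), and the LDAP rule from RFC 4511 that an empty requested-attribute list returns all user attributes while the special value `1.1` requests none. `load_properties`, `comma_delim_string_array` and `audit_return_attributes` are simplified stand-ins written for this example, not the real Java classes; the three property files are constructed samples.

```python
"""Model of Spring-style placeholder resolution and LDAP attribute-list semantics."""
import re
from typing import Dict, List, Optional

# Matches %{key} or %{key:default}; the default is everything after the first colon.
_PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")

# The bean definition quoted in the post (the template this example resolves).
TEMPLATE = "%{idp.authn.LDAP.returnAttributes:1.1}"


def load_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser for 'key = value' lines.
    A line 'key =' defines key with an EMPTY value; it does not leave key undefined.
    (Simplified stand-in for the real Properties loader.)"""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def resolve_placeholder(template: str, properties: Dict[str, str]) -> str:
    """Resolve %{key:default} as Spring does: the default applies only when the
    key is absent. A key present with an empty value yields the empty string."""
    def _sub(match: "re.Match[str]") -> str:
        key, default = match.group(1), match.group(2)
        value = properties.get(key)
        if value is None:
            if default is None:
                raise KeyError(f"unresolvable placeholder {key!r}")
            return default
        return value
    return _PLACEHOLDER.sub(_sub, template)


def comma_delim_string_array(value: str) -> List[str]:
    """Split a comma-delimited string into tokens, dropping empty ones.
    (Simplified stand-in for the CommaDelimStringArray bean; '' -> [].)"""
    return [t.strip() for t in value.split(",") if t.strip()]


def describe_ldap_attribute_request(attrs: List[str]) -> str:
    """RFC 4511 4.5.1.8: empty list -> all user attributes; '1.1' -> no attributes."""
    if not attrs:
        return "ALL user attributes"
    if attrs == ["1.1"]:
        return "no attributes"
    return "only: " + ", ".join(attrs)


def effective_request(props: Dict[str, str]) -> str:
    """What the LDAP search would ask for, given a resolved ldap.properties."""
    resolved = resolve_placeholder(TEMPLATE, props)
    return describe_ldap_attribute_request(comma_delim_string_array(resolved))


def audit_return_attributes(props: Dict[str, str]) -> Optional[str]:
    """Defensive check: flag a configuration whose resolved attribute list is empty,
    because the directory will then hand back every user attribute (hashes included)."""
    attrs = comma_delim_string_array(resolve_placeholder(TEMPLATE, props))
    if not attrs:
        return "returnAttributes resolves to an empty list: LDAP returns ALL user attributes"
    return None


# Constructed sample: the default ldap.properties lines from the post (key present, empty).
PROPS_EMPTY = load_properties(
    "## Return attributes during authentication\n"
    "idp.authn.LDAP.returnAttributes =\n"
)
# Constructed sample: the same file with the property line removed (key absent).
PROPS_ABSENT = load_properties("## Return attributes during authentication\n")
# Constructed sample: an explicit allow-list of attributes.
PROPS_EXPLICIT = load_properties("idp.authn.LDAP.returnAttributes = uid,mail\n")

if __name__ == "__main__":
    for label, props in (("key present, empty", PROPS_EMPTY),
                         ("key absent", PROPS_ABSENT),
                         ("explicit list", PROPS_EXPLICIT)):
        finding = audit_return_attributes(props)
        print(f"{label:20} -> {effective_request(props)}"
              + (f"  [FINDING] {finding}" if finding else ""))
```

Running it prints one line per sample: the file with the empty assignment resolves to an empty attribute list (all user attributes are returned, which is the finding), the file without the line resolves to `1.1` (no attributes), and the explicit allow-list restricts the search to the named attributes.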