Troubles with idp.authn.LDAP.returnAttributes property

Guillaume Rousse guillaume.rousse at
Thu Oct 3 09:38:28 EDT 2019

Hello list.

While debugging an authentication issue this morning, I discovered that 
our IdP actually stores a full copy of each user LDAP account, including 
password hashes, as a JSON string, in its database.

It seems to be caused by the combination of database storage for IdP 
sessions, and an undefined value for the idp.authn.LDAP.returnAttributes 
property.

Our current configuration uses the default file content:
## Return attributes during authentication
idp.authn.LDAP.returnAttributes =

AFAIK, this results in a property with an undefined value.

The ldap-authn-config.xml configuration file, the only place where this 
property is used, also has default content:
<bean id="shibboleth.authn.LDAP.returnAttributes" parent="shibboleth.CommaDelimStringArray">
    <constructor-arg type="java.lang.String"
        value="%{idp.authn.LDAP.returnAttributes:1.1}" />
</bean>

According to my understanding of (Spring|Velocity|whatever templating 
system used) syntax, this should result in a default value of "1.1" for 
the value attribute, as the idp.authn.LDAP.returnAttributes property is 
undefined. And according to the documentation 
it should result in no attribute fetching at all.

However, all attributes are currently being retrieved. Which is both 
fragile (the authentication issue was caused by a JPEG image stored in 
an LDAP attribute, triggering a 'maximum request size exceeded' error) 
and undesirable, as it exposes sensitive information.

I'm obviously missing something here, but I can't find what exactly :/

Guillaume Rousse
Pôle SSI

Tel: +33 1 53 94 20 45
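The post turns on how a `%{key:default}` placeholder is resolved when the property line is present but has no value, and on what the resulting attribute list means to an LDAP server. The following is an added example, not part of Guillaume's message or of the Shibboleth IdP code base: a small Python model of Spring-style placeholder resolution (the default applies only when the key is absent) and of RFC 4511 attribute selection (an empty attribute list requests all user attributes, the OID "1.1" requests none). The three property-file snippets are constructed for the example; `parse_properties`, `resolve`, `attribute_selection` and `effective_selection` are hypothetical helper names.

```python
import re
from typing import Dict, List

# Constructed sample contents of the relevant part of ldap.properties,
# in three states (hypothetical, not copied from any deployment).
PROPS_COMMENTED_OUT = """
## Return attributes during authentication
#idp.authn.LDAP.returnAttributes = uid,mail
"""

PROPS_EMPTY_VALUE = """
## Return attributes during authentication
idp.authn.LDAP.returnAttributes =
"""

PROPS_EXPLICIT = """
## Return attributes during authentication
idp.authn.LDAP.returnAttributes = uid,mail
"""

# The placeholder as it appears in ldap-authn-config.xml.
TEMPLATE = "%{idp.authn.LDAP.returnAttributes:1.1}"

PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties-style parser: '#'/'!' comments and
    'key = value' lines. A key with nothing after '=' is stored with an
    empty string, which is what Java does too."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        sep = "=" if "=" in line else ":"
        key, _, value = line.partition(sep)
        props[key.strip()] = value.strip()
    return props


def resolve(template: str, props: Dict[str, str]) -> str:
    """Model of Spring placeholder resolution with a ':' default: the default
    is used only when the key is absent. A key that is present with an empty
    value resolves to the empty string, not to the default."""
    def substitute(match: "re.Match[str]") -> str:
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"unresolvable placeholder {key!r}")
    return PLACEHOLDER.sub(substitute, template)


def attribute_selection(value: str) -> List[str]:
    """Split the resolved comma-delimited string into an LDAP attribute list,
    dropping empty entries (an empty string yields an empty list)."""
    return [a.strip() for a in value.split(",") if a.strip()]


def describe(attrs: List[str]) -> str:
    """RFC 4511 section 4.5.1.8: an empty list asks the server for all user
    attributes; the special OID '1.1' asks for no attributes at all."""
    if not attrs:
        return "ALL user attributes"
    if attrs == ["1.1"]:
        return "NO attributes"
    return "only: " + ", ".join(attrs)


def effective_selection(properties_text: str) -> str:
    """What a search issued with this configuration would ask the server for."""
    props = parse_properties(properties_text)
    return describe(attribute_selection(resolve(TEMPLATE, props)))


if __name__ == "__main__":
    for name, text in [("commented out", PROPS_COMMENTED_OUT),
                       ("present but empty", PROPS_EMPTY_VALUE),
                       ("explicit list", PROPS_EXPLICIT)]:
        print(f"{name:18s} -> {effective_selection(text)}")
```

The check this suggests for a deployment is simply to compare the property file against the first two states: a commented-out or deleted line leaves the key absent and the "1.1" default in force, whereas a line ending in "=" defines the key as an empty string, which after splitting is an empty attribute list and therefore a request for every user attribute.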
