Troubles with idp.authn.LDAP.returnAttributes property

Lohr, Donald lohrda at
Thu Oct 3 10:20:53 EDT 2019

Is it getting the password from the ldapsearch'd returned attributes and 
storing that or is it keeping the password that the user provides at 
login and storing that?

On 10/3/19 9:38 AM, Guillaume Rousse wrote:
> Hello list.
> While debugging an authentication issue this morning, I discovered 
> that our IdP actually stores a full copy of each user LDAP account, 
> including password hashes, as a JSON string, in its database.
> It seems to be caused by the combination of database storage for IdP 
> sessions, and an undefined value for the 
> idp.authn.LDAP.returnAttributes property.
> Our current configuration uses the default file content:
> ## Return attributes during authentication
> idp.authn.LDAP.returnAttributes =
> AFAIK, this results in a property with an undefined value.
> The ldap-authn-config.xml configuration file, the only place where 
> this property is used, also has default content:
> <bean id="shibboleth.authn.LDAP.returnAttributes" 
> parent="shibboleth.CommaDelimStringArray">
>     <constructor-arg type="java.lang.String" 
> value="%{idp.authn.LDAP.returnAttributes:1.1}" />
>  </bean>
> According to my understanding of (Spring|Velocity|whatever templating 
> system used) syntax, this should result in a default value of "1.1" 
> for the value attribute, as the idp.authn.LDAP.returnAttributes 
> property is undefined. And according to the documentation 
> (, 
> it should result in no attribute fetching at all.
> However, all attributes are currently being retrieved. Which is both 
> fragile (the authentication issue was caused by a JPEG image stored 
> in an LDAP attribute, triggering a 'maximum request size exceeded' 
> error) and undesirable, as it exposes sensitive information.
> I'm obviously missing something here, but I can't find what exactly :/
> Regards.

D o n a l d   L o h r
  I n f o r m a t i o n   S y s t e m s
  J a m e s   M a d i s o n   U n i v e r s i t y
  5 4 0 . 5 6 8 . 3 7 3 0

  DOS:  Bad command or file name
  bash: command not found
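
As an added illustration (not code from this thread or from the Shibboleth project), the checker below models how the property can end up empty rather than undefined: a line `idp.authn.LDAP.returnAttributes =` defines the key with an empty string, a Spring-style `%{key:default}` placeholder applies its default only when the key is absent (that resolution rule is this example's assumption about the IdP's property handling), and per RFC 4511 an empty attribute list asks the LDAP server for all user attributes while `1.1` asks for none. Running it over a copy of ldap.properties shows which branch a deployment is in.

```python
"""Work out which attribute list an LDAP authn search would send.

Models three layers (assumption, not the IdP's own code):
  1. java.util.Properties parsing: 'key =' defines key as "" (not absent).
  2. Spring-style %{key:default}: default only used when key is absent.
  3. CommaDelimStringArray: split on commas, trim, drop empty items.
Then interprets the result per RFC 4511 s4.5.1.8: an empty list requests
ALL user attributes; the list ["1.1"] requests none.
"""
import re
from typing import Dict, List

PLACEHOLDER = re.compile(r"%\{([^:}]+)(?::([^}]*))?\}")
PROPERTY_LINE = re.compile(r"([^=:\s]+)\s*[=:]?\s*(.*)$")
RETURN_ATTRS_TEMPLATE = "%{idp.authn.LDAP.returnAttributes:1.1}"


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal .properties reader: '#'/'!' comments, 'key = value', empty values kept."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = PROPERTY_LINE.match(line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def resolve_placeholder(template: str, props: Dict[str, str]) -> str:
    """Replace %{key:default}; a key defined as "" still wins over the default."""
    def sub(m: "re.Match[str]") -> str:
        key, default = m.group(1), m.group(2)
        if key in props:
            return props[key]
        return default if default is not None else m.group(0)
    return PLACEHOLDER.sub(sub, template)


def comma_delim_string_array(value: str) -> List[str]:
    return [p.strip() for p in value.split(",") if p.strip()]


def effective_return_attributes(properties_text: str) -> List[str]:
    """Attribute list the bean would hand to the LDAP search for this properties file."""
    resolved = resolve_placeholder(RETURN_ATTRS_TEMPLATE, parse_properties(properties_text))
    return comma_delim_string_array(resolved)


def classify(attrs: List[str]) -> str:
    if not attrs:
        return "ALL user attributes (empty list, RFC 4511): whole entry is fetched and may be stored"
    if attrs == ["1.1"]:
        return "NO attributes (1.1)"
    return "explicit: " + ", ".join(attrs)


if __name__ == "__main__":
    # Constructed sample configs: shipped default, commented out, explicit list.
    for sample in ("idp.authn.LDAP.returnAttributes =",
                   "#idp.authn.LDAP.returnAttributes =",
                   "idp.authn.LDAP.returnAttributes = mail, displayName"):
        print(f"{sample!r:55} -> {classify(effective_return_attributes(sample))}")
```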
