Troubles with idp.authn.LDAP.returnAttributes property

Peter Schober peter.schober at univie.ac.at
Thu Oct 3 11:16:50 EDT 2019


* Cantor, Scott <cantor.2 at osu.edu> [2019-10-03 16:55]:
> On 10/3/19, 10:48 AM, "users on behalf of Peter Schober" <users-bounces at shibboleth.net on behalf of peter.schober at univie.ac.at> wrote:
> 
> > Having said that I do agree that it would be a good precaution for the
> > IDP to default to something else if that property was unset by the
> > deployer, however that would work, essentially forcing the depolyer to
> > set that property to "1.1" when they really mean "give me all
> > attributes I have access to".
> 
> ...is that what "1.1" means? That did seem odd, but I thought that was just a stand-in for a non-existent attribute name to avoid getting anything.

My bad. I mixed that up, "1.1" actually means "no attributes":
https://www.rfc-editor.org/rfc/rfc4511.html#section-4.5.1.8

Asterisk is "all" but not asking for anything (not even asterisk) is
equivalent to that, which is the source of the issue (when
misconfiguring both the property and the LDAP server).

So what I should have written is forcing the deployer to set that
property to "*" if they literally mean "get me everything" by falling
back to something else if the property is set to (empty).

> If we're defaulting an empty/unset property to actually deliberately
> "get everything", that's definitely not what we should do.

I meant that if it was possible to default properties explicitly set
to (empty) by the deployer, then ideally the IDP should translate
that into asking for "1.1".

Sorry for the confusion,
-peter
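The RFC 4511 semantics discussed in this thread, and the fail-safe defaulting Peter proposes, modelled as an added example (not Shibboleth IdP code; the property separator syntax and the sample entry are assumptions):

```python
"""Fail-safe handling of an LDAP "returned attributes" property.

Per RFC 4511 section 4.5.1.8 an *empty* attribute list in a SearchRequest
means "all user attributes", while the special value "1.1" means "no
attributes". A property left blank by the deployer therefore silently turns
into "fetch everything" unless the software maps blank to "1.1" itself.
"""
from typing import Dict, List, Optional

NO_ATTRIBUTES = "1.1"       # RFC 4511 4.5.1.8: request no attributes
ALL_USER_ATTRIBUTES = "*"   # RFC 4511 4.5.1.8: request all user attributes

# Constructed directory entry used for the simulation below.
SAMPLE_ENTRY: Dict[str, str] = {
    "uid": "jdoe",
    "mail": "jdoe@example.org",
    "telephoneNumber": "+1 555 0100",
}


def split_property(value: Optional[str]) -> List[str]:
    """Split a comma/whitespace separated property value into attribute names.
    The separator syntax is an assumption made for this example."""
    if value is None:
        return []
    return [name for name in value.replace(",", " ").split() if name]


def naive_search_attributes(value: Optional[str]) -> List[str]:
    """Pass-through behaviour: a blank property becomes an empty list, which
    the LDAP server interprets as "all user attributes"."""
    return split_property(value)


def failsafe_search_attributes(value: Optional[str]) -> List[str]:
    """Defaulting rule from the thread: blank/unset becomes "1.1" (nothing), so
    the deployer has to write "*" when they really mean "everything"."""
    attrs = split_property(value)
    return attrs if attrs else [NO_ATTRIBUTES]


def server_returns(requested: List[str], entry: Dict[str, str]) -> Dict[str, str]:
    """Simulate the server-side attribute selection of RFC 4511 4.5.1.8.
    Empty list or "*" yields all user attributes; "1.1" matches no real
    attribute, so alone it yields nothing and next to other names it is
    simply ignored."""
    if not requested or ALL_USER_ATTRIBUTES in requested:
        return dict(entry)
    return {k: v for k, v in entry.items() if k in requested}
```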

