Reading groups membership in Shibboleth 4.0.1
Feinstein, Moses
moses.feinstein at touro.edu
Tue Dec 1 15:35:11 UTC 2020
The issue appears to be with reading any operational attributes from the LDAP (opendj)
The issue is definitely not with permissions since I am using Directory Manager and I am able to run ldapsearch and extract these attributes.
I can extract “standard” attributes (uid, sn, givenName) but not operational ones (createTimestamp, isMemberOf).
Not sure why Shibboleth does not pull operational attributes from LDAP when they are explicitly specified.
Ldap.properties:
idp.attribute.resolver.LDAP.returnAttributes = mail displayName sn givenName uid cn isMemberOf createTimestamp
attribute-resolver:
<AttributeDefinition xsi:type="Simple" id="isMemberOf">
<InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
</AttributeDefinition>
<AttributeDefinition id="membership" xsi:type="Mapped">
<InputAttributeDefinition ref="isMemberOf" />
<DefaultValue passThru="true"/>
<ValueMap>
<ReturnValue>return_membership</ReturnValue>
<SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
</ValueMap>
<AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
</AttributeDefinition>
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
principal="%{idp.attribute.resolver.LDAP.bindDN}"
principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
<FilterTemplate>
<![CDATA[
%{idp.attribute.resolver.LDAP.searchFilter}
]]>
</FilterTemplate>
<ConnectionPool
minPoolSize="%{idp.pool.LDAP.minSize:3}"
maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
validateDN="%{idp.pool.LDAP.validateDN:}"
validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
I am able to perform an LDAP search and return these attributes without any issues using the same account.
sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL --bindDN "cn=Directory Manager" -b "dc=example,dc=org" "(uid=awong)" uid mail isMemberOf createTimestamp
dn: uid=awong,ou=People,dc=example,dc=org
mail: awong@example.org
uid: awong
createTimestamp: 20201126184936Z
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher
Sent: Monday, November 30, 2020 5:11 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Reading groups membership in Shibboleth 4.0.1
On Mon, Nov 30, 2020 at 10:01 AM Feinstein, Moses <moses.feinstein at touro.edu> wrote:
The configuration below works if I substitute “isMemberOf” in the attribute resolver with any other attribute (displayName, for example); however, for some reason it is unable to read “isMemberOf”: it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).
Since “isMemberOf” is part of operational attributes, I am not sure if there is anything else that needs to be configured on Shibboleth side.
Am I missing something in my configuration below to be able to read operational attribute “isMemberOf” from the LDAP?
What does your DataConnector configuration look like? Assuming the permissions are correct, requesting isMemberOf specifically is all you need to do.
--Daniel Fisher
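The Mapped definition in the thread (isMemberOf -> membership with DefaultValue passThru="true") can be simulated offline; the script below is an added example, not code from the thread or from the Shibboleth project. It parses a constructed LDIF entry modelled on the ldapsearch output above, with one extra group added so that the passThru behaviour is visible: any group DN not matched by a SourceValue is forwarded to the SP unchanged, and an entry with no isMemberOf values yields an empty membership attribute, which is what the poster observes. SourceValue is treated as a full-match regular expression, as Shibboleth does; the helper names are assumptions.

```python
# Added example: simulate Shibboleth's Mapped AttributeDefinition semantics
# (ValueMap + DefaultValue passThru) on isMemberOf values from an LDIF entry.
import re

# Constructed LDIF, modelled on the ldapsearch output in the post, plus one
# extra group (cn=Finance) that the ValueMap does not cover.
SAMPLE_LDIF = """\
dn: uid=awong,ou=People,dc=example,dc=org
mail: awong@example.org
uid: awong
createTimestamp: 20201126184936Z
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
isMemberOf: cn=Finance,ou=Groups,dc=example,dc=org
"""

# The <ValueMap> from the post: (ReturnValue, SourceValue, caseSensitive)
VALUE_MAP = [("return_membership", "cn=testgroup,ou=Groups,dc=example,dc=org", False)]


def parse_ldif_entry(ldif: str) -> dict:
    """Parse one LDIF entry into {attribute_name_lowercased: [values]}."""
    entry = {}
    for line in ldif.splitlines():
        m = re.match(r"^([A-Za-z][\w;-]*):\s*(.*)$", line)
        if m:
            entry.setdefault(m.group(1).lower(), []).append(m.group(2))
    return entry


def map_values(values, value_map, pass_thru=True):
    """Apply Mapped semantics: every input value is tested against each SourceValue
    (a regex; DNs with regex metacharacters would need escaping). A match emits the
    ReturnValue; a non-match is forwarded unchanged when passThru is true, else dropped."""
    out = []
    for v in values:
        matched = False
        for ret, src, case_sensitive in value_map:
            flags = 0 if case_sensitive else re.IGNORECASE
            if re.fullmatch(src, v, flags):
                out.append(ret)
                matched = True
        if not matched and pass_thru:
            out.append(v)  # passThru discloses the raw group DN to the relying party
    return out


def resolve_membership(ldif=SAMPLE_LDIF, pass_thru=True):
    """Resolve the 'membership' attribute the way the post's resolver chain would."""
    entry = parse_ldif_entry(ldif)
    return map_values(entry.get("ismemberof", []), VALUE_MAP, pass_thru)
```

Run with pass_thru=False to see the safer variant that releases only the mapped value and suppresses every other group DN.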