Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at touro.edu
Tue Dec 1 16:29:57 UTC 2020


I believe this was replaced with exportAttributes in 4.0.1; however, I did try to add returnAttribute previously as well, got a deprecated warning but no error, however the operational attributes did not come in.

exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
<ReturnAttributes>mail displayName sn givenName uid cn isMemberOf createTimestamp</ReturnAttributes>






Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu


From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher
Sent: Tuesday, December 1, 2020 11:17 AM
To: Shib Users <users at shibboleth.net>
Subject: Re: Reading groups membership in Shibboleth 4.0.1

On Tue, Dec 1, 2020 at 10:35 AM Feinstein, Moses <moses.feinstein at touro.edu> wrote:

    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
        exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">

        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>

        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            validateDN="%{idp.pool.LDAP.validateDN:}"
            validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
    </DataConnector>

I believe you need to add a <ReturnAttributes /> element to your DataConnector which includes the operational attribute.

--Daniel Fisher
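Added example, not taken from either message above nor from the Shibboleth project's own distribution: the DataConnector from the thread with the <ReturnAttributes> element Daniel points to. The reason it matters is an LDAP protocol rule, not an IdP quirk: a search returns only user attributes unless the client names the attributes it wants, and operational attributes such as createTimestamp (and isMemberOf on directories that implement it as an operational or virtual attribute) are never included by default (RFC 4512 section 3.4). <ReturnAttributes> is the list the IdP sends in the search request; exportAttributes only says which of the attributes that came back are exposed directly as IdP attributes. The connector id, the %{...} property names and the pool settings are the ones from the thread; the two attribute lists are written out literally here (an assumption, the page used the returnAttributes property for exportAttributes) so the two roles are visible side by side.

```xml
<!-- attribute-resolver.xml fragment: added example, not the page's or the
     project's own configuration. Values other than the two attribute lists
     are the %{...} properties shown in the thread. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    exportAttributes="mail displayName sn givenName uid cn isMemberOf createTimestamp">
    <!-- exportAttributes: which of the RETURNED attributes become IdP
         attributes without a separate AttributeDefinition. It does not
         change what the directory is asked for. -->

    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>

    <!-- ReturnAttributes: the attribute list placed in the LDAP search
         request. Operational attributes (createTimestamp; isMemberOf where
         the server treats it as operational) are only returned when named
         here, so an entry in exportAttributes alone is not enough. Naming
         them explicitly also keeps the request to the minimum the IdP
         needs, rather than pulling every operational attribute with "+". -->
    <ReturnAttributes>mail displayName sn givenName uid cn isMemberOf createTimestamp</ReturnAttributes>

    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        validateDN="%{idp.pool.LDAP.validateDN:}"
        validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
```

Two checks before blaming the resolver. First, confirm the directory actually hands the operational attribute to the IdP's bind identity when it is requested by name, for example with OpenLDAP's client: ldapsearch -H <ldapURL> -D <bindDN> -W -b <baseDN> '(uid=someuser)' isMemberOf createTimestamp; if it is absent there, the fix is an ACI on the directory side, not the IdP config. Second, note that the thread's connector defaults useStartTLS to false: with a plain ldap:// URL that means the bind DN's password and every attribute returned, group memberships included, cross the network in clear, so either use an ldaps:// URL or set idp.attribute.resolver.LDAP.useStartTLS=true with a trustFile that pins the directory's CA.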
