Reading groups membership in Shibboleth 4.0.1

Tue Dec 1 16:31:41 UTC 2020

** remove log file, the size was too large. 

Thank you Scott. Yea, the ldapsearch example was to rule out that the account in use has sufficient permissions to pull those attributes, + extracts all operational attributes, however specifying them individually does it as well. In 4.0.1 for some reasons I simply can't get it to pull them out, it works for me in 3.3.2 version, which is almost identical in configuration minus the differences in the attribute-resolver config. 

I enabled debugger for LDAP, however even in response I don't see operational attributes show up.
idp.attribute.resolver.LDAP.returnAttributes	= mail displayName sn givenName uid cn isMemberOf createTimestamp

This is the response I get in debug mode: 
2020-12-01 11:17:43,187 - 192.168.50.245 - DEBUG [org.ldaptive.SearchOperation:154] - execute response=[org.ldaptive.Response at 707708292::result=[org.ldaptive.SearchResult at 1972159575::entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong at example.org]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest at 778858510::baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler at -1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1476293674::config=[org.ldaptive.ConnectionConfig at 742418862::ldapUrl=ldaps://centos.example.org:1636, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig at 945795630::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$$Lambda$315/0x00000001006adc40 at 2e9549d0, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 917687149::bindDn=cn=Directory Manager, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy at 1910d90c], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory at 1095538092::metadata=[ldapUrl=ldaps://centos.example.org:1636, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig at 2008506547::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor at 1019f8d8, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection at 46c1ef9e]

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Emaill: moses.feinstein at touro.edu

-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, December 1, 2020 10:38 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: Reading groups membership in Shibboleth 4.0.1

External Email

Shibboleth doesn't do LDAP, the library it uses on top of the UnboundID client does. Nothing ldapsearch shows has anything to do with what a totally different set of code will do, it's pointless for comparison.

I thought OpenLDAP required specifying + as a returned attribute to get operational attributes (whatever those are). Maybe other LDAP servers do.

-- Scott

--
For Consortium Member technical support, see https://urldefense.com/v3/__https://wiki.shibboleth.net/confluence/x/coFAAg__;!!HoV-yHU!93H4zEgXjdtvyU-VDtUMpiyabwh5Kfmr75R-ebArTQdk5tizzyEXLWVDcgfhcVjJ_Tmw0w$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net