Reading groups membership in Shibboleth 4.0.1
Donald Lohr
lohrda at jmu.edu
Tue Dec 1 18:35:44 UTC 2020
If you break apart your log data, here's what I see referring to the
following portion of your log:
[org.ldaptive.SearchOperation:154] - execute response=
You see this:
[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]],
[mail[awong at example.org]], [givenName[Ada]],
[displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]],
[objectClass[top, person, organizationalPerson, inetOrgPerson]],
[entryDN[uid=awong,ou=People,dc=example,dc=org]],
[userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]],
...if you break it down and make it look similar to the results returned
from a command-line ldapsearch, you will find:
dn=uid=awong,ou=People,dc=example,dc=org
uid[awong]
mail[awong at example.org]
givenName[Ada]
displayName[some_display_name]
cn[Ada D. Wong]
sn[Wong]
*objectClass*[top, person, organizationalPerson, inetOrgPerson]
*entryDN*[uid=awong,ou=People,dc=example,dc=org]
*userPassword*[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]
Based on the attribute list you say you are asking for:
mail displayName sn givenName uid cn isMemberOf createTimestamp
...your shib/ldap config is ONLY getting back the normal attributes that
are available. I say that because objectClass, entryDN and
userPassword are in the returned results and these were not asked for.
So this tells me your Shib/ldap config is not asking for what you want.
If you look at another portion of your log, you will see:
baseDn=ou=People,dc=example,dc=org,
searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong),
parameters={}], returnAttributes=[], searchScope=SUBTREE,
timeLimit=PT3S, sizeLimit=1,
...if you break it down, you see the following:
baseDn=ou=People,dc=example,dc=org
filter=(uid=awong)
*returnAttributes*=[]
searchScope=SUBTREE
timeLimit=PT3S
sizeLimit=1
Note that the *returnAttributes* line is not listing the attributes you
require, thus you are ONLY getting normal attributes.
Don
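The comparison Don walks through by hand (configured list vs. the `returnAttributes=[...]` ldaptive logged vs. the attribute names in the returned entry) can be scripted. This is an added example, not code from the thread or from Shibboleth/ldaptive; the log excerpt is constructed in the shape of the quoted DEBUG line, with the password hash replaced by a placeholder.

```python
import re

# Constructed excerpt in the shape of the ldaptive DEBUG line quoted in the thread:
# the returned entry, then the request with its returnAttributes. Not real log output.
SAMPLE_LOG = (
    "execute response=[... entries=[[dn=uid=awong,ou=People,dc=example,dc=org"
    "[[uid[awong]], [mail[awong@example.org]], [givenName[Ada]], "
    "[displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], "
    "[objectClass[top, person, organizationalPerson, inetOrgPerson]], "
    "[entryDN[uid=awong,ou=People,dc=example,dc=org]], "
    "[userPassword[{SSHA512}REDACTED]]], ...]] for request=[... "
    "filter=(uid=awong), parameters={}], returnAttributes=[], "
    "searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1, ...]"
)

# The list the poster set in idp.attribute.resolver.LDAP.returnAttributes.
CONFIGURED = "mail displayName sn givenName uid cn isMemberOf createTimestamp".split()

def requested_attributes(log_line):
    """Attributes ldaptive actually put in the SearchRequest (returnAttributes=[...])."""
    m = re.search(r"returnAttributes=\[([^\]]*)\]", log_line)
    if m is None:
        raise ValueError("no SearchRequest returnAttributes in this line")
    return [a.strip() for a in m.group(1).split(",") if a.strip()]

def returned_attributes(log_line):
    """Attribute names in the returned entry; ldaptive prints them as [name[value]]."""
    return re.findall(r"\[([A-Za-z][\w;-]*)\[", log_line)

def diagnose(log_line, configured):
    """Compare what was configured, what was requested and what came back."""
    requested = requested_attributes(log_line)
    returned = set(returned_attributes(log_line))
    findings = []
    if not requested:
        # Empty list: the server picks, so only user attributes (plus anything a
        # handler adds, e.g. entryDN from DnAttributeEntryHandler) come back.
        findings.append("returnAttributes is empty: the configured list never "
                        "reached the search request")
    missing = [a for a in configured if a not in returned]
    if missing:
        findings.append("configured but absent from the entry: " + ", ".join(missing)
                        + "; servers send operational attributes only when asked "
                        "(by name, or '+' per RFC 3673)")
    unrequested = sorted(a for a in returned if a not in configured)
    return {"requested": requested, "missing": missing,
            "unrequested": unrequested, "findings": findings}

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG, CONFIGURED)["findings"]:
        print("-", finding)
```

Run it against a real `org.ldaptive.SearchOperation` DEBUG line to see at a glance whether the configured list reached the request at all.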
On 12/1/20 11:31 AM, Feinstein, Moses wrote:
>
> ** remove log file, the size was too large.
>
> Thank you Scott. Yea, the ldapsearch example was to rule out that the account in use has sufficient permissions to pull those attributes, + extracts all operational attributes, however specifying them individually does it as well. In 4.0.1 for some reason I simply can't get it to pull them out, it works for me in 3.3.2 version, which is almost identical in configuration minus the differences in the attribute-resolver config.
>
> I enabled debugger for LDAP, however even in response I don't see operational attributes show up.
> idp.attribute.resolver.LDAP.returnAttributes = mail displayName sn givenName uid cn isMemberOf createTimestamp
>
> This is the response I get in debug mode:
> 2020-12-01 11:17:43,187 - 192.168.50.245 - DEBUG [org.ldaptive.SearchOperation:154] - execute response=[org.ldaptive.Response at 707708292::result=[org.ldaptive.SearchResult at 1972159575::entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong at example.org]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest at 778858510::baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=
> 1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler at -1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1476293674::config=[org.ldaptive.ConnectionConfig at 742418862::ldapUrl=ldaps://centos.example.org:1636, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig at 945795630::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$$Lambda$315/0x00000001006adc40 at 2e9549d0, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 917687149::bindDn=cn=Directory Manager, bindSaslConfig=null, bindC
> ontrols=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy at 1910d90c], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory at 1095538092::metadata=[ldapUrl=ldaps://centos.example.org:1636, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig at 2008506547::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor at 1019f8d8, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection at 46c1ef9e]
>
> Moses Feinstein
> Sr. Software / IAM Engineer, App Dev Dept
> Email: moses.feinstein at touro.edu
>
>
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
> Sent: Tuesday, December 1, 2020 10:38 AM
> To: Shib Users <users at shibboleth.net>
> Subject: RE: Reading groups membership in Shibboleth 4.0.1
>
>
> Shibboleth doesn't do LDAP, the library it uses on top of the UnboundID client does. Nothing ldapsearch shows has anything to do with what a totally different set of code will do, it's pointless for comparison.
>
> I thought OpenLDAP required specifying + as a returned attribute to get operational attributes (whatever those are). Maybe other LDAP servers do.
>
> -- Scott
>
> --
> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Donald Lohr
Information Systems
James Madison University
540.568.3730