Reading groups membership in Shibboleth 4.0.1

Donald Lohr lohrda at
Tue Dec 1 18:35:44 UTC 2020

If you break apart your log data, here's what I see referring to the 
following portion of your log:

[org.ldaptive.SearchOperation:154] - execute response=

You see this:

[mail[awong at]], [givenName[Ada]], 
[displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], 
[objectClass[top, person, organizationalPerson, inetOrgPerson]], 

...if you break it down and make it look similar to the results returned 
from a command-line ldapsearch, you will find:

mail[awong at]
cn[Ada D. Wong]
*objectClass*[top, person, organizationalPerson, inetOrgPerson]

Based on the attribute list you say you are asking for:

mail displayName sn givenName uid cn isMemberOf createTimestamp

...your shib/ldap config is ONLY getting back the normal attributes that 
are available.  I say that because objectClass, entryDN and 
userPassword are in the returned results and these were not asked for.

So this tells me your Shib/ldap config is not asking for what you want.

If you look at another portion of your log, you will see:

searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), 
parameters={}], returnAttributes=[], searchScope=SUBTREE, 
timeLimit=PT3S, sizeLimit=1,

...if you break it down, you see the following:


Note that the *returnAttributes* line is not listing the attributes you 
require, thus you are ONLY getting normal attributes.


On 12/1/20 11:31 AM, Feinstein, Moses wrote:
> ** remove log file, the size was too large.
> Thank you Scott. Yea, the ldapsearch example was to rule out that the account in use has sufficient permissions to pull those attributes, + extracts all operational attributes, however specifying them individually does it as well. In 4.0.1 for some reasons I simply can't get it to pull them out, it works for me in 3.3.2 version, which is almost identical in configuration minus the differences in the attribute-resolver config.
> I enabled debugger for LDAP, however even in response I don't see operational attributes show up.
> idp.attribute.resolver.LDAP.returnAttributes    = mail displayName sn givenName uid cn isMemberOf createTimestamp
> This is the response I get in debug mode:
> 2020-12-01 11:17:43,187 - - DEBUG [org.ldaptive.SearchOperation:154] - execute response=[org.ldaptive.Response at 707708292::result=[org.ldaptive.SearchResult at 1972159575::entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong at]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest at 778858510::baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=
>   1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler at -1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1476293674::config=[org.ldaptive.ConnectionConfig at 742418862::ldapUrl=ldaps://, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig at 945795630::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$$Lambda$315/0x00000001006adc40 at 2e9549d0, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 917687149::bindDn=cn=Directory Manager, bindSaslConfig=null, bindC
>   ontrols=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy at 1910d90c], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory at 1095538092::metadata=[ldapUrl=ldaps://, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig at 2008506547::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor at 1019f8d8, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection at 46c1ef9e]
> Moses Feinstein
> Sr. Software / IAM Engineer, App Dev Dept
> Email: moses.feinstein at
> -----Original Message-----
> From: users <users-bounces at> On Behalf Of Cantor, Scott
> Sent: Tuesday, December 1, 2020 10:38 AM
> To: Shib Users <users at>
> Subject: RE: Reading groups membership in Shibboleth 4.0.1
> External Email
> Shibboleth doesn't do LDAP, the library it uses on top of the UnboundID client does. Nothing ldapsearch shows has anything to do with what a totally different set of code will do, it's pointless for comparison.
> I thought OpenLDAP required specifying + as a returned attribute to get operational attributes (whatever those are). Maybe other LDAP servers do.
> -- Scott
> --
> For Consortium Member technical support, see;!!HoV-yHU!93H4zEgXjdtvyU-VDtUMpiyabwh5Kfmr75R-ebArTQdk5tizzyEXLWVDcgfhcVjJ_Tmw0w$
> To unsubscribe from this list send an email to users-unsubscribe at

Donald Lohr
Information Systems
James Madison University
540.568.3730
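The check Donald does by hand above (split the ldaptive DEBUG line, list what came back, compare with the request's returnAttributes), as an added example that is not from the thread or from the Shibboleth or ldaptive projects. The log line is a constructed, shortened copy of the one quoted in the thread, with the password hash replaced by a placeholder; the function and its result keys are my own names.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the ldaptive "execute response" DEBUG line
# quoted in the thread (shortened, hash replaced by a placeholder).
SAMPLE_LOG = (
    "2020-12-01 11:17:43,187 - - DEBUG [org.ldaptive.SearchOperation:154] - "
    "execute response=[org.ldaptive.Response at 707708292::result="
    "[org.ldaptive.SearchResult at 1::entries=[[dn=uid=awong,ou=People,dc=example,dc=org"
    "[[uid[awong]], [mail[awong at example.org]], [givenName[Ada]], "
    "[displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], "
    "[objectClass[top, person, organizationalPerson, inetOrgPerson]], "
    "[entryDN[uid=awong,ou=People,dc=example,dc=org]], "
    "[userPassword[{SSHA512}PLACEHOLDER]]], responseControls=null, messageId=2]], "
    "references=[]], resultCode=SUCCESS] for request=[org.ldaptive.SearchRequest at 2::"
    "baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at 3::"
    "filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, "
    "timeLimit=PT3S, sizeLimit=1]"
)

# The list the thread sets in idp.attribute.resolver.LDAP.returnAttributes.
CONFIGURED = "mail displayName sn givenName uid cn isMemberOf createTimestamp".split()

_ATTR_RE = re.compile(r"\[(\w+)\[")                # "[mail[awong ...]]" -> "mail"
_RETURN_RE = re.compile(r"returnAttributes=\[([^\]]*)\]")


def analyze(log_line: str, configured: List[str]) -> Dict[str, object]:
    """Compare what the IdP asked the directory for with what it got back."""
    response, sep, request = log_line.partition(" for request=")
    if not sep:
        raise ValueError("not an ldaptive 'execute response' line")
    returned = sorted(set(_ATTR_RE.findall(response)))
    match = _RETURN_RE.search(request)
    requested = [a for a in match.group(1).split(", ") if a] if match else []
    return {
        "returned": returned,                       # attributes present in the entry
        "requested": requested,                     # contents of returnAttributes=[...]
        "request_empty": not requested,             # [] means "server defaults" only
        "missing": [a for a in configured if a not in returned],
        "unrequested": [a for a in returned if a not in requested],
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, CONFIGURED).items():
        print(f"{key}: {value}")
```

Run against the sample it reports an empty request and isMemberOf / createTimestamp missing, which is exactly the symptom the thread describes: the configured list never reached the SearchRequest.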
