Reading groups membership in Shibboleth 4.0.1

Donald Lohr lohrda at jmu.edu
Tue Dec 1 18:37:26 UTC 2020


See my last 1:35pm reply. What you are reporting is not an OpenLDAP vs. OpenDJ issue.

On 12/1/20 11:24 AM, Feinstein, Moses wrote:
>
> I see. Yes, my next step was to attempt the same with openldap instead of opendj, I'll give it a shot. Thanks.
>
>
>
>
> Moses Feinstein
> Sr. Software / IAM Engineer, App Dev Dept
> Email: moses.feinstein at touro.edu
>
>
> -----Original Message-----
> From: users <users-bounces at shibboleth.net> On Behalf Of John C. Pfeifer
> Sent: Tuesday, December 1, 2020 11:06 AM
> To: Shib Users <users at shibboleth.net>
> Subject: Re: Reading groups membership in Shibboleth 4.0.1
>
> I make extensive use of the memberOf attribute (pulled from OpenLDAP) in my attribute resolver without any issue.
>
> It may help to follow the documented method for specifying the attributes to request from LDAP in your data connector:
>
>          https://wiki.shibboleth.net/confluence/display/IDP4/ReturnAttributes
>
>> On Dec 1, 2020, at 10:35 AM, Feinstein, Moses <moses.feinstein at touro.edu> wrote:
>>
>>
>> The issue appears to be with reading any operational attributes from the LDAP (OpenDJ).
>>
>> The issue is definitely not with permissions since I am using Directory Manager and I am able to run ldapsearch and extract these attributes.
>>
>> I can extract “standard” attributes (uid, sn, givenName) but not operational ones (createTimestamp, isMemberOf).
>>
>> Not sure why shibboleth does not pull operational attributes from ldap when explicitly specified.
>>
>> ldap.properties:
>> idp.attribute.resolver.LDAP.returnAttributes = mail displayName sn givenName uid cn isMemberOf createTimestamp
>>
>>
>> attribute-resolver:
>> <AttributeDefinition xsi:type="Simple" id="isMemberOf">
>>     <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
>> </AttributeDefinition>
>>
>> <AttributeDefinition id="membership" xsi:type="Mapped">
>>     <InputAttributeDefinition ref="isMemberOf" />
>>     <DefaultValue passThru="true"/>
>>     <ValueMap>
>>         <ReturnValue>return_membership</ReturnValue>
>>         <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
>>     </ValueMap>
>>     <AttributeEncoder xsi:type="SAML2String" name="membership"
>>                       friendlyName="membership" encodeType="false" />
>> </AttributeDefinition>
>>
>> <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
>>     ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
>>     baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
>>     principal="%{idp.attribute.resolver.LDAP.bindDN}"
>>     principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
>>     useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
>>     connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
>>     trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
>>     responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
>>     exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
>>
>>     <FilterTemplate>
>>         <![CDATA[
>>             %{idp.attribute.resolver.LDAP.searchFilter}
>>         ]]>
>>     </FilterTemplate>
>>
>>     <ConnectionPool
>>         minPoolSize="%{idp.pool.LDAP.minSize:3}"
>>         maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
>>         blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
>>         validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
>>         validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
>>         validateDN="%{idp.pool.LDAP.validateDN:}"
>>         validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
>>         expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
>> </DataConnector>
>>
>>
>> I am able to perform an LDAP search and return these attributes without any issues using the same account:
>>
>> sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL \
>>     --bindDN "cn=Directory Manager" -b "dc=example,dc=org" "(uid=awong)" \
>>     uid mail isMemberOf createTimestamp
>>
>> dn: uid=awong,ou=People,dc=example,dc=org
>> mail: awong@example.org
>> uid: awong
>> createTimestamp: 20201126184936Z
>> isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>>
>>
>>
>> Moses Feinstein
>> Sr. Software / IAM Engineer, App Dev Dept
>> Email: moses.feinstein at touro.edu
>>
>>
>> From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher
>> Sent: Monday, November 30, 2020 5:11 PM
>> To: Shib Users <users at shibboleth.net>
>> Subject: Re: Reading groups membership in Shibboleth 4.0.1
>>
>> On Mon, Nov 30, 2020 at 10:01 AM Feinstein, Moses <moses.feinstein at touro.edu> wrote:
>>
>> Below configuration works, if I substitute “isMemberOf” in attribute resolver with any other attribute (displayName for example), however for some reason it is unable to read “isMemberOf”, it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).
>>
>> Since “isMemberOf” is part of operational attributes, I am not sure if there is anything else that needs to be configured on Shibboleth side.
>>
>> Am I missing something in my configuration below to be able to read operational attribute “isMemberOf” from the LDAP?
>>
>> What does your DataConnector configuration look like? Assuming the permissions are correct, requesting isMemberOf specifically is all you need to do.
>>
>> --Daniel Fisher
>> --
>> For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
>> To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
>
> //
> John Pfeifer
> Division of Information Technology
> University of Maryland, College Park
>

-- 
D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0


