Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at
Tue Dec 1 23:39:04 UTC 2020

Thank you for the elaborate explanation.

Yes, the issue indeed was with the query not passing the specified attributes.

The configuration below works just fine, and now I see the “isMemberOf” attribute. To release all operational attributes you can also use “+”, as previously noted by Scott.

Scott clarified that “exportAttributes” is not a substitute for “returnAttributes”. I had used the default file available in 4.0.1 (attribute-resolver-ldap.xml) as a sample, which provided only “exportAttributes”, leading me to believe that it serves the same purpose.

Brent Putman noted that there was an issue in my XML for the return attributes statement, which is what prevented the attributes from being specified in the query.

Thank you for helping me to resolve this issue. This is a wonderful community to be a part of.

               <DataConnector id="myLDAP" xsi:type="LDAPDirectory" ...>
                   <ReturnAttributes>mail displayName sn givenName uid cn isMemberOf createTimestamp</ReturnAttributes>
               </DataConnector>

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at
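The log breakdown Donald Lohr describes in the quoted message below (comparing the configured attribute list, the returnAttributes actually sent in the request, and the attributes that came back in the entry) can be automated. This is an added example, not code from this thread or from Shibboleth/ldaptive; it runs against a constructed log line modelled on the one quoted below, with the mail domain invented and the password hash replaced by a placeholder.

```python
import re

# Constructed sample log line, modelled on the ldaptive DEBUG output quoted in this
# thread (object identities shortened, mail domain invented, password hash replaced).
SAMPLE_LOG = (
    "2020-12-01 11:17:43,187 - - DEBUG [org.ldaptive.SearchOperation:154] - execute "
    "response=[org.ldaptive.Response@1::result=[org.ldaptive.SearchResult@2::"
    "entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], "
    "[mail[awong@example.org]], [givenName[Ada]], [displayName[some_display_name]], "
    "[cn[Ada D. Wong]], [sn[Wong]], "
    "[objectClass[top, person, organizationalPerson, inetOrgPerson]], "
    "[entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}REDACTED]]], "
    "responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS] "
    "for request=[org.ldaptive.SearchRequest@3::baseDn=ou=People,dc=example,dc=org, "
    "searchFilter=[org.ldaptive.SearchFilter@4::filter=(uid=awong), parameters={}], "
    "returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1]"
)

# The list configured in idp.attribute.resolver.LDAP.returnAttributes in the thread.
CONFIGURED = "mail displayName sn givenName uid cn isMemberOf createTimestamp".split()

def requested_attributes(log_line):
    """Attributes the IdP actually put in the search request (returnAttributes=[...])."""
    m = re.search(r"returnAttributes=\[([^\]]*)\]", log_line)
    if m is None:
        return None
    return [a.strip() for a in m.group(1).split(",") if a.strip()]

def returned_attributes(log_line):
    """Attribute names in the returned entry; ldaptive prints each as [name[value]]."""
    m = re.search(r"entries=\[\[dn=[^\[]*(\[\[.*?\]\]\]), responseControls", log_line)
    if m is None:
        return []
    return re.findall(r"\[([A-Za-z][\w;-]*)\[", m.group(1))

def diagnose(log_line, configured):
    """Compare configured vs requested vs returned attributes, as done by hand below."""
    requested = requested_attributes(log_line)
    returned = returned_attributes(log_line)
    return {
        # An empty request list means "all user attributes": operational attributes
        # such as isMemberOf and createTimestamp are then never returned by the server.
        "request_empty": requested == [],
        "missing": [a for a in configured if a not in returned],
        "unrequested": [a for a in returned if a not in configured],
    }
```

For the sample line `diagnose` reports an empty request, `isMemberOf` and `createTimestamp` missing, and `objectClass`, `entryDN` and `userPassword` returned without being asked for, which is exactly the evidence that the configured list never reached the query.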

From: users <users-bounces at> On Behalf Of Donald Lohr
Sent: Tuesday, December 1, 2020 1:36 PM
To: users at
Subject: Re: Reading groups membership in Shibboleth 4.0.1

If you break apart your log data, here's what I see referring to the following portion of your log:

[org.ldaptive.SearchOperation:154] - execute response=

You see this:

[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong at]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]],

...if you break it down and make it look similar to the results returned from a command-line ldapsearch, you will find:

mail[awong at]
cn[Ada D. Wong]
objectClass[top, person, organizationalPerson, inetOrgPerson]

Based on the attribute list you say you are asking for:

mail displayName sn givenName uid cn isMemberOf createTimestamp
...your shib/ldap config is ONLY getting back the normal attributes that are available. I say that because objectClass, entryDN and userPassword are in the returned results and these were not asked for.

So this tells me your Shib/ldap config is not asking for what you want.

If you look at another portion of your log, you will see:

baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1,

...if you break it down, you see the following:


Note that the returnAttributes line is not listing the attributes you require, thus you are ONLY getting normal attributes.

On 12/1/20 11:31 AM, Feinstein, Moses wrote:



** remove log file, the size was too large.

Thank you Scott. Yea, the ldapsearch example was to rule out that the account in use has insufficient permissions to pull those attributes; + extracts all operational attributes, however specifying them individually does it as well. In 4.0.1 for some reason I simply can't get it to pull them out; it works for me in version 3.3.2, which is almost identical in configuration minus the differences in the attribute-resolver config.

I enabled debugger for LDAP, however even in response I don't see operational attributes show up.

idp.attribute.resolver.LDAP.returnAttributes    = mail displayName sn givenName uid cn isMemberOf createTimestamp

This is the response I get in debug mode:

2020-12-01 11:17:43,187 - - DEBUG [org.ldaptive.SearchOperation:154] - execute response=[org.ldaptive.Response at 707708292::result=[org.ldaptive.SearchResult at 1972159575::entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong at]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest at 778858510::baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter at -2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler at -1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection at 1476293674::config=[org.ldaptive.ConnectionConfig at 742418862::ldapUrl=ldaps://, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig at 945795630::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$$Lambda$315/0x00000001006adc40 at 2e9549d0, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer at 917687149::bindDn=cn=Directory Manager, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy at 1910d90c], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory at 1095538092::metadata=[ldapUrl=ldaps://, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig at 2008506547::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor at 1019f8d8, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection at 46c1ef9e]

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at

-----Original Message-----
From: users <users-bounces at> On Behalf Of Cantor, Scott
Sent: Tuesday, December 1, 2020 10:38 AM
To: Shib Users <users at>
Subject: RE: Reading groups membership in Shibboleth 4.0.1

Shibboleth doesn't do LDAP, the library it uses on top of the UnboundID client does. Nothing ldapsearch shows has anything to do with what a totally different set of code will do, it's pointless for comparison.

I thought OpenLDAP required specifying + as a returned attribute to get operational attributes (whatever those are). Maybe other LDAP servers do.

-- Scott




Donald Lohr
Information Systems
James Madison University
540.568.3730