Reading groups membership in Shibboleth 4.0.1
Feinstein, Moses
moses.feinstein at touro.edu
Tue Dec 1 23:39:04 UTC 2020
Thank you for the elaborate explanation.
Yes, the issue was indeed the query not passing the specified attributes.
The configuration below works just fine, and now I see the “isMemberOf” attribute; to release all operational attributes you can also use “+”, as previously noted by Scott.
Scott clarified that “exportAttributes” is not a substitute for “returnAttributes”. I had used the default file available in 4.0.1 (attribute-resolver-ldap.xml) as a sample, which provided only “exportAttributes”, leading me to believe that it serves the same purpose.
Brent Putman noted that there was an issue in my XML for the return attributes statement, which is what prevented the attributes from being specified in the query.
Thank you for helping me to resolve this issue. This is a wonderful community to be a part of.
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:false}"
    connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    responseTimeout="%{idp.attribute.resolver.LDAP.responseTimeout}"
    exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <!-- ReturnAttributes is what puts the attribute list into the LDAP search request;
         exportAttributes alone does not (see Scott's note above). -->
    <ReturnAttributes>mail displayName sn givenName uid cn isMemberOf createTimestamp</ReturnAttributes>
    <ConnectionPool
        minPoolSize="%{idp.pool.LDAP.minSize:3}"
        maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
        blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
        validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
        validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
        validateDN="%{idp.pool.LDAP.validateDN:}"
        validateFilter="%{idp.pool.LDAP.validateFilter:(objectClass=*)}"
        expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"/>
</DataConnector>
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
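The fix in this thread comes down to one element: an LDAPDirectory DataConnector without <ReturnAttributes> sends an empty attribute list, so the server returns only user attributes and operational ones such as isMemberOf never arrive. The following script is an added example, not code from the thread or from the Shibboleth IdP; it parses a resolver fragment, expands %{key} and %{key:default} placeholders from a constructed stand-in for ldap.properties, and reports every LDAPDirectory connector that lacks <ReturnAttributes> or does not request a required attribute. The connector ids "brokenLDAP" and "myLDAP" and the property values are constructed for the example.

```python
"""Audit LDAPDirectory DataConnectors in a Shibboleth IdP attribute-resolver file.

Example code added to this thread; it is not part of the Shibboleth IdP.
"""
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for the ldap.properties values the XML refers to.
PROPS = {
    "idp.attribute.resolver.LDAP.ldapURL": "ldaps://centos.example.org:1636",
    "idp.attribute.resolver.LDAP.baseDN": "ou=People,dc=example,dc=org",
    "idp.attribute.resolver.LDAP.searchFilter": "(uid=$resolutionContext.principal)",
    "idp.attribute.resolver.LDAP.returnAttributes":
        "mail displayName sn givenName uid cn isMemberOf createTimestamp",
}

# Constructed resolver fragment: "brokenLDAP" has only exportAttributes, as in
# the original misreading; "myLDAP" mirrors the working connector in the thread.
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <DataConnector id="brokenLDAP" xsi:type="LDAPDirectory"
      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
      baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
      exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
    <FilterTemplate><![CDATA[%{idp.attribute.resolver.LDAP.searchFilter}]]></FilterTemplate>
  </DataConnector>
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
      baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
      exportAttributes="%{idp.attribute.resolver.LDAP.returnAttributes}">
    <FilterTemplate><![CDATA[%{idp.attribute.resolver.LDAP.searchFilter}]]></FilterTemplate>
    <ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</ReturnAttributes>
  </DataConnector>
</AttributeResolver>
"""

PLACEHOLDER = re.compile(r"%\{([^}:]+)(?::([^}]*))?\}")
XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def resolve(value, props):
    """Expand %{key} and %{key:default} placeholders (the IdP property syntax)."""
    def sub(match):
        key, default = match.group(1), match.group(2)
        if key in props:
            return props[key]
        if default is not None:
            return default
        raise KeyError(f"unresolved property {key}")
    return PLACEHOLDER.sub(sub, value)


def local(tag):
    """Strip the XML namespace from an element tag."""
    return tag.rsplit("}", 1)[-1]


def audit_connectors(xml_text, props, required=("isMemberOf",)):
    """Return {connector id: report} for each LDAPDirectory connector."""
    reports = {}
    for dc in ET.fromstring(xml_text).iter():
        if local(dc.tag) != "DataConnector" or dc.get(XSI_TYPE) != "LDAPDirectory":
            continue
        ra = next((c for c in dc if local(c.tag) == "ReturnAttributes"), None)
        requested = resolve(ra.text or "", props).split() if ra is not None else []
        findings = []
        if ra is None:
            findings.append("no <ReturnAttributes>: the search sends an empty attribute "
                            "list and the server returns only user attributes")
            if dc.get("exportAttributes"):
                findings.append("exportAttributes is set, but it does not request "
                                "attributes from the server")
        missing = [a for a in required if a not in requested]
        if missing:
            findings.append(f"required attributes not requested: {missing}")
        reports[dc.get("id")] = {"requested": requested, "findings": findings,
                                 "ok": not findings}
    return reports


if __name__ == "__main__":
    for cid, report in audit_connectors(RESOLVER_XML, PROPS).items():
        print(cid, "OK" if report["ok"] else "PROBLEMS")
        for finding in report["findings"]:
            print("  -", finding)
```

Run it against a real attribute-resolver.xml by reading the file into audit_connectors and loading ldap.properties into the props dict; the required tuple is whatever operational attributes your release policy depends on.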
From: users <users-bounces at shibboleth.net> On Behalf Of Donald Lohr
Sent: Tuesday, December 1, 2020 1:36 PM
To: users at shibboleth.net
Subject: Re: Reading groups membership in Shibboleth 4.0.1
If you break apart your log data, here's what I see referring to the following portion of your log:
[org.ldaptive.SearchOperation:154] - execute response=
You see this:
[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong@example.org]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]],
...if you break it down and make it look similar to the results returned from a command-line ldapsearch, you will find:
dn=uid=awong,ou=People,dc=example,dc=org
uid[awong]
mail[awong@example.org]
givenName[Ada]
displayName[some_display_name]
cn[Ada D. Wong]
sn[Wong]
objectClass[top, person, organizationalPerson, inetOrgPerson]
entryDN[uid=awong,ou=People,dc=example,dc=org]
userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]
Based on the attribute list you say you are asking for:
mail displayName sn givenName uid cn isMemberOf createTimestamp
...your shib/ldap config is ONLY getting back the normal attributes that are available. I say that because objectClass, entryDN and userPassword are in the returned results and these were not asked for.
So this tells me your Shib/ldap config is not asking for what you want.
If you look at another portion of your log, you will see:
baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter@-2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1,
...if you break it down, you see the following:
baseDn=ou=People,dc=example,dc=org
filter=(uid=awong)
returnAttributes=[]
searchScope=SUBTREE
timeLimit=PT3S
sizeLimit=1
Note that the returnAttributes line is not listing the attributes you require, thus you are ONLY getting normal attributes.
Don
On 12/1/20 11:31 AM, Feinstein, Moses wrote:
** removed the log file, the size was too large.
Thank you Scott. Yeah, the ldapsearch example was to rule out that the account in use has sufficient permissions to pull those attributes; + extracts all operational attributes, however specifying them individually does it as well. In 4.0.1 for some reason I simply can't get it to pull them out; it works for me in version 3.3.2, which is almost identical in configuration minus the differences in the attribute-resolver config.
I enabled the debugger for LDAP; however, even in the response I don't see the operational attributes show up.
idp.attribute.resolver.LDAP.returnAttributes = mail displayName sn givenName uid cn isMemberOf createTimestamp
This is the response I get in debug mode:
2020-12-01 11:17:43,187 - 192.168.50.245 - DEBUG [org.ldaptive.SearchOperation:154] - execute response=[org.ldaptive.Response@707708292::result=[org.ldaptive.SearchResult@1972159575::entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong@example.org]], [givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], [objectClass[top, person, organizationalPerson, inetOrgPerson]], [entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}qbX9IGEjiPQsOdcHhuBNdxMmjhzrrCrxGIODgnFe5UCzo7fDSFV7mwV0KMNF9LaUz3CzxjTTO/HsiOPTNy6SrElwY9IkNUDU]]], responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS, message=null, matchedDn=null, responseControls=null, referralURLs=[], messageId=2] for request=[org.ldaptive.SearchRequest@778858510::baseDn=ou=People,dc=example,dc=org, searchFilter=[org.ldaptive.SearchFilter@-2000959517::filter=(uid=awong), parameters={}], returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1, derefAliases=null, typesOnly=false, binaryAttributes=null, sortBehavior=UNORDERED, searchEntryHandlers=[[org.ldaptive.handler.DnAttributeEntryHandler@-1580910376::dnAttributeName=entryDN, addIfExists=false]], searchReferenceHandlers=null, controls=null, referralHandler=null, intermediateResponseHandlers=null] with connection=[org.ldaptive.DefaultConnectionFactory$DefaultConnection@1476293674::config=[org.ldaptive.ConnectionConfig@742418862::ldapUrl=ldaps://centos.example.org:1636, connectTimeout=PT3S, responseTimeout=PT3S, sslConfig=[org.ldaptive.ssl.SslConfig@945795630::credentialConfig=org.ldaptive.ssl.CredentialConfigFactory$$Lambda$315/0x00000001006adc40@2e9549d0, trustManagers=null, hostnameVerifier=null, hostnameVerifierConfig=null, enabledCipherSuites=null, enabledProtocols=null, handshakeCompletedListeners=null], useSSL=false, useStartTLS=false, connectionInitializer=[org.ldaptive.BindConnectionInitializer@917687149::bindDn=cn=Directory Manager, bindSaslConfig=null, bindControls=null], connectionStrategy=org.ldaptive.ActivePassiveConnectionStrategy@1910d90c], providerConnectionFactory=[org.ldaptive.provider.unboundid.UnboundIDConnectionFactory@1095538092::metadata=[ldapUrl=ldaps://centos.example.org:1636, count=1], providerConfig=[org.ldaptive.provider.unboundid.UnboundIDProviderConfig@2008506547::operationExceptionResultCodes=[SERVER_DOWN], properties={}, controlProcessor=org.ldaptive.provider.ControlProcessor@1019f8d8, connectionOptions=null, socketFactory=null, sslSocketFactory=null, searchIgnoreResultCodes=[TIME_LIMIT_EXCEEDED, SIZE_LIMIT_EXCEEDED, REFERRAL]]], providerConnection=org.ldaptive.provider.unboundid.UnboundIDConnection@46c1ef9e]
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: Tuesday, December 1, 2020 10:38 AM
To: Shib Users <users at shibboleth.net>
Subject: RE: Reading groups membership in Shibboleth 4.0.1
Shibboleth doesn't do LDAP; the library it uses on top of the UnboundID client does. Nothing ldapsearch shows has anything to do with what a totally different set of code will do; it's pointless for comparison.
I thought OpenLDAP required specifying + as a returned attribute to get operational attributes (whatever those are). Maybe other LDAP servers do.
-- Scott
--
For Consortium Member technical support, see https://urldefense.com/v3/__https://wiki.shibboleth.net/confluence/x/coFAAg__;!!HoV-yHU!93H4zEgXjdtvyU-VDtUMpiyabwh5Kfmr75R-ebArTQdk5tizzyEXLWVDcgfhcVjJ_Tmw0w$
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
--
Donald Lohr
Information Systems
James Madison University
540.568.3730
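Donald's method above, breaking the ldaptive "execute response= ... for request=" debug line into the attributes that came back and the attributes the request asked for, can be done mechanically, which is useful when the log line is as long as the one in this thread. The script below is an added example, not code from the thread, from Shibboleth or from ldaptive; it assumes the entry rendering `[name[value, value]]` and the `returnAttributes=[...]` list seen in the posted log, which other ldaptive versions may format differently. BROKEN_LOG is trimmed from the log posted in the thread with the userPassword hash replaced by a REDACTED placeholder; FIXED_LOG is a constructed line showing what the corrected connector produces.

```python
"""Compare requested vs. returned attributes in an ldaptive SearchOperation
debug line. Example code added to this thread; not part of Shibboleth or ldaptive."""
import re

# Attributes whose values should never be written to an application log.
SENSITIVE = {"userpassword", "unicodepwd"}

# [name[value, value]] as ldaptive rendered entry attributes in the posted log
# (assumption: other ldaptive versions may format entries differently).
ATTR_RE = re.compile(r"\[([A-Za-z][\w;-]*)\[([^\]]*)\]\]")
RETURN_RE = re.compile(r"returnAttributes=\[([^\]]*)\]")

# Trimmed from the log posted in this thread; the userPassword hash is redacted.
BROKEN_LOG = (
    "2020-12-01 11:17:43,187 - 192.168.50.245 - DEBUG [org.ldaptive.SearchOperation:154] - "
    "execute response=[org.ldaptive.Response@707708292::result=[org.ldaptive.SearchResult@1972159575::"
    "entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong@example.org]], "
    "[givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], "
    "[objectClass[top, person, organizationalPerson, inetOrgPerson]], "
    "[entryDN[uid=awong,ou=People,dc=example,dc=org]], [userPassword[{SSHA512}REDACTED]]], "
    "responseControls=null, messageId=2]], references=[]], resultCode=SUCCESS] "
    "for request=[org.ldaptive.SearchRequest@778858510::baseDn=ou=People,dc=example,dc=org, "
    "searchFilter=[org.ldaptive.SearchFilter@-2000959517::filter=(uid=awong), parameters={}], "
    "returnAttributes=[], searchScope=SUBTREE, timeLimit=PT3S, sizeLimit=1]"
)

# Constructed line: what the same search logs once <ReturnAttributes> is set.
FIXED_LOG = (
    "2020-12-01 12:00:00,000 - 192.168.50.245 - DEBUG [org.ldaptive.SearchOperation:154] - "
    "execute response=[org.ldaptive.Response@1::result=[org.ldaptive.SearchResult@2::"
    "entries=[[dn=uid=awong,ou=People,dc=example,dc=org[[uid[awong]], [mail[awong@example.org]], "
    "[givenName[Ada]], [displayName[some_display_name]], [cn[Ada D. Wong]], [sn[Wong]], "
    "[isMemberOf[cn=staff,ou=Groups,dc=example,dc=org, cn=idp-admins,ou=Groups,dc=example,dc=org]], "
    "[createTimestamp[20201201160000Z]]]]], resultCode=SUCCESS] "
    "for request=[org.ldaptive.SearchRequest@3::baseDn=ou=People,dc=example,dc=org, "
    "returnAttributes=[mail, displayName, sn, givenName, uid, cn, isMemberOf, createTimestamp], "
    "searchScope=SUBTREE]"
)

EXPECTED = "mail displayName sn givenName uid cn isMemberOf createTimestamp".split()


def parse_search_log(line):
    """Return (requested attribute names, {returned name: [values]}) for one line."""
    if " for request=" not in line:
        raise ValueError("not an ldaptive 'execute response=... for request=' line")
    response, request = line.split(" for request=", 1)
    entries = response.split("entries=", 1)[1] if "entries=" in response else ""
    returned = {name: [v for v in values.split(", ") if v]
                for name, values in ATTR_RE.findall(entries)}
    match = RETURN_RE.search(request)
    requested = [a for a in match.group(1).split(", ") if a] if match else []
    return requested, returned


def diagnose(line, expected=EXPECTED):
    """Report what the request asked for versus what the server sent back."""
    requested, returned = parse_search_log(line)
    asked = {a.lower() for a in requested}
    got = {n.lower() for n in returned}
    return {
        "requested": requested,
        "returned": sorted(returned),
        # Empty list means the server chose the attributes (user attributes only).
        "request_empty": not requested,
        "missing": [a for a in expected if a.lower() not in got],
        "unrequested": sorted(n for n in returned if n.lower() not in asked),
        # Values of these attributes are now sitting in idp-process.log.
        "sensitive_in_log": sorted(n for n in returned if n.lower() in SENSITIVE),
    }


if __name__ == "__main__":
    for label, line in (("broken", BROKEN_LOG), ("fixed", FIXED_LOG)):
        print(label, diagnose(line))
```

Two things the broken line shows that are worth acting on once the attribute problem is solved: the bind account (cn=Directory Manager in the posted log) can read userPassword, which attribute resolution does not need, and org.ldaptive at DEBUG writes every returned value, that hash included, into the IdP log. Drop the logger back to its normal level after troubleshooting and treat the captured log file as sensitive.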