Flatten out nested ADS groups with Shibboleth IDP
Matt Brennan
brennanma at gmail.com
Wed Mar 4 19:22:31 EST 2020
Someone's probably going to say I'm doing this wrong, but this is what I
have:
attribute-resolver.xml:

<AttributeDefinition id="distinguishedName" xsi:type="Simple">
    <InputDataConnector ref="AD" attributeNames="distinguishedName" />
    <AttributeEncoder xsi:type="SAML2ScopedString"
        name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12"
        friendlyName="distinguishedName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="isMemberOfRecursive" xsi:type="Simple">
    <InputDataConnector ref="ADGroup" attributeNames="cn" />
    <AttributeEncoder xsi:type="SAML2String"
        name="urn:oid:1.3.6.1.4.1.20462.5.1.9" friendlyName="isMemberOf" />
</AttributeDefinition>

<!-- Active Directory -->
<DataConnector id="AD" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
    <FilterTemplate>
        <![CDATA[
            %{idp.attribute.resolver.LDAP.searchFilter}
        ]]>
    </FilterTemplate>
    <ReturnAttributes>%{idp.attribute.resolver.LDAP.returnAttributes}</ReturnAttributes>
    <LDAPProperty name="java.naming.ldap.attributes.binary"
        value="objectGUID" />
</DataConnector>

<!-- AD Group Recursive Resolver -->
<DataConnector id="ADGroup" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="<group base DN>"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
    maxResultSize="1000">
    <InputDataConnector ref="AD" attributeNames="distinguishedName" />
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=$distinguishedName.get(0))
        ]]>
    </FilterTemplate>
    <ReturnAttributes>cn</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow" />
</DataConnector>
On Wed, Mar 4, 2020 at 6:13 PM Robert Rust <robert.j.rust at uwrf.edu> wrote:
> From: "Bickel, David" <jdbickel at iu.edu>
> To: Shib Users <users at shibboleth.net>
> Subject: Flatten out nested ADS groups with Shibboleth IDP
>
> Hello fellow shibboleth IDP users,
>
>
> Does the newer IDP 3.4.6+ have a better way to retrieve and flatten
> nested ADS groups from active directory??? The process documented in this
> legacy post
> https://shibboleth.1660669.n2.nabble.com/AD-nested-groups-td7634561.html
> uses several deprecated pieces like "mergeResults". I appreciate any
> guidance on a better way to accomplish this task.
>
> ===============
> I would be interested in any ideas for improving nested group lookup
> behavior as well. I'm not using mergeResults but otherwise my connector
> looks substantially similar. I'm currently battling issues with group
> lookups timing out periodically, which I'm sure is LDAP load related, but
> my Shib servers aren't distributing the load particularly well and I
> haven't come up with a way to load balance AD comfortably yet in the
> particular environment where these servers live.
>
> -Robert
>
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
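An added example, not code from this thread or from the Shibboleth project: a small Python model of what the ADGroup connector above asks AD to compute with the member:1.2.840.113556.1.4.1941:= (LDAP_MATCHING_RULE_IN_CHAIN) filter. The directory snapshot, DNs and helper names are all constructed; it shows the transitive member walk that AD performs server-side (surviving a group cycle) and the RFC 4515 escaping a DN containing characters such as ( or ) needs before it is placed in a filter.

```python
"""Client-side model of the nested-group flattening that the ADGroup
connector delegates to AD via the LDAP_MATCHING_RULE_IN_CHAIN filter
(OID 1.2.840.113556.1.4.1941). All directory data here is constructed."""
from collections import deque

# Constructed snapshot: group DN -> DNs listed in its "member" attribute.
# it-admins contains helpdesk, which contains the user; loop-a and loop-b
# contain each other so the walk has a cycle to survive.
G = "OU=Groups,DC=example,DC=test"
DIRECTORY = {
    f"CN=it-admins,{G}": [f"CN=helpdesk,{G}", f"CN=loop-a,{G}"],
    f"CN=helpdesk,{G}": ["CN=alice (ops),OU=Users,DC=example,DC=test"],
    f"CN=loop-a,{G}": [f"CN=loop-b,{G}"],
    f"CN=loop-b,{G}": [f"CN=loop-a,{G}"],
}

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {ord(c): "\\%02x" % ord(c) for c in "\\*()\0"}

def escape_filter_value(value: str) -> str:
    """Escape a value (here a DN) before interpolating it into a filter."""
    return value.translate(_ESCAPES)

def in_chain_filter(user_dn: str) -> str:
    """The filter the ADGroup connector's FilterTemplate renders for one user."""
    return "(member:1.2.840.113556.1.4.1941:=%s)" % escape_filter_value(user_dn)

def flatten_groups(user_dn: str, directory=DIRECTORY) -> set:
    """Every group containing user_dn directly or through nested groups:
    the result AD computes server-side for in_chain_filter(user_dn).
    The visited set stops group cycles from looping forever."""
    parents = {}  # member DN -> groups that list it directly
    for group_dn, members in directory.items():
        for member in members:
            parents.setdefault(member, []).append(group_dn)
    seen, queue = set(), deque([user_dn])
    while queue:
        for group_dn in parents.get(queue.popleft(), []):
            if group_dn not in seen:
                seen.add(group_dn)
                queue.append(group_dn)
    return seen

def group_cns(user_dn: str, directory=DIRECTORY) -> set:
    """The cn values the isMemberOfRecursive attribute would carry."""
    return {dn.split(",", 1)[0][len("CN="):] for dn in flatten_groups(user_dn, directory)}
```

Doing this walk client-side costs one LDAP search per nesting level; the matching-rule-in-chain filter has AD do the same walk inside a single search, which is what keeps the connector to one query per login.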