config memberOf in idpv4

leosimon leosimon at digital-nirvana.com
Mon May 4 19:32:36 UTC 2020


Can someone guide me through configuring group membership with Shibboleth IdP V4?

I referred to http://shibboleth.net/pipermail/users/2016-May/029164.html, made
changes to my config accordingly, and it failed.

attribute-resolver.xml
--------------------------------------------------------------------------------
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        exportAttributes="mail givenName uid gidNumber">
        <FilterTemplate>
            
        </FilterTemplate>
    </DataConnector>

This myLDAP connector works fine for the usual authentication and for releasing
the needed attributes.
---------------------------------------------------------------------------------

These configs are for group membership.
	
    <AttributeDefinition id="distinguishedName" xsi:type="Simple">
        <InputDataConnector ref="myLDAP" attributeNames="distinguishedName"/>
    </AttributeDefinition>

    <DataConnector id="groupLDAP" xsi:type="LDAPDirectory"
        ldapURL="ldap://192.168.x.x:389"
        baseDN="ou=groups,dc=example,dc=com"
        principal="cn=admin,dc=example,dc=com"
        principalCredential="xxxxx"
        exportAttributes="distinguishedName">
        <FilterTemplate>
            <![CDATA[(member:2.5.4.31:=${distinguishedName.get(0)})]]>
        </FilterTemplate>
        <LDAPProperty name="java.naming.referral" value="follow"/>
    </DataConnector>

    <AttributeDefinition id="memberOf" xsi:type="Simple">
        <InputDataConnector ref="groupLDAP" attributeNames="distinguishedName"/>
    </AttributeDefinition>

-------------------------------------------------------------------
After making the above changes, the usual authentication that worked with just
myLDAP is also not working, and I can see the error below in idp-process.log.

********************************************
2020-05-04 14:57:08,296 - 10.1.1.2 - ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:293] - Profile Action ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector 'groupLDAP': Unable to execute LDAP search
        at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(LDAPDataConnector.java:225)
Caused by: org.ldaptive.LdapException: LDAPException(resultCode=87 (filter error), numEntries=0, numReferences=0, errorMessage='Unable to parse string '(member:2.5.4.31:=${distinguishedName.get(0)})' as an LDAP filter because it contains an unexpected opening parenthesis at position 42.', ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')
********************************************



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
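Added example (not part of the original post and not Shibboleth project code). The error quoted above is the signature of a Velocity reference that was never substituted: the groupLDAP connector's FilterTemplate names distinguishedName, but the connector declares no dependency that would place that attribute in the template context, so Velocity renders the reference literally and the directory rejects the resulting text as a malformed filter (resultCode=87). The script below lints an attribute-resolver.xml for exactly that condition by collecting what each DataConnector's InputAttributeDefinition / InputDataConnector children expose and flagging FilterTemplate references nothing declares, and it previews the rendered filter with RFC 4515 escaping applied to the substituted DN. The embedded resolver XML is constructed to mirror the poster's layout; the host names, the plain member= equality filter used in place of the poster's extensible-match syntax, and the treatment of resolutionContext as the only built-in template variable are assumptions.

```python
"""Static lint for Shibboleth IdP attribute-resolver.xml FilterTemplates.

Added example; not from the original post and not Shibboleth project code.
Flags Velocity references that no declared dependency can supply and
previews the filter string the directory would receive once they resolve.
"""
import re
import xml.etree.ElementTree as ET

# Velocity reference forms: $name, ${name}, $name.get(0), ${name.get(0)}
VELOCITY_REF = re.compile(r"\$\{?([A-Za-z_][A-Za-z0-9_-]*)")
# Assumption: resolutionContext is the only variable the IdP always provides.
BUILTIN_REFS = {"resolutionContext"}

# Constructed fragment mirroring the poster's layout (host names and the
# plain member= equality filter are assumptions, not the poster's values).
BROKEN_RESOLVER = """\
<AttributeResolver xmlns="urn:mace:shibboleth:2.0:resolver"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <AttributeDefinition id="distinguishedName" xsi:type="Simple">
    <InputDataConnector ref="myLDAP" attributeNames="distinguishedName"/>
  </AttributeDefinition>
  <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap.example.com:389" baseDN="ou=people,dc=example,dc=com"
      exportAttributes="mail givenName uid">
    <FilterTemplate><![CDATA[(uid=$resolutionContext.principal)]]></FilterTemplate>
  </DataConnector>
  <DataConnector id="groupLDAP" xsi:type="LDAPDirectory"
      ldapURL="ldap://ldap.example.com:389" baseDN="ou=groups,dc=example,dc=com"
      exportAttributes="cn">
    <FilterTemplate><![CDATA[(member=${distinguishedName.get(0)})]]></FilterTemplate>
  </DataConnector>
</AttributeResolver>
"""

# Same fragment with the dependency declared so Velocity can see the value.
FIXED_RESOLVER = BROKEN_RESOLVER.replace(
    "<FilterTemplate><![CDATA[(member",
    '<InputAttributeDefinition ref="distinguishedName"/>\n'
    "    <FilterTemplate><![CDATA[(member")


def local(tag):
    """ElementTree tag without its {namespace} prefix."""
    return tag.rsplit("}", 1)[-1]


def velocity_refs(template):
    """Set of names referenced from a template string."""
    return {m.group(1) for m in VELOCITY_REF.finditer(template or "")}


def declared_inputs(connector):
    """(names, wildcard): attribute IDs the connector's dependencies expose;
    wildcard is True for an InputDataConnector without attributeNames."""
    names, wildcard = set(), False
    for child in connector:
        kind = local(child.tag)
        if kind == "InputAttributeDefinition":
            names.add(child.get("ref"))
        elif kind == "InputDataConnector":
            listed = child.get("attributeNames")
            if listed:
                names.update(listed.split())
            else:
                wildcard = True  # everything it returns is exposed
    return names, wildcard


def lint_resolver(xml_text):
    """[(connector_id, reference), ...] for references nothing can satisfy.
    Velocity renders such a reference literally and the directory rejects
    the text as a malformed filter (resultCode=87)."""
    problems = []
    for conn in ET.fromstring(xml_text).iter():
        if local(conn.tag) != "DataConnector":
            continue
        names, wildcard = declared_inputs(conn)
        for child in conn:
            if local(child.tag) != "FilterTemplate":
                continue
            for ref in sorted(velocity_refs(child.text)):
                if not (wildcard or ref in BUILTIN_REFS or ref in names):
                    problems.append((conn.get("id"), ref))
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template, values):
    """Preview of the filter once references resolve; values maps attribute
    ID -> list of strings. Only bare and .get(0) forms are substituted and
    unknown names are left as-is, which is what Velocity does too."""
    def sub(m):
        name = m.group(1)
        if name not in values:
            return m.group(0)
        return escape_filter_value(values[name][0])
    return re.sub(r"\$\{?([A-Za-z_][A-Za-z0-9_-]*)(?:\.get\(0\))?\}?", sub, template)


if __name__ == "__main__":
    print("broken:", lint_resolver(BROKEN_RESOLVER))
    print("fixed: ", lint_resolver(FIXED_RESOLVER))
    dn = "cn=Jane (Ext),ou=people,dc=example,dc=com"
    print(render_filter("(member=${distinguishedName.get(0)})", {"distinguishedName": [dn]}))
```

To use it on a real deployment, replace the embedded string with the contents of attribute-resolver.xml; the check is purely static and never contacts the directory. It only catches a dependency that was never declared: a dependency that is declared but resolves to no values (for example because the user connector's search does not return the attribute the definition asks for) produces the same literal-reference symptom at runtime, and the preview is the place to confirm that the substituted DN is escaped before it reaches the filter.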


More information about the users mailing list