config memberOf in idpv4

Boyd, Todd M. tmboyd1 at ccis.edu
Wed May 13 21:05:50 UTC 2020


I do this with our IdP installation, but unraveling nested groups has proven to be too much CPU load on our domain controllers due to our directory topology. Our config looks like this:

	<AttributeDefinition xsi:type="Simple" id="memberOf">
		<InputDataConnector ref="myLDAPGroup" attributeNames="cn" />
		<AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ismemberof" encodeType="false" />
		<AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="memberOf" encodeType="false" />
	</AttributeDefinition>

...

	<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
		ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
		baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
		principal="%{idp.attribute.resolver.LDAP.bindDN}"
		principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
		useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
		trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
		responseTimeout="%{idp.authn.LDAP.responseTimeout}">
		<FilterTemplate>
			<![CDATA[
				%{idp.attribute.resolver.LDAP.searchFilter}
			]]>
		</FilterTemplate>
		<ReturnAttributes>%{idp.authn.LDAP.returnAttributes}</ReturnAttributes>
		<LDAPProperty name="java.naming.referral" value="follow" />
		<ConnectionPool
				minPoolSize="%{idp.pool.LDAP.minSize:3}"
				maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
				blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
				validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
				validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
				expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
				failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
	</DataConnector>

...

	<DataConnector id="myLDAPGroup" xsi:type="LDAPDirectory"
		ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
		baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
		principal="%{idp.attribute.resolver.LDAP.bindDN}"
		principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
		useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
		trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
		responseTimeout="%{idp.authn.LDAP.responseTimeout}"
		searchTimeLimit="0" maxResultSize="0">
		<InputDataConnector ref="myLDAP" attributeNames="distinguishedName" />
		<FilterTemplate>
			<![CDATA[
				(&(objectCategory=group)(objectClass=group)(member=$distinguishedName.get(0)))
			]]>
		</FilterTemplate>
		<ReturnAttributes>cn</ReturnAttributes>
		<LDAPProperty name="java.naming.referral" value="follow" />
		<ConnectionPool
				minPoolSize="%{idp.pool.LDAP.minSize:3}"
				maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
				blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
				validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
				validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
				expirationTime="%{idp.pool.LDAP.idleTime:PT10M}"
				failFastInitialize="%{idp.pool.LDAP.failFastInitialize:false}" />
	</DataConnector>


This is for our v3.x installation. Is v4 config really so drastically different from v3? I think all of this was pieced together from examples in the documentation.

-Todd
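As an added example (not code from this post or from the Shibboleth project), the Python below shows the two pieces of logic that sit behind a memberOf attribute like the one in the config above: turning group DNs (from AD's memberOf, or from the DNs a `(member=<userDN>)` search returns) into the CN values the attribute carries, with RFC 4514 DN escaping handled, and expanding nested membership from an in-memory group map rather than issuing one directory query per nesting level. The DNs, group names and the nesting map are constructed for the example; the filter builders are a stand-alone illustration of RFC 4515 value escaping and say nothing about how the IdP's own FilterTemplate handles `$distinguishedName`.

```python
"""Added example: memberOf -> CN extraction, nested-group expansion and
LDAP filter escaping. Not part of the mailing-list post or the IdP."""
from collections import deque

# Constructed group DNs, in the form AD returns them in memberOf.
SAMPLE_MEMBER_OF = [
    "CN=Staff,OU=Groups,DC=example,DC=edu",
    "CN=IT\\, Infrastructure,OU=Groups,DC=example,DC=edu",  # escaped comma
    "CN=Lab\\2bAdmins,OU=Groups,DC=example,DC=edu",          # hex-escaped '+'
]

# Constructed nesting map: group CN -> CNs of the groups it is a member of.
SAMPLE_PARENTS = {
    "Staff": ["Employees"],
    "Employees": ["All-Users"],
    "IT, Infrastructure": ["Staff", "Admins"],
    "Admins": ["IT, Infrastructure"],  # a cycle; AD allows these
    "All-Users": [],
}

# AD's LDAP_MATCHING_RULE_IN_CHAIN: the DC walks the nesting itself.
IN_CHAIN_RULE = "1.2.840.113556.1.4.1941"


def _unescape_rdn_value(value):
    """Undo RFC 4514 string escaping: '\\XX' hex pairs and '\\<char>'."""
    out, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                out += bytes.fromhex(pair)
                i += 3
                continue
            out += value[i + 1].encode("utf-8")
            i += 2
            continue
        out += value[i].encode("utf-8")
        i += 1
    return out.decode("utf-8")


def split_rdns(dn):
    """Split a DN on unescaped commas into (lowercased type, value) pairs.
    Multi-valued RDNs ('+') are left unsplit, which is enough for CN=... groups."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for rdn in parts:
        typ, _, val = rdn.partition("=")
        rdns.append((typ.strip().lower(), _unescape_rdn_value(val.lstrip(" "))))
    return rdns


def group_cns(member_of):
    """The 'cn' values the memberOf attribute would carry, one per group DN."""
    return [rdns[0][1] for rdns in map(split_rdns, member_of)
            if rdns and rdns[0][0] == "cn"]


def transitive_groups(direct, parents):
    """Breadth-first closure over the parent map; 'seen' stops cycles."""
    seen, queue = set(), deque(direct)
    while queue:
        g = queue.popleft()
        if g in seen:
            continue
        seen.add(g)
        queue.extend(parents.get(g, []))
    return sorted(seen)


def escape_filter_value(value):
    """RFC 4515 escaping for a value interpolated into a search filter:
    '*', '(', ')', '\\', NUL and any non-printable/non-ASCII byte -> '\\XX'."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"*()\\\x00" or b < 0x20 or b > 0x7e:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def member_filter(user_dn):
    """Direct membership only, the shape of the search in the config above."""
    return "(&(objectCategory=group)(objectClass=group)(member=%s))" % escape_filter_value(user_dn)


def nested_member_filter(user_dn):
    """Same search, but the DC recurses through nested groups (AD only)."""
    return "(member:%s:=%s)" % (IN_CHAIN_RULE, escape_filter_value(user_dn))


if __name__ == "__main__":
    direct = group_cns(SAMPLE_MEMBER_OF)
    print("direct:", direct)
    print("nested:", transitive_groups(direct, SAMPLE_PARENTS))
    print(member_filter("CN=Doe\\, Jane (Staff),OU=People,DC=example,DC=edu"))
```

The in-memory walk costs one bulk read of the group tree plus a graph traversal per user, while the `1.2.840.113556.1.4.1941` matching rule moves the recursion onto the domain controller in a single query; which of the two is cheaper depends on the directory, which is the trade-off the post describes. The escaping matters because a user DN taken from the directory can legitimately contain `(`, `)` or `\`, and unescaped those characters change the meaning of the filter.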

      
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Wednesday, May 13, 2020 9:56:27 AM
To: Shib Users
Subject: Re: config memberOf in idpv4
    
On 5/13/20, 10:52 AM, "users on behalf of leosimon" <users-bounces at shibboleth.net on behalf of leosimon at digital-nirvana.com> wrote:

> Any ideas on how to do this?

Mapped? Scripted?

Review the documentation and examine the existing AttributeDefinition types to see which ones might apply.

-- Scott


--
For Consortium Member technical support, see  https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
    

