Reading groups membership in Shibboleth 4.0.1
Donald Lohr
lohrda at jmu.edu
Mon Nov 30 17:24:15 UTC 2020
The isMemberOf attribute is an operational attribute on the user. The
uniquemember (or member) attribute is an attribute on the group (showing
all users that are in the group).
You should be able to use the LDAP service/utility account that you've
configured Shibboleth to use and perform an ldapsearch against your LDAP
service, asking ldapsearch to return the "returnAttributes" you are
listing below.
Using OpenLDAP's ldapsearch in this example:
ldapsearch -x -LLL -h yourLDAPserver -p 389 \
    -D myShibbolethServiceAccount -W -Z \
    -b ou=People,dc=example,dc=org "(uid=awong)" \
    displayName mail uid sn givenName isMemberOf
The search should return the 6 requested attributes. You might have to
add an ACL for the isMemberOf attribute to your LDAP server so your
Shibboleth service/utility account can see it.
Don
On 11/30/20 10:01 AM, Feinstein, Moses wrote:
> I am trying to return group membership for the user who is
> authenticating via Shibboleth 4.0.1
>
> Below configuration works, if I substitute “isMemberOf” in attribute
> resolver with any other attribute (displayName for example), however
> for some reason it is unable to read “isMemberOf”, it returns nothing
> for the group membership even though the user is a member of the group
> (cn=testgroup,ou=Groups,dc=example,dc=org).
>
> Since “isMemberOf” is part of operational attributes, I am not sure if
> there is anything else that needs to be configured on Shibboleth side.
>
> Am I missing something in my configuration below to be able to read
> operational attribute “isMemberOf” from the LDAP?
>
> If anyone has a good example on how to read group membership it would
> be very helpful. Thanks.
>
> Attribute-filter:
>
>   <AttributeRule attributeID="membership" permitAny="true" />
>
> Ldap.properties:
>
>   idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf
>
> Attribute-resolver:
>
>   <AttributeDefinition xsi:type="Simple" id="isMemberOf">
>     <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
>   </AttributeDefinition>
>
>   <AttributeDefinition id="membership" xsi:type="Mapped">
>     <InputAttributeDefinition ref="isMemberOf" />
>     <DefaultValue passThru="true"/>
>     <ValueMap>
>       <ReturnValue>return_membership</ReturnValue>
>       <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
>     </ValueMap>
>     <AttributeEncoder xsi:type="SAML2String" name="membership"
>                       friendlyName="membership" encodeType="false" />
>   </AttributeDefinition>
>
> Ldap user is part of this group:
>
>   uid=awong,ou=People,dc=example,dc=org
>   isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>
> Moses Feinstein
>
> Touro College and University System
>
>
--
D o n a l d L o h r
I n f o r m a t i o n S y s t e m s
J a m e s M a d i s o n U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
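The ldapsearch step in the reply is a live check against a directory. What follows is an added example, not code from the thread or from Shibboleth, that does the same verification offline: it parses the LDIF that `ldapsearch -LLL` prints, reports which of the requested attributes the service account did not get back (the symptom of a missing ACL on an operational attribute such as isMemberOf), and applies the same value mapping as the Mapped attribute definition in the question. The sample LDIF, the `cn=staff` group, the person's name and the service-account DN are constructed for the example; the mapping treats each SourceValue as a whole-value regular expression, as Shibboleth does, but does not implement group references in ReturnValue.

```python
"""Offline check of ldapsearch output for the attributes Shibboleth asks for.
Added example; the LDIF below is constructed, not captured from a directory."""
import base64
import re

# Constructed: what the search in the reply prints once the service account
# can read isMemberOf. Includes a base64 value (mail::) and a folded line,
# both of which real ldapsearch output contains.
SAMPLE_LDIF = """\
dn: uid=awong,ou=People,dc=example,dc=org
uid: awong
sn: Wong
givenName: Alex
displayName: Alex Wong
mail:: YXdvbmdAZXhhbXBsZS5vcmc=
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
isMemberOf: cn=staff,ou=Groups,
 dc=example,dc=org

"""

# The returnAttributes list and the ValueMap from the question.
REQUESTED = ["displayName", "mail", "uid", "sn", "givenName", "isMemberOf"]
VALUE_MAP = {"cn=testgroup,ou=Groups,dc=example,dc=org": "return_membership"}


def parse_ldif(text):
    """Parse ldapsearch -LLL output into a list of {attr: [values]} dicts.
    Unfolds continuation lines, decodes base64 (attr::) values, skips
    comments. Attribute names are case-insensitive in LDAP, so keys are
    lower-cased. URL values (attr:<) are not handled."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]          # continuation of previous line
        else:
            unfolded.append(raw)
    entries, current = [], {}
    for line in unfolded:
        if not line.strip():
            if current:                      # blank line ends an entry
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.strip().lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def missing_attributes(entry, requested):
    """Requested attributes the server did not return, in request order.
    For isMemberOf this is the symptom in the question; the reply's ACL
    hint is the usual cause when the attribute exists on the server."""
    return [a for a in requested if a.lower() not in entry]


def map_membership(values, value_map, pass_thru=True):
    """Mirror the Mapped definition: each SourceValue is a regex matched
    against the whole value, case-insensitively (caseSensitive="false");
    a match yields the ReturnValue, and with DefaultValue passThru="true"
    unmatched values are kept (without passThru they are dropped)."""
    patterns = [(re.compile(src, re.IGNORECASE), ret)
                for src, ret in value_map.items()]
    out = []
    for v in values:
        for pat, ret in patterns:
            if pat.fullmatch(v):
                out.append(ret)
                break
        else:
            if pass_thru:
                out.append(v)
    return out


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value placed inside a search filter, so a
    uid taken from input cannot change the filter. Backslash first, so the
    escapes themselves are not re-escaped."""
    for ch, esc in (("\\", "\\5c"), ("*", "\\2a"), ("(", "\\28"),
                    (")", "\\29"), ("\0", "\\00")):
        value = value.replace(ch, esc)
    return value


def ldapsearch_argv(host, bind_dn, base_dn, uid, attrs, port=389):
    """The command from the reply as an argv list: simple bind, StartTLS,
    bare LDIF output, the uid filter and the requested attribute list."""
    return ["ldapsearch", "-x", "-LLL", "-Z", "-h", host, "-p", str(port),
            "-D", bind_dn, "-W", "-b", base_dn,
            "(uid=%s)" % ldap_filter_escape(uid), *attrs]


def check_entry(ldif_text, requested=REQUESTED, value_map=VALUE_MAP):
    """Both checks on one search result: what is missing, and what the
    Mapped definition would hand to the SAML2String encoder."""
    entries = parse_ldif(ldif_text)
    if len(entries) != 1:
        raise ValueError("expected one entry, got %d" % len(entries))
    entry = entries[0]
    return {"dn": entry.get("dn", [""])[0],
            "missing": missing_attributes(entry, requested),
            "membership": map_membership(entry.get("ismemberof", []),
                                         value_map)}


if __name__ == "__main__":
    print(check_entry(SAMPLE_LDIF))
```

Feed `check_entry` the real output of the command built by `ldapsearch_argv` (run with the Shibboleth service account, not an admin bind) and an empty `missing` list means the IdP's data connector will see the same values. If `isMemberOf` is the only missing entry, compare with a privileged bind before touching the resolver: identical output from both binds means the attribute is not there under that name at all (OpenLDAP's memberof overlay, for instance, writes `memberOf`), while output that differs points at the ACL the reply mentions. Note that `-h`/`-p` are deprecated in current OpenLDAP clients in favour of `-H ldap://host:port`; the flags still work and are kept here to match the reply.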