Reading groups membership in Shibboleth 4.0.1

Donald Lohr lohrda at jmu.edu
Mon Nov 30 17:28:52 UTC 2020


OOPS:

ldapsearch -x -LLL -h yourLDAPserver -p 389 -D 
uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org 
"(uid=awong)" displayName mail uid sn givenName isMemberOf

On 11/30/20 12:24 PM, Donald Lohr wrote:
> ------------------------------------------------------------------------
> The isMemberOf attribute is an operational attribute on the user. The 
> uniquemember (or member) attribute is an attribute on the group 
> (showing all users that are in the group).
>
> You should be able to use the LDAP service/utility account that you've 
> configured Shibboleth to use and perform an ldapsearch against your 
> LDAP service and ask the ldapsearch to return "returnAttributes" you 
> are listing below.
>
>
> Using OpenLDAP's ldapsearch in this example:
>
> ldapsearch -x -LLL -h yourLDAPserver -p 389 -D 
> myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org 
> "(uid=awong)" displayName mail uid sn givenName isMemberOf
>
> The search should return the 6 requested attributes. You might have to 
> add an ACL for the isMemberOf attribute to your LDAP server so your 
> Shibboleth service/utility account can see it.
>
> Don
>
> On 11/30/20 10:01 AM, Feinstein, Moses wrote:
>> ------------------------------------------------------------------------
>>
>> I am trying to return group membership for the user who is 
>> authenticating via Shibboleth 4.0.1
>>
>> Below configuration works, if I substitute “isMemberOf” in attribute 
>> resolver with any other attribute (displayName for example), however 
>> for some reason it is unable to read “isMemberOf”, it returns nothing 
>> for the group membership even though the user is a member of the 
>> group (cn=testgroup,ou=Groups,dc=example,dc=org).
>>
>> Since “isMemberOf” is part of operational attributes, I am not sure 
>> if there is anything else that needs to be configured on Shibboleth side.
>>
>> Am I missing something in my configuration below to be able to read 
>> operational attribute “isMemberOf” from the LDAP?
>>
>> If anyone has a good example on how to read group membership it would 
>> be very helpful. Thanks.
>>
>> Attribute-filter:
>>
>>   <AttributeRule attributeID="membership" permitAny="true" />
>>
>> Ldap.properties:
>>
>>   idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf
>>
>> Attribute-resolver:
>>
>>   <AttributeDefinition xsi:type="Simple" id="isMemberOf">
>>     <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
>>   </AttributeDefinition>
>>
>>   <AttributeDefinition id="membership" xsi:type="Mapped">
>>     <InputAttributeDefinition ref="isMemberOf" />
>>     <DefaultValue passThru="true"/>
>>     <ValueMap>
>>       <ReturnValue>return_membership</ReturnValue>
>>       <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
>>     </ValueMap>
>>     <AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
>>   </AttributeDefinition>
>>
>> Ldap user is part of this group:
>>
>>   uid=awong,ou=People,dc=example,dc=org
>>   isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>>
>> *Moses Feinstein*
>>
>> Touro College and University System
>>
>>
>
> -- 
> D o n a l d   L o h r
> I n f o r m a t i o n   S y s t e m s
> J a m e s   M a d i s o n   U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
>

-- 
D o n a l d   L o h r
I n f o r m a t i o n   S y s t e m s
J a m e s   M a d i s o n   U n i v e r s i t y
5 4 0 . 5 6 8 . 3 7 3 0
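As an added example, not code from this thread or from the Shibboleth project: the two checks Don describes, modelled in Python against constructed ldapsearch -LLL output. It parses the LDIF that the IdP's service-account bind gets back, reports which of the six requested attributes did not come back (isMemberOf absent while the other five are present is the ACL symptom), and then applies the same ValueMap as Moses's Mapped definition, treating SourceValue as a regular expression matched against the whole input value, case-insensitively because caseSensitive="false", with unmatched values passed through because of DefaultValue passThru="true". The LDIF entries, the second group DN and the function names are assumptions made for illustration.

```python
"""Added example (not from the thread or from Shibboleth): check an ldapsearch
result for the operational attribute isMemberOf and model the Mapped
attribute definition from the thread.

Assumptions (hypothetical): both LDIF blocks are constructed to look like
`ldapsearch -x -LLL ...` output for uid=awong; the ValueMap copies the
resolver fragment in the thread (SourceValue cn=testgroup,... with
caseSensitive="false", ReturnValue return_membership, passThru="true").
"""
import base64
import re
from typing import Dict, List, Tuple

# The six attributes listed in idp.attribute.resolver.LDAP.returnAttributes.
REQUESTED = ["displayName", "mail", "uid", "sn", "givenName", "isMemberOf"]

# (ReturnValue, SourceValue) pairs, as in the Mapped definition on the page.
VALUE_MAP: List[Tuple[str, str]] = [
    ("return_membership", "cn=testgroup,ou=Groups,dc=example,dc=org"),
]

# Constructed output for a bind DN whose ACL allows reading isMemberOf.
LDIF_OK = """\
dn: uid=awong,ou=People,dc=example,dc=org
displayName: Alice Wong
mail: awong@example.org
uid: awong
sn: Wong
givenName: Alice
isMemberOf: CN=TestGroup,OU=Groups,DC=example,DC=org
isMemberOf: cn=othergroup,ou=Groups,dc=example,dc=org
"""

# Constructed output for the same entry seen by a bind DN that is not
# granted read on isMemberOf: the five user attributes come back, the
# operational attribute silently does not.
LDIF_NO_ACL = """\
dn: uid=awong,ou=People,dc=example,dc=org
displayName: Alice Wong
mail: awong@example.org
uid: awong
sn: Wong
givenName: Alice
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute -> list of values, keeping
    multi-valued attributes in order. Handles RFC 2849 folded lines
    (leading space), base64 values (attr:: ...) and comment lines."""
    logical: List[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and logical:
            logical[-1] += line[1:]          # continuation of previous line
        elif line and not line.startswith("#"):
            logical.append(line)
    attrs: Dict[str, List[str]] = {}
    for item in logical:
        name, _, value = item.partition(":")
        if value.startswith(":"):            # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def missing_attributes(attrs: Dict[str, List[str]],
                       requested: List[str] = REQUESTED) -> List[str]:
    """Requested attributes the bind did not get back. isMemberOf alone
    missing points at the LDAP ACL for the service account, not the IdP."""
    return [a for a in requested if a not in attrs]


def map_membership(is_member_of: List[str],
                   value_map: List[Tuple[str, str]],
                   pass_thru: bool = True,
                   case_sensitive: bool = False) -> List[str]:
    """Model of the Mapped attribute definition: each input value whose
    whole text matches a SourceValue regex becomes the ReturnValue;
    values matching nothing pass through unchanged when passThru is true
    and are dropped otherwise. An empty input yields an empty result,
    which is exactly what the thread reports for 'membership'."""
    flags = 0 if case_sensitive else re.IGNORECASE
    out: List[str] = []
    for value in is_member_of:
        for return_value, source in value_map:
            if re.fullmatch(source, value, flags):
                out.append(return_value)
                break
        else:
            if pass_thru:
                out.append(value)
    return out


def diagnose(ldif: str) -> str:
    """One-line verdict for an ldapsearch result, as a human would read it."""
    attrs = parse_ldif(ldif)
    missing = missing_attributes(attrs)
    if missing == ["isMemberOf"]:
        return "isMemberOf not returned: add an ACL for it for the bind DN"
    if missing:
        return "missing: " + ", ".join(missing)
    return "membership=" + ",".join(map_membership(attrs["isMemberOf"], VALUE_MAP))


if __name__ == "__main__":
    for sample in (LDIF_OK, LDIF_NO_ACL):
        print(diagnose(sample))
```

Pipe real `ldapsearch -LLL` output into `parse_ldif` with the same bind DN the IdP uses and `missing_attributes` answers Don's question directly; if isMemberOf is the only gap, the fix is on the LDAP server's ACL, and no resolver change will make the attribute appear.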
