Reading groups membership in Shibboleth 4.0.1
Donald Lohr
lohrda at jmu.edu
Mon Nov 30 17:28:52 UTC 2020
OOPS:
ldapsearch -x -LLL -h yourLDAPserver -p 389 -D
uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org
"(uid=awong)" displayName mail uid sn givenName isMemberOf
On 11/30/20 12:24 PM, Donald Lohr wrote:
> The isMemberOf attribute is an operational attribute on the user. The
> uniqueMember (or member) attribute is an attribute on the group
> (showing all users that are in the group).
>
> You should be able to use the LDAP service/utility account that you've
> configured Shibboleth to use and perform an ldapsearch against your
> LDAP service and ask the ldapsearch to return "returnAttributes" you
> are listing below.
>
>
> Using OpenLDAP's ldapsearch in this example:
>
> ldapsearch -x -LLL -h yourLDAPserver -p 389 -D
> myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org
> "(uid=awong)" displayName mail uid sn givenName isMemberOf
>
> The search should return the 6 requested attributes. You might have to
> add an ACL for the isMemberOf attribute to your LDAP server so your
> Shibboleth service/utility account can see it.
>
> Don
>
> On 11/30/20 10:01 AM, Feinstein, Moses wrote:
>>
>> I am trying to return group membership for the user who is
>> authenticating via Shibboleth 4.0.1.
>>
>> The configuration below works if I substitute “isMemberOf” in the
>> attribute resolver with any other attribute (displayName, for example);
>> however, for some reason it is unable to read “isMemberOf”: it returns
>> nothing for the group membership even though the user is a member of
>> the group (cn=testgroup,ou=Groups,dc=example,dc=org).
>>
>> Since “isMemberOf” is one of the operational attributes, I am not sure
>> whether anything else needs to be configured on the Shibboleth side.
>>
>> Am I missing something in my configuration below that is needed to read
>> the operational attribute “isMemberOf” from the LDAP?
>>
>> If anyone has a good example on how to read group membership it would
>> be very helpful. Thanks.
>>
>> Attribute-filter:
>>
>> <AttributeRule attributeID="membership" permitAny="true" />
>>
>> Ldap.properties:
>>
>> idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf
>>
>> Attribute-resolver:
>>
>> <AttributeDefinition xsi:type="Simple" id="isMemberOf">
>>     <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
>> </AttributeDefinition>
>>
>> <AttributeDefinition id="membership" xsi:type="Mapped">
>>     <InputAttributeDefinition ref="isMemberOf" />
>>     <DefaultValue passThru="true"/>
>>     <ValueMap>
>>         <ReturnValue>return_membership</ReturnValue>
>>         <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
>>     </ValueMap>
>>     <AttributeEncoder xsi:type="SAML2String" name="membership"
>>         friendlyName="membership" encodeType="false" />
>> </AttributeDefinition>
>>
>> LDAP user is part of this group:
>>
>> uid=awong,ou=People,dc=example,dc=org
>> isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>>
>> *Moses Feinstein*
>>
>> Touro College and University System
>>
>>
>
> --
> D o n a l d L o h r
> I n f o r m a t i o n S y s t e m s
> J a m e s M a d i s o n U n i v e r s i t y
> 5 4 0 . 5 6 8 . 3 7 3 0
>
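The two things the thread turns on are whether the service account can actually read the operational attribute (Don's ldapsearch check) and what the Mapped definition in Moses' resolver does with the values it gets. The script below is an added example, not code from either post or from Shibboleth: it emulates that Mapped definition (case-insensitive SourceValue, passThru default) over constructed ldapsearch -LLL output, once with isMemberOf visible and once with it missing as it would be without an ACL.

```python
"""Emulate the Mapped attribute definition from the thread against an
ldapsearch -LLL result (constructed sample data, not from the list)."""
# Constructed output when the service account CAN read isMemberOf.
LDIF_WITH_ACL = """\
dn: uid=awong,ou=People,dc=example,dc=org
uid: awong
displayName: A Wong
isMemberOf: cn=TestGroup,ou=Groups,dc=example,dc=org
isMemberOf: cn=staff,ou=Groups,dc=example,dc=org
"""

# Constructed output when the account lacks an ACL on the operational
# attribute: the entry is returned, isMemberOf is silently absent.
LDIF_NO_ACL = """\
dn: uid=awong,ou=People,dc=example,dc=org
uid: awong
displayName: A Wong
"""

# Mirrors the <ValueMap>: one SourceValue with caseSensitive="false".
VALUE_MAP = {"cn=testgroup,ou=Groups,dc=example,dc=org": "return_membership"}


def parse_ldif(text):
    """Return {attr: [values]} for one LDIF entry (-LLL output)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("dn:"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs


def map_membership(attrs, pass_thru=True):
    """Match isMemberOf DNs against VALUE_MAP ignoring case; unmatched DNs
    pass through only when <DefaultValue passThru="true"/> is present."""
    lowered = {k.lower(): v for k, v in VALUE_MAP.items()}
    out = []
    for dn in attrs.get("isMemberOf", []):
        mapped = lowered.get(dn.lower())
        if mapped is not None:
            out.append(mapped)
        elif pass_thru:
            out.append(dn)
    return out


if __name__ == "__main__":
    print(map_membership(parse_ldif(LDIF_WITH_ACL)))
    print(map_membership(parse_ldif(LDIF_NO_ACL)))  # [] -> fix the LDAP ACL
```

An empty result for the second input is exactly the symptom in the question: the resolver is not at fault when the directory never hands the attribute to the bind account.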