Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at touro.edu
Mon Nov 30 18:31:36 UTC 2020


Yes, with the OpenDJ equivalent of the OpenLDAP ldapsearch I am able to perform a similar query with the same account that I am using, which is a root account for this test, to eliminate any permission-related issues:

My query successfully returns "isMemberOf". I do have an OpenLDAP implementation as well and actually wanted to test whether I can get it to work with OpenLDAP, although I do have it working just fine in Shib 3.4 with OpenDJ.

QUERY:
sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL --bindDN "cn=Directory Manager" -b "dc=example,dc=org" "(uid=awong)" uid mail isMemberOf


RESPONSE LOOKS LIKE THIS:
dn: uid=awong,ou=People,dc=example,dc=org
mail: awong@example.org
uid: awong
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org


I simply don't understand why Shib is able to read all other attributes, but not "isMemberOf"...




Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu


From: users <users-bounces at shibboleth.net> On Behalf Of Donald Lohr
Sent: Monday, November 30, 2020 12:29 PM
To: users at shibboleth.net
Subject: Re: Reading groups membership in Shibboleth 4.0.1

OOPS:

ldapsearch -x -LLL -h yourLDAPserver -p 389 -D uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf
On 11/30/20 12:24 PM, Donald Lohr wrote:
The isMemberOf attribute is an operational attribute on the user. The uniqueMember (or member) attribute is an attribute on the group (listing all users that are in the group).

You should be able to use the LDAP service/utility account that you've configured Shibboleth to use, perform an ldapsearch against your LDAP service, and ask ldapsearch to return the "returnAttributes" you are listing below.


Using OpenLDAP's ldapsearch in this example:

ldapsearch -x -LLL -h yourLDAPserver -p 389 -D myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf

The search should return the 6 requested attributes. You might have to add an ACL for the isMemberOf attribute to your LDAP server so your Shibboleth service/utility account can see it.

Don
On 11/30/20 10:01 AM, Feinstein, Moses wrote:

I am trying to return group membership for the user who is authenticating via Shibboleth 4.0.1

The configuration below works if I substitute "isMemberOf" in the attribute resolver with any other attribute (displayName, for example); however, for some reason it is unable to read "isMemberOf". It returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).

Since "isMemberOf" is an operational attribute, I am not sure whether there is anything else that needs to be configured on the Shibboleth side.

Am I missing something in my configuration below to be able to read operational attribute "isMemberOf" from the LDAP?

If anyone has a good example on how to read group membership it would be very helpful. Thanks.


Attribute-filter:
    <AttributeRule attributeID="membership" permitAny="true" />

Ldap.properties:
    idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf


Attribute-resolver:
<AttributeDefinition xsi:type="Simple" id="isMemberOf">
    <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
</AttributeDefinition>

<AttributeDefinition id="membership" xsi:type="Mapped">
    <InputAttributeDefinition ref="isMemberOf" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>return_membership</ReturnValue>
        <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
    </ValueMap>
    <AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
</AttributeDefinition>


LDAP user is part of this group:
    dn: uid=awong,ou=People,dc=example,dc=org
    isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org



Moses Feinstein
Touro College and University System







--

D o n a l d   L o h r

I n f o r m a t i o n   S y s t e m s

J a m e s   M a d i s o n   U n i v e r s i t y

5 4 0 . 5 6 8 . 3 7 3 0





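Donald's advice above is to run the search as the account the IdP itself binds with, and to add an access rule if that account cannot see isMemberOf. The script below is an added example, not code from this thread or from the Shibboleth project. It assumes a hypothetical service account uid=shibsvc,ou=Services,dc=example,dc=org and the host ldap.example.org; cn=Directory Manager is OpenDJ's root account and bypasses access control, so a search bound as Directory Manager does not show what the service account is allowed to read. It defines the service-account search with the same attribute list as idp.attribute.resolver.LDAP.returnAttributes, a check that reports which of those attributes are missing from the LDIF that search returned, and a generator for the OpenDJ ACI (the ACI name is also an assumption) that grants the account read access to isMemberOf.

```shell
#!/bin/sh
# Added example, not from the thread: check which attributes listed in
# idp.attribute.resolver.LDAP.returnAttributes actually come back when the
# IdP's own service account runs the search, and build the OpenDJ ACI that
# grants that account read access to the operational attribute isMemberOf.
# uid=shibsvc,ou=Services and ldap.example.org are assumed names.

RETURN_ATTRS="displayName,mail,uid,sn,givenName,isMemberOf"

# search_as_service_account <filter>: run the search the way the IdP does,
# bound as the service account rather than cn=Directory Manager (the root
# account bypasses ACIs, so it cannot show what the service account sees).
# Operational attributes are only returned when named explicitly, so the
# attribute list is passed through unchanged.  Usage:
#   search_as_service_account uid=awong > awong.ldif
search_as_service_account() {
    ldapsearch -x -LLL -H ldaps://ldap.example.org:636 \
        -D "uid=shibsvc,ou=Services,dc=example,dc=org" -W \
        -b "ou=People,dc=example,dc=org" "($1)" \
        $(printf '%s' "$RETURN_ATTRS" | tr ',' ' ')
}

# missing_attrs <ldif-file>: print every attribute in RETURN_ATTRS that does
# not appear in the LDIF (attribute names compare case-insensitively, as in
# LDAP); return 1 if any is missing, 0 if all were returned.
missing_attrs() {
    rc=0
    for a in $(printf '%s' "$RETURN_ATTRS" | tr ',' ' '); do
        if ! grep -iq "^$a:" "$1"; then
            echo "$a"
            rc=1
        fi
    done
    return $rc
}

# aci_ldif <service-account-dn>: LDIF adding an OpenDJ ACI on the suffix that
# lets the given account read, search and compare isMemberOf on entries
# below it.  Apply with:  aci_ldif "$DN" | ldapmodify -H ldaps://... -D ... -W
aci_ldif() {
    cat <<EOF
dn: dc=example,dc=org
changetype: modify
add: aci
aci: (targetattr="isMemberOf")(version 3.0; acl "Shibboleth reads isMemberOf"; allow (read,search,compare) userdn="ldap:///$1";)
EOF
}
```

The attribute is requested by name on purpose: the LDAP `*` selector returns only user attributes, so an operational attribute such as isMemberOf comes back only when listed explicitly, which is what the returnAttributes property in the thread does. The ACI part is for the OpenDJ deployment described above; on OpenLDAP the memberof overlay exposes `memberOf` rather than `isMemberOf`, and read access is granted with an `olcAccess` rule, not an ACI.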