Reading groups membership in Shibboleth 4.0.1

Feinstein, Moses moses.feinstein at
Mon Nov 30 18:31:36 UTC 2020

Yes, the equivalent of openldap in opendj: I am able to perform a similar query with the same account that I am using, which is a root account for this test to eliminate any permissions-related issues:

My query successfully returns "IsMemberOf". I do have an openldap implementation as well and actually wanted to test if I can get it to work with openldap, although I do have it working just fine in Shib 3.4 with opendj.

sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL --bindDN "cn=Directory Manager" -b "dc=example,dc=org" "(uid=awong)" uid mail isMemberOf

dn: uid=awong,ou=People,dc=example,dc=org
mail: awong at
uid: awong
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org

I simply don't understand why Shib is able to read all other attributes, but not "isMemberOf"...

Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at

From: users <users-bounces at> On Behalf Of Donald Lohr
Sent: Monday, November 30, 2020 12:29 PM
To: users at
Subject: Re: Reading groups membership in Shibboleth 4.0.1


ldapsearch -x -LLL -h yourLDAPserver -p 389 -D uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf
On 11/30/20 12:24 PM, Donald Lohr wrote:
The isMemberOf attribute is an operational attribute on the user. The uniquemember (or member) attribute is an attribute on the group (showing all users that are in the group).

You should be able to use the LDAP service/utility account that you've configured Shibboleth to use and perform an ldapsearch against your LDAP service, asking ldapsearch to return the "returnAttributes" you are listing below.

Using OpenLDAP's ldapsearch in this example:

ldapsearch -x -LLL -h yourLDAPserver -p 389 -D myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf

The search should return the 6 requested attributes. You might have to add an ACL for the isMemberOf attribute to your LDAP server so your Shibboleth service/utility account can see it.

On 11/30/20 10:01 AM, Feinstein, Moses wrote:

I am trying to return group membership for the user who is authenticating via Shibboleth 4.0.1.

The configuration below works if I substitute "isMemberOf" in the attribute resolver with any other attribute (displayName for example); however, for some reason it is unable to read "isMemberOf": it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).

Since "isMemberOf" is one of the operational attributes, I am not sure if there is anything else that needs to be configured on the Shibboleth side.

Am I missing something in my configuration below to be able to read the operational attribute "isMemberOf" from LDAP?

If anyone has a good example on how to read group membership it would be very helpful. Thanks.

<AttributeRule attributeID="membership" permitAny="true" />

idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf

<AttributeDefinition xsi:type="Simple" id="isMemberOf">
    <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
</AttributeDefinition>

<AttributeDefinition id="membership" xsi:type="Mapped">
    <InputAttributeDefinition ref="isMemberOf" />
    <AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <!-- ReturnValue not shown in the original post; placeholder value -->
        <ReturnValue>PLACEHOLDER_RETURN_VALUE</ReturnValue>
        <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
    </ValueMap>
</AttributeDefinition>

LDAP user is part of this group:
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org

Moses Feinstein
Touro College and University System


Donald Lohr
Information Systems
James Madison University
540.568.3730

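A check for the verification step Donald describes above: run ldapsearch as the IdP's service account and see whether every attribute listed in idp.attribute.resolver.LDAP.returnAttributes actually comes back. This is an added example, not code from the thread or from Shibboleth: it parses LDIF output and diffs it against the configured attribute list; the LDIF it ships with is constructed sample output in which isMemberOf is absent, which is what the result looks like when an ACL hides the operational attribute from the service account.

```python
import base64

# Constructed sample output of the ldapsearch from the thread, run as the IdP
# service account, in which the operational attribute isMemberOf is absent
# (the picture you get when an ACL hides it from that account).
SAMPLE_LDIF = """\
dn: uid=awong,ou=People,dc=example,dc=org
displayName:: QWxleCBXb25n
mail: awong@example.org
uid: awong
sn: Wong
givenName: Alex
"""

# Value of idp.attribute.resolver.LDAP.returnAttributes as posted in the thread.
RETURN_ATTRIBUTES = "displayName,mail,uid,sn,givenName,isMemberOf"


def parse_ldif_entry(ldif_text):
    """Parse one LDIF entry into {lowercased attribute name: [values]}."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # folded line continues the previous one
        else:
            lines.append(raw)
    entry = {}
    for line in lines:
        if not line or line.startswith("#") or line.lower().startswith("dn:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def check_returned_attributes(ldif_text, return_attributes):
    """Report which configured attributes came back and which did not.

    LDAP attribute names are case-insensitive, so the comparison is too.
    """
    entry = parse_ldif_entry(ldif_text)
    requested = [a.strip() for a in return_attributes.split(",") if a.strip()]
    present = [a for a in requested if a.lower() in entry]
    missing = [a for a in requested if a.lower() not in entry]
    return present, missing
```

For a real run, pass the output of the ldapsearch command quoted above in place of SAMPLE_LDIF; anything left in `missing` is an attribute the service account cannot read (or did not request), which is exactly what the IdP resolver will see.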