Reading groups membership in Shibboleth 4.0.1

IAM David Bantz dabantz at alaska.edu
Mon Nov 30 19:40:45 UTC 2020


Isn’t the attribute “memberOf” in AD, not “isMemberOf”?

David St. Pierre Bantz
U Alaska IAM

On 30Nov, 2020 at 09:31:36, Feinstein, Moses <moses.feinstein at touro.edu>
wrote:

> Yes, equivalent to openldap in opendj I am able to perform similar query
> with the same account that I am using, which is a root account for this
> test to eliminate any permissions related issues:
>
>
>
> My query successfully returns “IsMemberOf”. I do have openldap
> implementation as well and actually wanted to test if I can get it to work
> with openldap. Although, I do have it working just fine in Shib 3.4 with
> opendj.
>
>
>
> QUERY:
>
> sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL
> --bindDN "cn=Directory Manager" -b "dc=example,dc=org"
> "(uid=awong)" uid mail isMemberOf
>
> RESPONSE LOOKS LIKE THIS:
>
> dn: uid=awong,ou=People,dc=example,dc=org
> mail: awong at example.org
> uid: awong
> isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>
> I simply don’t understand why Shib is able to read all other attributes,
> but not “isMemberOf”….
>
> *Moses Feinstein*
> *Sr. Software / IAM Engineer, App Dev Dept*
> *Email*: moses.feinstein at touro.edu
>
> *From:* users <users-bounces at shibboleth.net> *On Behalf Of *Donald Lohr
> *Sent:* Monday, November 30, 2020 12:29 PM
> *To:* users at shibboleth.net
> *Subject:* Re: Reading groups membership in Shibboleth 4.0.1
>
>
>
> *External Email*
>
> OOPS:
>
> ldapsearch -x -LLL -h yourLDAPserver -p 389 -D
> uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org
> "(uid=awong)" displayName mail uid sn givenName isMemberOf
>
> On 11/30/20 12:24 PM, Donald Lohr wrote:
>
> ------------------------------
>
> The isMemberOf attribute is an operational attribute on the user. The
> uniquemember (or member) attribute is an attribute on the group (showing
> all users that are in the group).
>
> You should be able to use the LDAP service/utility account that you've
> configured Shibboleth to use and perform an ldapsearch against your LDAP
> service and ask the ldapsearch to return "returnAttributes" you are listing
> below.
>
>
> Using OpenLDAP's ldapsearch in this example:
>
> ldapsearch -x -LLL -h yourLDAPserver -p 389 -D myShibbolethServiceAccount
> -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn
> givenName isMemberOf
>
> The search should return the 6 requested attributes. You might have to add
> an ACL for the isMemberOf attribute to your LDAP server so your Shibboleth
> service/utility account can see it.
>
> Don
>
> On 11/30/20 10:01 AM, Feinstein, Moses wrote:
>
> I am trying to return group membership for the user who is authenticating
> via Shibboleth 4.0.1.
>
> The configuration below works if I substitute “isMemberOf” in the attribute
> resolver with any other attribute (displayName for example); however, for
> some reason it is unable to read “isMemberOf”: it returns nothing for the
> group membership even though the user is a member of the group
> (cn=testgroup,ou=Groups,dc=example,dc=org).
>
> Since “isMemberOf” is part of the operational attributes, I am not sure if
> there is anything else that needs to be configured on the Shibboleth side.
>
> Am I missing something in my configuration below to be able to read the
> operational attribute “isMemberOf” from the LDAP?
>
> If anyone has a good example of how to read group membership it would be
> very helpful. Thanks.
>
> Attribute-filter:
>
> <AttributeRule attributeID="membership" permitAny="true" />
>
> Ldap.properties:
>
> idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf
>
> Attribute-resolver:
>
> <AttributeDefinition xsi:type="Simple" id="isMemberOf">
>     <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
> </AttributeDefinition>
>
> <AttributeDefinition id="membership" xsi:type="Mapped">
>     <InputAttributeDefinition ref="isMemberOf" />
>     <DefaultValue passThru="true"/>
>     <ValueMap>
>         <ReturnValue>return_membership</ReturnValue>
>         <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
>     </ValueMap>
>     <AttributeEncoder xsi:type="SAML2String" name="membership"
>                       friendlyName="membership" encodeType="false" />
> </AttributeDefinition>
>
> Ldap user is part of this group:
>
> uid=awong,ou=People,dc=example,dc=org
> isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
>
> *Moses Feinstein*
> Touro College and University System
>
> --
> Donald Lohr
> Information Systems
> James Madison University
> 540.568.3730
>
> --
> For Consortium Member technical support, see
> https://wiki.shibboleth.net/confluence/x/coFAAg
> To unsubscribe from this list send an email to
> users-unsubscribe at shibboleth.net
>
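Added example (not code from this thread or from the Shibboleth project): a small checker that parses the LDIF an ldapsearch prints when run as the account the IdP binds with, reports which of the configured returnAttributes did not come back (an absent isMemberOf is the ACL symptom Don describes), and then applies the thread's Mapped ValueMap (case-insensitive SourceValue, DefaultValue passThru) to the isMemberOf values the way the resolver would. The LDIF below is a constructed sample, and the mapping logic is a simplified re-implementation of the Mapped definition, not Shibboleth's own code.

```python
import re

# Constructed sample LDIF, modelled on the search in the thread but requesting
# all six attributes from ldap.properties.  Delete the isMemberOf line to
# reproduce the "everything but isMemberOf comes back" symptom.
SAMPLE_LDIF = """\
dn: uid=awong,ou=People,dc=example,dc=org
displayName: Alice Wong
mail: awong@example.org
uid: awong
sn: Wong
givenName: Alice
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
"""

# idp.attribute.resolver.LDAP.returnAttributes from the thread.
RETURN_ATTRIBUTES = "displayName,mail,uid,sn,givenName,isMemberOf"

# The thread's ValueMap: (ReturnValue, SourceValue regex).
VALUE_MAP = [("return_membership", r"cn=testgroup,ou=Groups,dc=example,dc=org")]


def parse_ldif(text):
    """Return {attribute_name_lowercased: [values]} for one LDIF entry.
    Only plain 'name: value' lines are handled (no base64 '::' or folding)."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_attributes(entry, return_attributes):
    """Requested attributes the directory did not return for this bind account.
    LDAP attribute names are case-insensitive, so compare lowercased."""
    return [a for a in return_attributes.split(",") if a.lower() not in entry]


def map_membership(entry, value_map, case_sensitive=False, pass_thru=True):
    """Simplified Mapped definition: each isMemberOf value is matched against
    every SourceValue regex; a hit emits the ReturnValue, a miss passes the raw
    value through only when DefaultValue passThru="true".  No isMemberOf values
    (the thread's problem) yields an empty result, i.e. no membership released."""
    flags = 0 if case_sensitive else re.IGNORECASE
    out = []
    for value in entry.get("ismemberof", []):
        hits = [ret for ret, pat in value_map if re.fullmatch(pat, value, flags)]
        out.extend(hits if hits else ([value] if pass_thru else []))
    return out
```

Run it against the real ldapsearch output captured with the IdP's service account (not cn=Directory Manager): if isMemberOf shows up in the missing list there, the fix is on the directory ACL side, not in attribute-resolver.xml.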