Reading groups membership in Shibboleth 4.0.1
Feinstein, Moses
moses.feinstein at touro.edu
Mon Nov 30 21:07:16 UTC 2020
It’s different from MS AD or OpenLDAP.
This is ForgeRock OpenDJ LDAP; the default group membership attribute is “isMemberOf”:
dn: uid=awong,ou=People,dc=example,dc=org
uid: awong
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
From: users <users-bounces at shibboleth.net> On Behalf Of IAM David Bantz
Sent: Monday, November 30, 2020 2:41 PM
To: Shib Users <users at shibboleth.net>
Subject: RE: Reading groups membership in Shibboleth 4.0.1
Isn’t the attribute “memberOf” in AD, not “isMemberOf” ?
David St. Pierre Bantz
U Alaska IAM
On 30 Nov 2020, at 09:31:36, Feinstein, Moses <moses.feinstein at touro.edu> wrote:
Yes, it’s equivalent to OpenLDAP. In OpenDJ I am able to perform a similar query with the same account that I am using, which is a root account for this test, to eliminate any permissions-related issues:
My query successfully returns “isMemberOf”. I do have an OpenLDAP implementation as well and actually wanted to test if I can get it to work with OpenLDAP, although I do have it working just fine in Shib 3.4 with OpenDJ.
QUERY:
sh ldapsearch --port 1636 --hostname localhost --trustAll --useSSL --bindDN "cn=Directory Manager" -b "dc=example,dc=org" "(uid=awong)" uid mail isMemberOf
RESPONSE LOOKS LIKE THIS:
dn: uid=awong,ou=People,dc=example,dc=org
mail: awong at example.org
uid: awong
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
I simply don’t understand why Shib is able to read all other attributes, but not “isMemberOf”….
Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Email: moses.feinstein at touro.edu
From: users <users-bounces at shibboleth.net> On Behalf Of Donald Lohr
Sent: Monday, November 30, 2020 12:29 PM
To: users at shibboleth.net
Subject: Re: Reading groups membership in Shibboleth 4.0.1
OOPS:
ldapsearch -x -LLL -h yourLDAPserver -p 389 -D uid=myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf
On 11/30/20 12:24 PM, Donald Lohr wrote:
The isMemberOf attribute is an operational attribute on the user. The uniquemember (or member) attribute is an attribute on the group (listing all users that are in the group).
You should be able to use the LDAP service/utility account that you've configured Shibboleth to use and perform an ldapsearch against your LDAP service, asking ldapsearch to return the "returnAttributes" you are listing below.
Using OpenLDAP's ldapsearch in this example:
ldapsearch -x -LLL -h yourLDAPserver -p 389 -D myShibbolethServiceAccount -W -Z -b ou=People,dc=example,dc=org "(uid=awong)" displayName mail uid sn givenName isMemberOf
The search should return the 6 requested attributes. You might have to add an ACL for the isMemberOf attribute to your LDAP server so your Shibboleth service/utility account can see it.
Don
On 11/30/20 10:01 AM, Feinstein, Moses wrote:
I am trying to return group membership for the user who is authenticating via Shibboleth 4.0.1.
The configuration below works if I substitute “isMemberOf” in the attribute resolver with any other attribute (displayName, for example); however, for some reason it is unable to read “isMemberOf”: it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).
Since “isMemberOf” is one of the operational attributes, I am not sure if there is anything else that needs to be configured on the Shibboleth side.
Am I missing something in my configuration below to be able to read the operational attribute “isMemberOf” from the LDAP?
If anyone has a good example on how to read group membership it would be very helpful. Thanks.
Attribute-filter:
<AttributeRule attributeID="membership" permitAny="true" />
Ldap.properties:
idp.attribute.resolver.LDAP.returnAttributes = displayName,mail,uid,sn,givenName,isMemberOf
Attribute-resolver:
<AttributeDefinition xsi:type="Simple" id="isMemberOf">
    <InputDataConnector ref="myLDAP" attributeNames="isMemberOf" />
</AttributeDefinition>
<AttributeDefinition id="membership" xsi:type="Mapped">
    <InputAttributeDefinition ref="isMemberOf" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>return_membership</ReturnValue>
        <SourceValue caseSensitive="false">cn=testgroup,ou=Groups,dc=example,dc=org</SourceValue>
    </ValueMap>
    <AttributeEncoder xsi:type="SAML2String" name="membership" friendlyName="membership" encodeType="false" />
</AttributeDefinition>
Ldap user is part of this group:
uid=awong,ou=People,dc=example,dc=org
isMemberOf: cn=testgroup,ou=Groups,dc=example,dc=org
Moses Feinstein
Touro College and University System
--
Donald Lohr
Information Systems
James Madison University
540.568.3730
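Added example, not code from the thread or from Shibboleth: Don's check turned into a script. It parses the LDIF that ldapsearch prints when run as the IdP's own bind account (rather than Directory Manager, which masks ACL problems) and reports which of the returnAttributes from Moses's ldap.properties never came back. The LDIF below is a constructed sample showing what a bind account without read access to the operational attribute typically sees.

```python
# Added diagnostic (not code from the thread or from Shibboleth): report which of the
# ldap.properties returnAttributes are absent from the LDIF an ldapsearch returned.
import base64
import re

# Same list as idp.attribute.resolver.LDAP.returnAttributes in the thread.
RETURN_ATTRIBUTES = "displayName,mail,uid,sn,givenName,isMemberOf"

# Constructed sample: a bind account with no read ACL on isMemberOf typically
# gets the entry back with the operational attribute silently omitted.
SAMPLE_LDIF = """\
dn: uid=awong,ou=People,dc=example,dc=org
displayName: Alice Wong
mail: awong@example.org
uid: awong
sn: Wong
givenName:: QWxpY2U=

"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}}; joins folded lines, decodes 'attr:: b64' values."""
    entries, current, dn = {}, {}, None
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:  # "" flushes last entry
        if not line:
            if dn is not None:
                entries[dn] = current
            current, dn = {}, None
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()).decode() if rest.startswith(":") else rest.strip()
            if name.lower() == "dn":
                dn = value
            else:
                current.setdefault(name, []).append(value)
    return entries

def missing_attributes(ldif_text, return_attributes=RETURN_ATTRIBUTES):
    """Map each DN to the requested attributes not returned (LDAP names are case-insensitive)."""
    wanted = [a.strip() for a in return_attributes.split(",") if a.strip()]
    report = {}
    for dn, attrs in parse_ldif(ldif_text).items():
        present = {k.lower() for k in attrs}
        report[dn] = [a for a in wanted if a.lower() not in present]
    return report

if __name__ == "__main__":
    for dn, missing in missing_attributes(SAMPLE_LDIF).items():
        print(dn, "missing:", missing or "nothing; look at the resolver instead")
```

Against a real directory, pipe the output of Don's ldapsearch command, run with the IdP's bind DN, into missing_attributes(); an attribute listed as missing there is an ACL or operational-attribute problem on the LDAP side, not a resolver problem.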
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net