Reading groups membership in Shibboleth 4.0.1

[Feinstein, Moses]

For ldap.properties, I do have “isMemberOf” listed.

idp.attribute.resolver.LDAP.returnAttributes         = displayName,mail,uid,sn,givenName,isMemberOf

I am able to return all other listed attributes without any issues, it’s just “isMemberOf” that is not returning.

If you have attribute resolver configuration for openldap membership relase, that would be helpful as well. I am going to try the same in openldap and see if I can I parse group membership.






Moses Feinstein
Sr. Software / IAM Engineer, App Dev Dept
Emaill: moses.feinstein at touro.edu<mailto:moses.feinstein at touro.edu>


From: users <users-bounces at shibboleth.net> On Behalf Of Daniel Fisher
Sent: Monday, November 30, 2020 5:11 PM
To: Shib Users <users at shibboleth.net>
Subject: Re: Reading groups membership in Shibboleth 4.0.1

External Email
On Mon, Nov 30, 2020 at 10:01 AM Feinstein, Moses <moses.feinstein at touro.edu<mailto:moses.feinstein at touro.edu>> wrote:

Below configuration works, if I substitute “isMemberOf” in attribute resolver with any other attribute (displayName for example), however for some reason it is unable to read “isMemberOf”, it returns nothing for the group membership even though the user is a member of the group (cn=testgroup,ou=Groups,dc=example,dc=org).

Since “isMemberOf” is part of operational attributes, I am not sure if there is anything else that needs to be configured on Shibboleth side.

Am I missing something in my configuration below to be able to read operational attribute “isMemberOf” from the LDAP?

What does your DataConnector configuration look like? Assuming the permissions are correct, requesting isMemberOf specifically is all you need to do.

--Daniel Fisher
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://shibboleth.net/pipermail/users/attachments/20201130/93c26016/attachment.htm>