LDAP nested groups membership not working as expected

Armando Martins armando.mart1s at gmail.com
Fri Jun 11 08:42:12 UTC 2021


Hi,

I'm trying to set up LDAP nested groups on my Shibboleth 4.1.2, but it seems
that the value of $distinguishedName.get(0) is never replaced by the
attribute resolved by my dependent LDAP DataConnector.

The first LDAP Data Connector retrieves the distinguishedName from my
OpenLDAP, and that works fine, because in the OpenLDAP logs I see the request
with no errors (I have also done the same request with ldapsearch):

slapd[765]: conn=1975922 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=testuser)"
slapd[765]: conn=1975922 op=1 SRCH attr=distinguishedName
slapd[765]: conn=1975922 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=

But in my Shibboleth logs I always have this error:

ERROR [net.shibboleth.idp.profile.impl.ResolveAttributes:300] - Profile Action ResolveAttributes: Error resolving attributes
net.shibboleth.idp.attribute.resolver.ResolutionException: Data Connector 'myLDAPGroups': Unable to execute LDAP search
        at net.shibboleth.idp.attribute.resolver.dc.ldap.impl.LDAPDataConnector.retrieveAttributes(LDAPDataConnector.java:225)
Caused by: org.ldaptive.LdapException: LDAPException(resultCode=87 (filter error), numEntries=0, numReferences=0, errorMessage='Unable to parse string '(&(objectClass=groupOfUniqueNames)(uniquemember=$distinguishedName.get(0)))' as an LDAP filter because it contains an unexpected opening parenthesis at position 71.', ldapSDKVersion=4.0.14, revision=c0fb784eebf9d36a67c736d0428fb3577f2e25bb')

So, it seems that $distinguishedName.get(0) is never replaced by the value
returned by the primary LdapConnector. I don't understand why, because I
have followed the documentation
(https://wiki.shibboleth.net/confluence/display/IDP4/LDAPNestedGroups) and
to me my configuration looks fine.

I know I'm missing something and I keep looking. But if someone can help me
find what I'm doing wrong, that would be really nice.

I'm using Shibboleth IdP v4.1.2 with Tomcat 9.0.31 and OpenJDK 11.0.11 on a
Debian 10 server.

And here is my attribute-resolver.xml configuration:

<!--Attributes definition-->
<AttributeDefinition id="distinguishedName" xsi:type="Simple">
  <InputDataConnector ref="myLDAP" attributeNames="distinguishedName" />
  <AttributeEncoder xsi:type="SAML2ScopedString" name="distinguishedName" friendlyName="distinguishedName" encodeType="false" />
</AttributeDefinition>

<AttributeDefinition id="isMemberOfRecursive" xsi:type="Simple">
  <InputDataConnector ref="myLDAPGroups" attributeNames="cn" />
  <AttributeEncoder xsi:type="SAML2String" name="isMemberOf" friendlyName="isMemberOf" />
</AttributeDefinition>

<!--Primary LdapConnector-->
    <DataConnector id="myLDAP" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}">
        <FilterTemplate>
            <![CDATA[
                %{idp.attribute.resolver.LDAP.searchFilter}
            ]]>
        </FilterTemplate>
        <ReturnAttributes>distinguishedName</ReturnAttributes>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
    </DataConnector>

<!--NestedGroups LdapConnector-->
    <DataConnector id="myLDAPGroups" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        maxResultSize="0">

        <InputDataConnector ref="myLDAP" attributeNames="distinguishedName" />
        <FilterTemplate>
            <![CDATA[
                (&(objectClass=groupOfUniqueNames)(uniquemember=$distinguishedName.get(0)))
            ]]>
        </FilterTemplate>
        <ReturnAttributes>cn</ReturnAttributes>
        <ConnectionPool
            minPoolSize="%{idp.pool.LDAP.minSize:3}"
            maxPoolSize="%{idp.pool.LDAP.maxSize:10}"
            blockWaitTime="%{idp.pool.LDAP.blockWaitTime:PT3S}"
            validatePeriodically="%{idp.pool.LDAP.validatePeriodically:true}"
            validateTimerPeriod="%{idp.pool.LDAP.validatePeriod:PT5M}"
            expirationTime="%{idp.pool.LDAP.idleTime:PT10M}" />
    </DataConnector>

Thanks
-- 
Armando Martins
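The error quoted in the post is what the LDAP library returns when the FilterTemplate reaches it with the Velocity reference still inside: `$distinguishedName.get(0)` is left verbatim when the dependency connector put no `distinguishedName` value into the template context, and the `(` of `.get(0)` then makes the string an invalid RFC 4515 filter. (The slapd log shows one entry matched, but not whether that entry actually carried a `distinguishedName` attribute; OpenLDAP exposes an entry's DN as the operational attribute `entryDN`, which is worth checking with ldapsearch by requesting it by name.) The following Python script is an added example, not part of the post and not Shibboleth IdP or ldaptive code. It models the two steps, template rendering and filter parsing, with a small RFC 4515 structural checker, reproduces the failure on the post's template with an empty context, and shows why a substituted DN must be escaped before it goes into a filter. The `$attr.get(i)` handling, the leave-unresolved-references-verbatim behaviour (Velocity's default), and the sample DNs are all constructed for this example.

```python
# Added example (not part of the original post or of the Shibboleth IdP /
# ldaptive code): a small model of what an LDAPDirectory data connector does
# with its FilterTemplate.  Attributes returned by the dependency connector
# are placed in a template context, the template is rendered, and the result
# is handed to the LDAP library as a search filter.  Shown here:
#  - when the dependency attribute is absent from the context, the
#    Velocity-style reference is left as literal text and the resulting
#    string is rejected at the '(' of '.get(0)';
#  - the substituted value is escaped per RFC 4515, so a DN containing
#    '(' ')' '*' or '\' can neither break nor alter the filter.
# The template syntax handled and all sample DNs are constructed for this example.
import re

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
_HEX = set("0123456789abcdefABCDEF")
_REF = re.compile(r"\$(\w+)\.get\((\d+)\)")   # $attr.get(i), as used in the post


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_template(template: str, context: dict, escape: bool = True) -> str:
    """Substitute $attr.get(i) references from context (name -> list of values).
    An unresolvable reference is left verbatim, as Velocity does by default."""
    def repl(m):
        values = context.get(m.group(1))
        idx = int(m.group(2))
        if not values or idx >= len(values):
            return m.group(0)          # reference survives as literal text
        return escape_filter_value(values[idx]) if escape else values[idx]
    return _REF.sub(repl, template).strip()


def check_filter(f: str) -> int:
    """Structural RFC 4515 check (AND/OR/NOT, equality-style items, \\xx escapes).
    Returns -1 if f is a well-formed filter, else the 0-based offset of the
    first character at which parsing fails."""
    n = len(f)

    class Bad(Exception):
        def __init__(self, pos: int):
            self.pos = pos

    def item(i: int) -> int:
        j = i
        while j < n and (f[j].isalnum() or f[j] in "-.;"):   # attribute description
            j += 1
        if j == i:
            raise Bad(i)
        if j < n and f[j] in "~><":                          # ~= >= <=
            j += 1
        if j >= n or f[j] != "=":
            raise Bad(j)
        j += 1
        while j < n and f[j] != ")":                         # assertion value
            if f[j] in "(\x00":
                raise Bad(j)          # unescaped '(' or NUL inside a value
            if f[j] == "\\":
                if j + 2 >= n or f[j + 1] not in _HEX or f[j + 2] not in _HEX:
                    raise Bad(j)
                j += 3
            else:
                j += 1
        return j

    def filt(i: int) -> int:
        if i >= n or f[i] != "(":
            raise Bad(i)
        i += 1
        if i >= n:
            raise Bad(i)
        if f[i] in "&|":
            i += 1
            if i >= n or f[i] != "(":
                raise Bad(i)
            while i < n and f[i] == "(":
                i = filt(i)
        elif f[i] == "!":
            i = filt(i + 1)
        else:
            i = item(i)
        if i >= n or f[i] != ")":
            raise Bad(i)
        return i + 1

    try:
        end = filt(0)
    except Bad as e:
        return e.pos
    return -1 if end == n else end


TEMPLATE = "(&(objectClass=groupOfUniqueNames)(uniquemember=$distinguishedName.get(0)))"


def demo() -> dict:
    """Render the post's template under three constructed contexts; return
    name -> (rendered filter, check_filter result)."""
    cases = {
        "missing": {},    # dependency attribute never came back from the directory
        "normal": {"distinguishedName": ["uid=testuser,ou=People,dc=example,dc=com"]},
        "special": {"distinguishedName": ["cn=Test (Admin),ou=People,dc=example,dc=com"]},
    }
    out = {}
    for name, ctx in cases.items():
        rendered = render_template(TEMPLATE, ctx)
        out[name] = (rendered, check_filter(rendered))
    unsafe = render_template(TEMPLATE, cases["special"], escape=False)   # no escaping
    out["special_unescaped"] = (unsafe, check_filter(unsafe))
    return out


if __name__ == "__main__":
    for name, (rendered, pos) in demo().items():
        status = "ok" if pos < 0 else "error at offset %d" % pos
        print("%-18s %-20s %s" % (name, status, rendered))
```

`check_filter` reports 0-based offsets; on the post's template with an empty context it stops at offset 70, the `(` in `.get(0)`, which is the same parenthesis the UnboundID message complains about. With a real DN in the context the rendered filter parses, and a DN containing parentheses still parses once it is escaped (`\28`, `\29`). Pasted in unescaped, the same DN fails at offset 56; a DN containing `*` would instead silently turn the equality match into a substring match, which is the LDAP filter injection case to keep in mind whenever a value from one lookup is spliced into the filter of another.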