attribute resolver, filter, and value munging
zach at temple.edu
Fri Apr 29 18:27:05 UTC 2022
Hi shib users!
We're running shib 4.2, and I have a question about how best to handle what I would imagine is a common scenario. We're trying to support central authz, and a simplified version is below.
We have LDAP groups (object classes: eduMember, organizationalUnit). These have delegated management in various OUs, and each SP would have groups under some base DN.
We want to release only the leaf OU for groups that are under a base DN, where the base DN is dependent on the SP. That is, we want to filter per SP based on the full DN, but release only the leaf OU.
Currently, we have a DataConnector that searches OpenLDAP with a root DN that contains everything, and fetches the entrydn and the ou. So, we have both pieces of data separately.
Clearly, we could create a separate DataConnector for each SP that uses the appropriate search base. But that sounds like it scales horribly because each DataConnector has its own connection pool (please correct me if I'm wrong and they can be configured to share a pool).
We could create a scripted attribute resolver that takes the DNs and does the logic of figuring out what to include. But it sounds like that requires a separate attribute per SP, and again would not scale well.
We could create a scripted attribute filter that does the logic. These would be all very similar, but this sounds like it might be the most reasonable.
We could write a bean to provide a function to do this, but I'd prefer something that can be done in the config files and not require recompiling anything.
I'm sure there are a lot of other ways of doing this that I'm not aware of, and any advice is welcome!
Is there a canonical way to do something like this? Are you doing something similar, and how is it working out?
Office of Identity and Access Management
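The filtering described in the post (keep only group DNs under an SP-dependent base DN, then release just the leaf OU), written out as a stand-alone JavaScript example. This is added illustration, not code from the poster or from the Shibboleth project: the SP entityID to base DN mapping and all DNs are constructed sample values, and the functions are hypothetical names. In an IdP ScriptedAttribute definition the recipient entityID would come from resolutionContext.getAttributeRecipientID() and the DNs from the dependency attribute, neither of which is modelled here; the point shown is that the logic can be keyed on the SP entityID in one place rather than duplicated per SP.

```javascript
// Constructed sample mapping (hypothetical values): SP entityID -> base DN
// under which that SP's delegated group OUs live.
const SP_BASE_DN = {
  "https://sp1.example.edu/shibboleth": "ou=sp1,ou=groups,dc=example,dc=edu",
  "https://sp2.example.edu/shibboleth": "ou=sp2,ou=groups,dc=example,dc=edu",
};

// Split a DN string into its RDN strings, honouring backslash-escaped commas
// so a value such as "Smith\, John" is not split in two.
function splitDn(dn) {
  const rdns = [];
  let cur = "";
  for (let i = 0; i < dn.length; i++) {
    const c = dn[i];
    if (c === "\\" && i + 1 < dn.length) { cur += c + dn[++i]; continue; }
    if (c === ",") { rdns.push(cur.trim()); cur = ""; continue; }
    cur += c;
  }
  rdns.push(cur.trim());
  return rdns;
}

// Normalise one RDN for comparison: trim around "=" and lower-case both
// sides, since DN matching is case-insensitive for these attribute types.
function normRdn(rdn) {
  const eq = rdn.indexOf("=");
  if (eq < 0) return rdn.toLowerCase();
  return rdn.slice(0, eq).trim().toLowerCase() + "=" +
         rdn.slice(eq + 1).trim().toLowerCase();
}

// True when `dn` lies strictly below `baseDn` (RDN-sequence suffix match).
function isUnder(dn, baseDn) {
  const a = splitDn(dn).map(normRdn);
  const b = splitDn(baseDn).map(normRdn);
  if (a.length <= b.length) return false;
  for (let i = 1; i <= b.length; i++) {
    if (a[a.length - i] !== b[b.length - i]) return false;
  }
  return true;
}

// Leaf OU value of a group DN (its first RDN must be ou=...), else null.
function leafOu(dn) {
  const first = splitDn(dn)[0];
  const eq = first.indexOf("=");
  if (eq < 0 || first.slice(0, eq).trim().toLowerCase() !== "ou") return null;
  return first.slice(eq + 1).trim();
}

// Given the requesting SP's entityID and the group entry DNs fetched for the
// user, return the de-duplicated leaf OUs to release for that SP only.
function groupsToRelease(spEntityId, entryDns) {
  const base = SP_BASE_DN[spEntityId];
  if (!base) return []; // unknown SP: release nothing (fail closed)
  const out = [];
  for (const dn of entryDns) {
    if (!isUnder(dn, base)) continue;
    const ou = leafOu(dn);
    if (ou !== null && !out.includes(ou)) out.push(ou);
  }
  return out;
}

// Constructed sample input: the user's group entry DNs as a connector would
// return them, including the SP's base OU itself (which must not be released).
const SAMPLE_DNS = [
  "ou=admins,ou=sp1,ou=groups,dc=example,dc=edu",
  "OU=Viewers, OU=SP1, ou=groups, dc=example, dc=edu",
  "ou=editors,ou=sp2,ou=groups,dc=example,dc=edu",
  "ou=sp1,ou=groups,dc=example,dc=edu",
];

console.log(groupsToRelease("https://sp1.example.edu/shibboleth", SAMPLE_DNS));
console.log(groupsToRelease("https://sp2.example.edu/shibboleth", SAMPLE_DNS));
```

Two design choices worth noting: an SP with no configured base DN gets an empty list rather than the full group set, and the suffix match is done on parsed RDNs rather than with a string endsWith, so differences in case and whitespace in the DNs returned by the directory do not cause groups to be silently dropped or, worse, matched against the wrong base.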