Get top level value of LDAP property


Daniel Maldonado

Nov 12, 2024, 9:19:42 PM
to cas-...@apereo.org
I would like to get the top level "cn" from my ldap query. The values returned look like:

memberOf=[cn=admins,cn=groups,cn=accounts,dc=mycompany,dc=com,…]

as one of the attributes. I only need the top values: “admins”
and not everything else.

I can not find in the documentation where I can basically return this top level value as a set.

I can do it in my Java app but that would mean a “custom” solution for all my apps.

Am I missing something here?

CAS version: 7.1.1

Ray Bon

Nov 12, 2024, 10:13:05 PM
to cas-...@apereo.org
Daniel,

See PATTERN FORMAT or EXTERNAL SCRIPT at the bottom of https://apereo.github.io/cas/7.1.x/integration/Attribute-Definitions.html


Ray
On Tue, 2024-11-12 at 18:06 -0500, Daniel Maldonado wrote:
--
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.

William Jojo

Nov 12, 2024, 11:24:23 PM
to cas-...@apereo.org
Daniel,

I have the following in my service def as an attribute in allowedAttributes:

      memberOf:
      [
        java.util.ArrayList
        [
          groovy { def groups = attributes['memberOf']; def result = []; for ( cn in groups )  result.add( ( cn =~ /CN=([^,]+),/)[0][1] ) ;  return result; }
        ]
      ]

Hope this helps.

--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG


Daniel Maldonado

Nov 18, 2024, 10:04:15 PM
to cas-...@apereo.org
Thank you for your reply.  Based on your suggestion I used:

OIDC.....json configuration
...
"bypassApprovalPrompt": true,
"supportedGrantTypes": [ "java.util.HashSet", [ "token", "AUTHORIZATION_CODE" ] ],
"supportedResponseTypes": [ "java.util.HashSet", [ "code" ] ],
"scopes" : [ "java.util.HashSet", [ "openid", "profile", "email", "info" ] ],
"attributeReleasePolicy": {
   "@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy",
   "claimMappings" : {
      "@class" : "java.util.TreeMap",
      "name" : "displayName",
      "groups" : '''
         groovy {
            def groups = attributes['memberOf']
            def result = []
            for ( cn in groups ){
                result.add( ( cn =~ /CN=([^,]+), /)[0][1] )
            }
            return result
         }
      ''',
      "email" : "mail"
   }
...

and I am still getting stuff like:  ERROR [org.apereo.cas.util.scripting.ScriptingUtils] - <index is out of range 0..-1 (index = 0)
StringGroovyMethods.java:getAt:1373
null:doMethodInvoke:-1
IndyInterface.java:fromCache:321
Script1.groovy:run:4

and no groups defined.  Can I see more of what you have configured and how?

I feel like I am really close it is just this part that I need to figure out.

King, Robert

Nov 19, 2024, 8:50:25 AM
to cas-...@apereo.org

Hazarding a guess, does your directory return the memberOf attribute? If that value were empty/null, I would expect Groovy to throw the "Index is out of range" exception like you are seeing.


Andrew Marker

Nov 19, 2024, 9:41:18 AM
to cas-...@apereo.org

I haven't modified it to match your use case expressly, and keep in mind: instead of doing this every time I retrieve data from LDAP (performance), I only do it when an SP needs memberships, and I only pass the groups that match their use (least privilege).

import java.util.*

def run(final Object... args) {
    def attributes = args[0]
    def logger = args[1]

    // logger.debug("Current attributes are {}", attributes)

    def groupMemberships = attributes['groupMembership']

    // logger.debug("Current groups are {}", groupMemberships)

    // only keep groups that match groupMemberships
    groupMemberships.retainAll { it.toLowerCase().startsWith('cn=sis-asp') }

    def roles = []
    // for each build custom string that AWS expects
    groupMemberships.each { kuGroup ->
        def (_, role) = (kuGroup =~ /^cn=sis-asp.([^,]*).*/)[0]
        roles.add("sis-asp-${role}")
    }

    return roles
}

The release is essentially:

"attributeReleasePolicy" : {
    "@class" : "org.apereo.cas.services.ReturnMappedAttributeReleasePolicy",
    "allowedAttributes" : {
        "@class" : "java.util.TreeMap",
        "eduPersonPrincipalName" : "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        "urn:oid:1.3.6.1.4.1.5923.1.5.1.1" : "file:/etc/cas/config/scripts/pathlock-roles.groovy"
    }
},



Andrew Marker


Daniel Maldonado

Nov 19, 2024, 9:41:18 AM
to cas-...@apereo.org
After many weeks of working on this in between my other duties I was finally able to resolve the issue I had while retrieving the attributes I needed in the format I needed from the backend server.

Using the example I got from William and Ray I came up with:


"attributeReleasePolicy": {
    "@class": "org.apereo.cas.oidc.claims.OidcProfileScopeAttributeReleasePolicy",
    "claimMappings" : {
        "@class" : "java.util.TreeMap",
        "name" : "displayName",
        "groups" : '''
            groovy {
                def rawAttributes = attributes['memberOf']
                def groups = []
                for ( cn in rawAttributes ){
                    def group = (cn =~ /(?i)^cn=([^,]+),/)
                    if ( group.find() ){
                        groups.add( group.group(1) )
                    }
                }
                return groups
            }
        ''',
        "email" : "mail"
    }
}


I know it is verbose, but this way the next person will be able to understand it right away.

Thank you Ray and William for your help. Get in touch and I will send you some coffee or something.

Dan.
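The following is an added example, not code from anyone in this thread or from the CAS project. It combines the three points raised above into one external Groovy attribute script of the form Andrew uses (`run(final Object... args)` with `args[0]` the attribute map and `args[1]` the logger, referenced from a release policy as `file:/etc/cas/config/scripts/top-cn.groovy`; that path is an assumption): it tolerates a missing or empty memberOf (Robert's guess about the "index is out of range 0..-1" error), matches `cn=` case-insensitively and skips DNs that do not begin with cn (Dan's final `find()` version), handles the LDAP `\,` escape inside a value, and releases only an allowlist of groups (Andrew's least-privilege point). The allowlist and the DNs in `selfCheck()` are constructed sample values.

```groovy
import java.util.regex.Matcher

/**
 * Top-level cn of one DN, or null when the DN does not begin with cn=.
 * The attribute type is matched case-insensitively (cn= vs CN=); the value runs
 * to the first unescaped comma, and LDAP escapes such as "\," are unescaped.
 * The pattern is this example's own, not taken from CAS documentation.
 */
String topCn(Object dn) {
    if (dn == null) return null
    Matcher m = (dn.toString() =~ /(?i)^\s*cn=((?:\\.|[^,\\])+?)\s*(?:,|$)/)
    return m.find() ? m.group(1).replaceAll(/\\(.)/, '$1') : null
}

/** Normalise what CAS hands over: null, a single String, or a Collection of values. */
List<String> asList(Object value) {
    if (value == null) return []
    if (value instanceof Collection) return value.findAll { it != null }.collect { it.toString() }
    return [value.toString()]
}

/**
 * Distinct top-level cns from a memberOf value. Values without a leading cn are
 * dropped rather than thrown on; an allowlist (case-insensitive) restricts what
 * is released, and null releases every extracted cn.
 */
List<String> extractGroups(Object memberOf, Set<String> allowed) {
    List<String> groups = asList(memberOf).collect { topCn(it) }.findAll { it != null }
    if (allowed != null) {
        Set<String> wanted = allowed.collect { it.toLowerCase() } as Set
        groups = groups.findAll { wanted.contains(it.toLowerCase()) }
    }
    return groups.unique()
}

/** Entry point CAS invokes for an external script: args[0] = attributes, args[1] = logger. */
def run(final Object... args) {
    def attributes = args[0]
    def logger = args[1]
    // Constructed allowlist: release only the groups this service actually uses.
    def groups = extractGroups(attributes['memberOf'], ['admins', 'developers'] as Set)
    logger?.debug("Releasing groups {} from memberOf {}", groups, attributes['memberOf'])
    return groups
}

/** Offline check over constructed DNs; true when every case behaves as described above. */
boolean selfCheck() {
    def sample = [
        'cn=admins,cn=groups,cn=accounts,dc=mycompany,dc=com',   // shape from the thread
        'CN=Developers,OU=Groups,DC=example,DC=org',             // upper-case CN
        'cn=Smith\\, John,ou=people,dc=example,dc=org',          // escaped comma in the value
        'uid=someone,ou=people,dc=example,dc=org'                // no leading cn: ignored
    ]
    def all = extractGroups(sample, null)
    def filtered = run(['memberOf': sample], null)
    return all == ['admins', 'Developers', 'Smith, John'] &&
           filtered == ['admins', 'Developers'] &&
           run(['memberOf': null], null) == [] &&   // empty/null memberOf no longer throws
           run([:], null) == []                     // attribute absent entirely
}
```

To exercise it outside CAS, load the file with the Groovy shell and call the check, e.g. `def s = new GroovyShell().parse(new File('top-cn.groovy')); assert s.selfCheck()`. The difference from the `[0][1]` one-liner is that a Matcher is only indexed after `find()` succeeds, so a value that does not match the pattern is skipped instead of raising the range exception, and an absent attribute yields an empty list.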
