* joe.young <joe....@orecity.k12.or.us> [2016-08-04 23:40]:
> This is close. What does 'group' mean? I want to specify the OU of
> allowed users.
From 1.3 "Attribute Rule":
https://simplesamlphp.org/docs/stable/authorize:authorize
"Each additional filter configuration option is considered an
attribute matching rule. For each attribute, you can specify a
string or array of strings to match. If one of those attributes
match one of the rules (OR operator), the user is
authorized/unauthorized (depending on the deny config option)."
So "group" in the third example is the literal attribute name you'd
compare/restrict values for. I.e., for this to work in the simplest
case you'd need an attribute available (looked up from LDAP) with the
value to compare/restrict.
From your example I'm assuming you want to authorize based on group
membership?
> 'authproc.sp' => array(
>     60 => array(
>         'class' => 'authorize:Authorize',
>         'regex' => FALSE,
>         'group' => array(
>             'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
>             'CN=All Teachers,OU=Staff,DC=example,DC=edu',
>         )
>     )
So there are several ways to deal with this, all depending on your
LDAP implementation and configuration.
In case the LDAP server stores (or "mirrors") group memberships in
the person's object (memberOf attribute, isMemberOf attribute,
something like that), that's the attribute you'd look up from LDAP and
put into your config (instead of "group" above). If you know it's
available in LDAP but not shown in SimpleSAMLphp that may be because
it's an operational attribute and those are only returned from the
LDAP DSA when explicitly asked for them. ('attributes' parameter in
the ldap:LDAP authsource, check the documentation.)
For example with OpenLDAP that's possible using the memberOf overlay.
Other LDAP implementations may have comparable methods; you'd need to
be specific about your LDAP DSA.
For MS-AD (some or all) groups should be available in the 'memberOf'
attribute (but may be missing the user's primary group, from what one
can read on the net).
Also for MS-AD it may make a difference what port you query,
cf. "standard port" vs. "global catalog" at
https://wiki.shibboleth.net/confluence/display/SHIB2/LdapServerIssues#LdapServerIssues-MicrosoftActiveDirectory
In case you don't have group memberships stored (or reflected) in the
person's object, but your LDAP DSA supports at least the entryDN
operational attribute (something you can verify with a simple LDAP
search, e.g. using the ldapsearch command line tool), you can use
Macro's recipe posted to this list only *yesterday* (thread "Using
Group Authorization with OpenLDAP").
Following that method you'd first dynamically create an attribute
within SimpleSAMLphp based on an LDAP search for a person's group
memberships, then reference that attribute in the authorize:Authorize
authproc filter above.
-peter
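As an added example (not code from Peter, Joe or the SimpleSAMLphp docs), here is the memberOf variant described above written out as authsources.php and config.php fragments: the ldap:LDAP authsource asks for the operational attribute by name, and the authorize:Authorize filter then matches on 'memberOf' instead of 'group'. Hostname, base DN, service account DN, password and the SP's login attribute are placeholders.

```php
<?php
// config/authsources.php (added example, placeholders marked)
$config = array(
    'example-ldap' => array(
        'ldap:LDAP',
        'hostname'          => 'ldaps://ldap.example.edu',            // placeholder
        'enable_tls'        => false,                                 // already LDAPS
        'search.enable'     => true,
        'search.base'       => 'DC=example,DC=edu',                   // placeholder
        'search.attributes' => array('sAMAccountName'),               // login attribute, placeholder
        'search.username'   => 'CN=svc-ssp,OU=Service,DC=example,DC=edu', // placeholder
        'search.password'   => 'CHANGE-ME',                           // placeholder
        // memberOf is operational on many DSAs and is only returned when
        // requested explicitly, so do not leave this as null ("all attributes").
        'attributes'        => array('cn', 'mail', 'memberOf'),
    ),
);

// config/config.php: the rule key is the attribute name as delivered by
// LDAP ('memberOf'), not the word 'group'. Values are compared literally.
$config['authproc.sp'] = array(
    60 => array(
        'class'    => 'authorize:Authorize',
        'deny'     => false,   // matching users are allowed, everyone else rejected
        'regex'    => false,   // exact string comparison of the group DNs
        'memberOf' => array(
            'CN=SimpleSAML Students,CN=Users,DC=example,DC=edu',
            'CN=All Teachers,OU=Staff,DC=example,DC=edu',
        ),
    ),
);

// Variant for "allow by OU": with 'regex' => true each value is a PCRE
// pattern, so any group whose DN sits directly under OU=Staff matches.
// Anchor on the suffix so a similarly named OU elsewhere does not match.
$staffOnly = array(
    'class'    => 'authorize:Authorize',
    'regex'    => true,
    'memberOf' => array('/,OU=Staff,DC=example,DC=edu$/i'),
);
```

Either filter only works if the attribute actually arrives from the authsource, so verify with an ldapsearch that explicitly requests memberOf before debugging the filter.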