where do I put my ldap:AttributeAddFromLDAP ?


Remy Blom

Dec 21, 2016, 6:28:34 AM
to SimpleSAMLphp
I have SimpleSAML setup as IdP with two LDAP's. (Authentication works fine with both) One LDAP is used organisation wide for a lot of services and contains all our employees and students. The other is used for a couple of websites containing additional info on some of the employees and students and also any external users (partners, etc) can be registered in this LDAP when needed.

So when a student or employee logs on using the first LDAP I want to get some extra parameters from the second LDAP. But the documentation is quite unclear on WHERE I should include the config for ldap:AttributeAddFromLDAP

Wherever I put it, I don't see any calls being made to the second LDAP in my debug logfile. Any help would be appreciated! Thanx!

I use version 1.14.11 and this is in my authsources.php:

    'ldap1' => array(
        'ldap:LDAP',
        'hostname' => 'ldap1.example.com',
        'debug' => true,
        'enable_tls' => false,
        'attributes' => array('uid','sn','cn','givenName','mail'),
        'search.enable' => true,
        'search.base' => 'ou=people,dc=hku,dc=nl',
        'search.attributes' => array('mail'),

        'authproc' => array(
            50 => array(
                'class' => 'ldap:AttributeAddFromLDAP',
                'authsource' => 'ldap2',
                'attributes' => array('extra'),
                'search.filter' => '(mail=%mail%)'
            )
        ),
    ),

    'ldap2' => array(
        'ldap:LDAP',
        'hostname' => 'ldap2.example.com',
        'enable_tls' => false,
        'attributes' => array('uid', 'sn', 'cn', 'givenName', 'mail', 'extra'),
        'search.enable' => true,
        'search.base' => 'ou=people,dc=hku,dc=nl',
        'search.attributes' => array('mail')
    )


Remy Blom

Dec 21, 2016, 6:55:10 AM
to SimpleSAMLphp
A little extra information: I use the 'Test authentication sources' tab to test using ldap1...

Tim van Dijen

Dec 21, 2016, 7:22:59 AM
to SimpleSAMLphp


Hello Remy,

I think you should put this
in saml20-idp-hosted.php:

         
'authproc' => array(
             
50 => array(
                 
'class' => 'ldap:AttributeAddFromLDAP',
                 
'authsource' => 'ldap2',
                 
'attributes' => array('extra'),
                 
'search.filter' => '(mail=%mail%)'
             
)
         
),


  

The extra attributes are probably not gonna show up when you use the 'test authentication sources'-tab... That will just test an authentication source.. What you need is a test-SP.
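Tim's suggestion as a complete metadata entry (an added example, not code from the thread or from the SimpleSAMLphp project): the filter lives in metadata/saml20-idp-hosted.php, while 'ldap1' and 'ldap2' stay defined in config/authsources.php as in the original post. The host, key and certificate file names are placeholders.

```php
<?php
// Added example: metadata/saml20-idp-hosted.php for the IdP described in the
// thread. The ldap:AttributeAddFromLDAP filter is placed here rather than in
// authsources.php, where the thread found it is not honoured for an IdP.
$metadata['__DYNAMIC:1__'] = array(
    // Which virtual host this entry serves; '__DEFAULT__' matches any host.
    'host' => '__DEFAULT__',

    // Key pair used to sign assertions (placeholder file names in cert/).
    'privatekey'  => 'idp.example.org.pem',
    'certificate' => 'idp.example.org.crt',

    // Users authenticate against the organisation-wide directory, which is
    // the 'ldap1' entry in config/authsources.php.
    'auth' => 'ldap1',

    // Authentication processing filters run after a successful login and
    // before the assertion is built; lower keys run first.
    'authproc' => array(
        // Look the user up in the second directory ('ldap2' in
        // authsources.php) by the mail attribute ldap1 returned, and add the
        // 'extra' attribute to the attribute set sent to the SP.
        50 => array(
            'class'         => 'ldap:AttributeAddFromLDAP',
            'authsource'    => 'ldap2',
            'attributes'    => array('extra'),
            'search.filter' => '(mail=%mail%)',
        ),
    ),
);
```

Because the filter only runs inside an SSO flow, verify it by logging in through a test SP and inspecting the released attributes, not via the 'Test authentication sources' tab. Note that the thread's 'ldap2' entry has 'enable_tls' => false, so the service bind and the search travel in clear text; enable TLS (or use ldaps) for that connection in production.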
 

Peter Schober

Dec 21, 2016, 2:27:11 PM
to SimpleSAMLphp
* Remy Blom <doe...@gmail.com> [2016-12-21 12:28]:
> But the documentation is quite unclear on WHERE I should include the
> config for ldap:AttributeAddFromLDAP

According to the documentation you can put authproc filters into the SP
metadata, into the IDP metadata, into authsources or SSP's main config.php:
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc#section_1
HTH,
-peter

Remy Blom

Dec 22, 2016, 7:33:33 AM
to SimpleSAMLphp

The extra attributes are probably not gonna show up when you use the 'test authentication sources'-tab... That will just test an authentication source.. What you need is a test-SP.

I moved it to saml20-idp-hosted and I configured a test-SP and indeed I get some AttributeAddFromLDAP logging now..... Will investigate further
 THANX!

Remy Blom

Dec 22, 2016, 7:49:55 AM
to SimpleSAMLphp, peter....@univie.ac.at


On Wednesday, December 21, 2016 at 8:27:11 PM UTC+1, Peter Schober wrote:
According to the documentation you can put authproc filters into the SP
metadata, into the IDP metadata, into authsources or SSP's main config.php:
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc#section_1
HTH,
-peter


Thanx for that link.. I was reading https://simplesamlphp.org/docs/stable/ldap:ldap#section_2 which only showed the 50 => etc.etc... example. Which was kind of puzzling to me as a beginner =]
saml20-idp-hosted is probably the best place to put it as putting it in authsources is not supported for IdP's.

I do have AttributeAddFromLDAP logging some stuff now, but still no extra attributes. No logging indicates the ldap2 is actually being called. Although I am sure the config for ldap2 is okay, I can use it to log in (in the test page). I am adding some extra debugging to AttributeAddFromLDAP, see what happens....

At least I got my question answered. THANX!

Remy Blom

Dec 23, 2016, 4:21:00 AM
to SimpleSAMLphp
Just to wrap up: In the end I found that the second ldap was never called upon due to a bug in BaseFilter.php. Exceptions were thrown but never ended up in the log due to the silent fail in AttributesAddFromLDAP. I fixed both issues in pull request #539