Authproc filter cannot access DN attribute


Palle Girgensohn

May 7, 2018, 3:36:22 AM
to SimpleSAMLphp
I am trying to set up an eduPersonAffiliation attribute based on the DN, so if a user's DN is uid=foo,ou=staff,dc=example,dc=com, the affiliation should be st...@example.com.

Problem is I cannot get DN from my OpenLDAP. It is not part of the $attributes vector so an authproc filter does not see the DN.

in authsources.php:

...
        'xx-ldap' => array(
                'ldap:LDAP',
                'hostname' => 'ldap1.example.com',
                'enable_tls' => TRUE,
                'attributes' => array('uid', 'givenName', 'sn', 'mail', 'dn'),
                'dnpattern' => 'uid=%username%,ou=staff,dc=example,dc=com',

...

May  7 09:15:22 idp2 simplesamlphp[4679]: 7 [8b6d57a04f] Library - LDAP getAttributes(): Getting 'uid,givenName,sn,mail,dn' from DN 'uid=foo,ou=staff,dc=pingpong,dc=net'
May  7 09:15:22 idp2 simplesamlphp[4679]: 7 [8b6d57a04f] Library - LDAP getAttributes(): Found attributes '(uid,sn,givenName,mail)'

This seems to be how the php ldap module is designed. There is a separate ldap_get_dn method that cannot be reached from the authprocs [http://php.net/manual/en/function.ldap-get-dn.php].

Is this not doable? I found a reference about how to do this at [https://safire.ac.za/technical/resources/generating-edupersonaffiliation/] so it seems someone has succeeded in doing this? Any suggestions?

Palle

Peter Schober

May 7, 2018, 5:56:56 AM
to SimpleSAMLphp
* Palle Girgensohn <gir...@pingpong.se> [2018-05-07 09:36]:
> Problem is I cannot get DN from my OpenLDAP. It is not part of the
> $attributes vector so an authproc filter does not see the DN.

The Distibuished Name of an LDAP object is not an attribute of said
object itself.

OpenLDAP (and other implementations) may expose it that way, though,
in the operational attribute "entryDN".

As with other operational attributes the LDAP DSA will only return
this when explicitly asked for it, though.

-peter

Peter Schober

May 7, 2018, 6:00:03 AM
to SimpleSAMLphp
* Peter Schober <peter....@univie.ac.at> [2018-05-07 11:56]:
> * Palle Girgensohn <gir...@pingpong.se> [2018-05-07 09:36]:
> > Problem is I cannot get DN from my OpenLDAP. It is not part of the
> > $attributes vector so an authproc filter does not see the DN.
>
> The Distibuished Name of an LDAP object is not an attribute of said
> object itself.

Whatever twisted my fingers there, that should have been
"Distinguished Name", sry.
-peter

Palle Girgensohn

May 7, 2018, 9:27:09 PM
to SimpleSAMLphp
Ah excellent. Actually `entryDN` worked for me, but not `Distinguished Name`.

This did the trick:

in authsources.php:

...
                'attributes' => array('uid', 'givenName', 'sn', 'mail', 'entryDN'),
...

in metadata/saml20-idp-hosted.php:

                40 => array(
                        'class' => 'core:AttributeAlter',
                        'subject' => 'entryDN',
                        'pattern' => '/ou=Users/',
                        'replacement' => 'st...@example.com',
                        'target' => 'eduPersonScopedAffiliation',
                        '%replace',
                ),

Thanks!

Palle
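As an added illustration (not code from this thread, from SimpleSAMLphp, or from the SAFIRE page Palle links): the same derivation the core:AttributeAlter rule performs, written as plain PHP over the $attributes array an authproc receives, so the matching logic can be read and tried on its own. The branch names, the scope example.com and the sample DNs are constructed; the one deliberate difference from the rule above is that the DN pattern is anchored to the branch instead of being a bare substring match.

```php
<?php
// Added example, not part of the thread or of SimpleSAMLphp.
// Derives eduPersonScopedAffiliation from the entryDN operational
// attribute that the LDAP auth source returns when it is listed
// explicitly under 'attributes' (it is never returned unasked).

/**
 * Map a DN to a scoped affiliation, or null when the DN is not in a
 * known branch. $branches maps an anchored regex to an affiliation.
 *
 * Anchoring matters: a bare /ou=staff/ also matches
 * uid=old,ou=staff,ou=former,dc=example,dc=com, while the anchored
 * form only matches objects directly under the staff OU. The leaf
 * RDN is matched with [^,]+, so a value with an escaped comma (\,)
 * simply fails to match and yields no affiliation, which is the
 * safe direction. Attribute types in a DN are case-insensitive,
 * hence the /i flag.
 */
function affiliationFromDn(string $dn, array $branches, string $scope): ?string
{
    foreach ($branches as $pattern => $affiliation) {
        if (preg_match($pattern, $dn) === 1) {
            return $affiliation . '@' . $scope;
        }
    }
    return null;
}

/**
 * The authproc-style step: adds eduPersonScopedAffiliation to the
 * attribute array when entryDN is present and in a known branch;
 * otherwise leaves the array untouched rather than guessing.
 */
function addScopedAffiliation(array $attributes, array $branches, string $scope): array
{
    if (empty($attributes['entryDN'][0])) {
        // entryDN was not requested from the DSA, nothing to derive from.
        return $attributes;
    }
    $affiliation = affiliationFromDn($attributes['entryDN'][0], $branches, $scope);
    if ($affiliation !== null) {
        $attributes['eduPersonScopedAffiliation'] = [$affiliation];
    }
    return $attributes;
}

// Constructed branch table: one RDN, then the exact branch, then the
// base DN, anchored at both ends.
$branches = [
    '/^[^,]+,ou=staff,dc=example,dc=com$/i'    => 'staff',
    '/^[^,]+,ou=students,dc=example,dc=com$/i' => 'student',
];

// Constructed samples of what the LDAP auth source hands to authprocs.
$samples = [
    ['uid' => ['foo'],  'entryDN' => ['uid=foo,ou=staff,dc=example,dc=com']],
    ['uid' => ['bar'],  'entryDN' => ['uid=bar,ou=students,dc=example,dc=com']],
    // Former staff parked under ou=former: an unanchored /ou=staff/
    // would still call this person staff, the anchored pattern does not.
    ['uid' => ['old'],  'entryDN' => ['uid=old,ou=staff,ou=former,dc=example,dc=com']],
    // entryDN missing because it was not listed in 'attributes'.
    ['uid' => ['nodn']],
];

foreach ($samples as $attrs) {
    $out = addScopedAffiliation($attrs, $branches, 'example.com');
    printf("%-5s -> %s\n", $attrs['uid'][0],
        $out['eduPersonScopedAffiliation'][0] ?? '(no affiliation set)');
}
```

Run it with `php` from the command line; only the two DNs directly under ou=staff and ou=students get an affiliation. In the real AttributeAlter rule the same effect comes from anchoring the 'pattern' value, and from ordering the rules so that the most specific branch is tested first.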
