[Shib-Users] Attribute definition based on RegExp


jehan procaccia

Oct 22, 2009, 8:21:40 AM
to shibbole...@internet2.edu
Hello, on my 1.X IdP I used to create an attribute value based on one part of the DN branch, in resolver.xml:

<RegExAttributeDefinition id="urn:mace:dir:attribute-def:employeeType" sourceName="dn" regex=".*,ou=([^,]*)s,dc=people,dc=mysite,dc=fr" replacement="$1">
    <DataConnectorDependency requires="tl1AD"/>
</RegExAttributeDefinition>

If dn is "uid=login,ou=permanents,dc=people,dc=mysite,dc=fr",
then employeeType is "permanents".
That was documented at https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition

Now I am trying to integrate that definition in my 2.1.4 IDP attribute-resolver.xml:

</resolver:AttributeDefinition>
<!-- https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition  -->
<RegExAttributeDefinition id="urn:mace:dir:attribute-def:employeeType" sourceName="dn" regex=".*,ou=([^,]*)s,dc=prof,dc=enic,dc=fr" replacement="$1">
    <DataConnectorDependency requires="tl1AD"/>
</RegExAttributeDefinition>
<!-- ========================================== -->
<!--      Data Connectors                       -->

I suppose I misplaced that definition in the file, or the definition syntax has changed, or I missed something else?
When I start my IdP with that config, I get:

14:11:23.510 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components.  The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'RegExAttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector, "urn:mace:shibboleth:2.0:resolver":PrincipalConnector}' is expected.

Could someone give me an example or a pointer to a doc on how to do that in 2.X?
Thanks.

Chad La Joie

Oct 22, 2009, 8:24:45 AM
to shibboleth Users
https://spaces.internet2.edu/display/SHIB2/Home

jehan procaccia wrote:
> Could someone give me an example or a pointer to a doc on how to do that
> in 2.X ?

--
SWITCH
Serving Swiss Universities
--------------------------
Chad La Joie, Software Engineer, Net Services
Werdstrasse 2, P.O. Box, 8021 Zürich, Switzerland
phone +41 44 268 15 75, fax +41 44 268 15 68
chad....@switch.ch, http://www.switch.ch

jehan procaccia

Oct 22, 2009, 8:38:43 AM
to shibbole...@internet2.edu
OK, then the doc I followed is up to date!
https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition

Again, regarding the error I get:

14:11:23.510 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.2.4.a: Invalid content was found starting with element 'RegExAttributeDefinition'. One of '{"urn:mace:shibboleth:2.0:resolver":AttributeDefinition, "urn:mace:shibboleth:2.0:resolver":DataConnector, "urn:mace:shibboleth:2.0:resolver":PrincipalConnector}' is expected.

I suppose I misplaced that definition in the file attribute-resolver.xml? Or I missed a tag definition; maybe it should be placed in a
<resolver:AttributeDefinition .... what type here ....? >
</resolver:AttributeDefinition>
or a
<resolver:PrincipalConnector ?

https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition
doesn't tell us a lot about where to set that RegExpAttributeDefinition!?
I am not even sure that it is in the file attribute-resolver.xml.
Thanks.

Chad La Joie

Oct 22, 2009, 8:43:59 AM
to Shibboleth Users
No, that doc you gave is for IdP 1.3, not 2.X. The link to the doc I
sent you is the Shib 2 documentation site. Did you follow some path
from the link I sent you to the link you just gave? If so what was it?
It needs to be fixed.


jehan procaccia

Oct 22, 2009, 9:19:42 AM
to shibbole...@internet2.edu
From https://spaces.internet2.edu/display/SHIB2/Home I typed
RegExpAttributeDefinition in the search form in the upper right corner,
then it found that one:
https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition
apparently for 1.3 :-(

Staying in the ../SHIB2/... docs I found:
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute#IdPAddAttribute-AttributeDefinition

and regarding RegExp I only found
https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition
but it doesn't treat my RegExpAttributeDefinition need.
Isn't it documented yet for 2.X?
Any clues?

Thanks.

Chad La Joie

Oct 22, 2009, 9:27:31 AM
to Shibboleth Users

jehan procaccia wrote:
> From https://spaces.internet2.edu/display/SHIB2/Home I typed
> RegExpAttributeDefinition in the search form on the upper right corner
> then it found that one
> https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition
> apparently for 1.3 :-(

That search searches the entire confluence system which includes the
shib 1 and shib 2 docs. I don't know of any way to limit the search to
just the particular wiki you're in, though that would be nice.

> staying in ../SHIB2/... docs I found:
> https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute#IdPAddAttribute-AttributeDefinition
>
>
> and regarding RegExp I only found
> https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition
>
> but it doesn't treat my RegExpAttributeDefinition need .
> isn't it documented yet for 2.X ?
> any clues ?

That RegexSplit attribute definition is the 2.X version of the 1.3
RegExpAttributeDefinition and, I think, should work with the same
regular expression, they both used 1.5 expression I believe. The
element RegExpAttributeDefinition however is NOT compatible with 2.X.
2.X has a new configuration syntax which the documentation you linked
to, above, gives you.

Michael A. Grady

Oct 22, 2009, 9:40:52 AM
to shibbole...@internet2.edu

On Oct 22, 2009, at 8:27 AM, Chad La Joie wrote:

>
>
> jehan procaccia wrote:
>> From https://spaces.internet2.edu/display/SHIB2/Home I typed
>> RegExpAttributeDefinition in the search form on the upper right
>> corner
>> then it found that one
>> https://spaces.internet2.edu/display/SHIB/RegExpAttributeDefinition
>> apparently for 1.3 :-(
>
> That search searches the entire confluence system which includes
> the shib 1 and shib 2 docs. I don't know of any way to limit the
> search to just the particular wiki you're in, though that would be
> nice.

After you do the initial search and end up on a Search Results page,
you can limit the Spaces that are searched for the term(s) by using
the "Where" options on the right side of the page. Of course, that
also requires you understand the concept of the Spaces in Confluence.
Never figured out a way to limit the initial search to just one Space.


--
Michael A. Grady
Executive Program Officer for Cyberinfrastructure
Office of the CIO, University of Illinois at Urbana-Champaign
2222 DCL, MC 256, 1304 W. Springfield Ave., Urbana, IL 61801
217.244.1253 phone, 217.244.4780 fax

jehan procaccia

Oct 22, 2009, 9:42:52 AM
to shibbole...@internet2.edu
On 10/22/2009 03:27 PM, Chad La Joie wrote:
>> staying in ../SHIB2/... docs I found:
>> https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute#IdPAddAttribute-AttributeDefinition
>>
>>
>> and regarding RegExp I only found
>> https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition
>>
>> but it doesn't treat my RegExpAttributeDefinition need .
>> isn't it documented yet for 2.X ?
>> any clues ?
>
> That RegexSplit attribute definition is the 2.X version of the 1.3
> RegExpAttributeDefinition and, I think, should work with the same
> regular expression, they both used 1.5 expression I believe. The
> element RegExpAttributeDefinition however is NOT compatible with 2.X.
> 2.X has a new configuration syntax which the documentation you linked
> to, above, gives you.
>
OK, then I follow
https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition

<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="urn:mace:dir:attribute-def:employeeType"
                              sourceAttributeID="dn"
                              regex=".*,ou=([^,]*)s,dc=people,dc=mysite,dc=fr" replacement="$1">
</resolver:AttributeDefinition>

but idp-process.log now complains at startup with:

15:33:44.659 - ERROR [edu.internet2.middleware.shibboleth.common.config.BaseService:187] - Configuration was not loaded for shibboleth.AttributeResolver service, error creating components. The root cause of this error was: org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute 'replacement' is not allowed to appear in element 'resolver:AttributeDefinition'.

In 1.3 the example was:

<RegExAttributeDefinition
id="urn:mace:dir:attribute-def:eduPersonAffiliation"
sourceName="eduPersonAffiliation"
regex=".*STAFF.*"
replacement="staff"
ignoreCase="true">
<DataConnectorDependency requires="directory"/>
</RegExAttributeDefinition>

So I suppose type="RegexSplit" is not as similar to RegExAttributeDefinition as we thought!?
Has anyone done that for 2.X? Replace/rewrite an attribute name based on a regexp match?

Brent Putman

Oct 22, 2009, 4:13:43 PM
to jehan.p...@it-sudparis.eu, shibbole...@internet2.edu

jehan procaccia wrote:
>
>
> 15:33:44.659 - ERROR
> [edu.internet2.middleware.shibboleth.common.config.BaseService:187] -
> Configuration was not loaded for shibboleth.AttributeResolver service,
> error creating components. The root cause of this error was:
> org.xml.sax.SAXParseException: cvc-complex-type.3.2.2: Attribute
> 'replacement' is not allowed to appear in element
> 'resolver:AttributeDefinition'.
>

Right, that 'replacement' attribute isn't valid on the 2.x RegexSplit
attribute definition element.


> in 1.3 exemple was
>
> <RegExAttributeDefinition
> id="urn:mace:dir:attribute-def:eduPersonAffiliation"
> sourceName="eduPersonAffiliation"
> regex=".*STAFF.*"
> replacement="staff"
> ignoreCase="true">
> <DataConnectorDependency requires="directory"/>
> </RegExAttributeDefinition>
>
> so I suppose type="RegexSplit" is not as similar I we tough as
> RegExAttributeDefinition !?
> anyone did that for 2.X ? replace/rewrite an attribute name base on a
> regexp match ?


The 2.x RegexSplit is a bit different than the 1.x
RegExAttributeDefinition. It doesn't allow you to specify the
replacement; instead, as stated in the docs:
> regex: A Java 5 regular expression used to split the value(s) of the
> source attribute. *The first match group is used as the value for this
> attribute.*

So more or less the regex's value of "$1" gets used as the attribute
value. I believe that should allow you to easily implement the case
you originally asked about, by simply having the string you care about
be the first match group.

See also the Mapped attribute definition, which uses regexes to allow
mapping of values. You could implement your use case this way as well,
especially if the values you want to produce are part of a controlled vocabulary.

https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition


--Brent

jehan procaccia

Oct 23, 2009, 6:25:24 AM
to shibbole...@internet2.edu, Brent Putman
On 10/22/2009 10:13 PM, Brent Putman wrote:
>> regex: A Java 5 regular expression used to split the value(s) of the
>> source attribute. *The first match group is used as the value for this
>> attribute.*
>
> So more or less the regex's value of "$1" gets used as the attribute
> value. I believe that should allow you to easily implement the case
> you originally asked about, by simply having the string you care about
> be the first match group.
>
> See also the Mapped attribute definition, which uses regexes to allow
> mapping of values. You could implement your use case this way as well,
> especially if the values you want to produce are part of a controlled vocabulary.
>
> https://spaces.internet2.edu/display/SHIB2/ResolverMappedAttributeDefinition
>
> --Brent

OK, thanks for that 2nd doc/example (ResolverMappedAttributeDefinition).

I tried that one. Remember, my objective is to retrieve the value "permanents" from the DN, so here's what I did:

<resolver:AttributeDefinition xsi:type="Mapped" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="StatusTL1"
                              sourceAttributeID="distinguishedName">
     <resolver:Dependency ref="tl1AD" />
     <DefaultValue>affiliate</DefaultValue>
     <ValueMap>
         <ReturnValue>permanents</ReturnValue>
         <SourceValue>CN=shib-tl1-int,ou=permanents,dc=people,dc=mysite,dc=fr</SourceValue>
     </ValueMap>
</resolver:AttributeDefinition>

Judging from the logs, it seems to fetch one value ("StatusTL1 containing 1 values"), but I can't read/see it, neither in the logs nor in the test SP https://services-federation.renater.fr/test/ressource/Shibboleth.sso/Session:

Miscellaneous
Client Address: 157.159.50.197
Identity Provider: https://idp.telecom-lille1.eu/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:1.1:protocol
Authentication Time: 2009-10-23T09:50:40.252Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 480 minute(s)

Attributes
displayName: shib-tl1-int
mail: test...@telecom-lille1.eu
sn: shib-tl1-int
uid: shib-tl1-int
idp-process.log regarding the StatusTL1 attribute:

11:40:56.775 - INFO [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:54] - Parsing configuration for AttributeDefinition plugin with ID: StatusTL1
11:40:56.775 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.AbstractResolutionPlugInBeanDefinitionParser:60] - Setting the following attribute definition dependencies for plugin StatusTL1: [tl1AD]
11:40:56.776 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.BaseAttributeDefinitionBeanDefinitionParser:57] - Setting source attribute ID for attribute definition StatusTL1 to: distinguishedName
11:40:56.776 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.BaseAttributeDefinitionBeanDefinitionParser:81] - Attribute definition StatusTL1 produces attributes that are only dependencies: false
11:40:56.779 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.MappedAttributeDefinitionBeanDefinitionParser:80] - Attribute definition StatusTL1 default value: affiliate
11:40:56.780 - DEBUG [edu.internet2.middleware.shibboleth.common.config.attribute.resolver.attributeDefinition.MappedAttributeDefinitionBeanDefinitionParser:89] - Attribute definition StatusTL1 uses default value pass thru: false
...
11:43:02.718 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285] - Resolving attribute StatusTL1 for principal shib-tl1-int
11:43:02.719 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:83] - Attempting to map attribute value 'CN=shib-tl1-int,OU=permanents,DC=people,DC=mysite,DC=fr'
11:43:02.719 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.ValueMap:98] - Performing regular expression based comparison
11:43:02.720 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute StatusTL1 containing 1 values
...
11:43:02.726 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:136] - shibboleth.AttributeResolver resolved, for principal shib-tl1-int, the attributes: [uid, commonName, StatusTL1, email, transientId, surname, displayName]
...
11:43:02.732 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:156] - Processing permit value rule for attribute StatusTL1 for principal shib-tl1-int
11:43:02.733 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Filtered attributes for principal shib-tl1-int.  The following attributes remain: [uid, StatusTL1, email, transientId, surname, displayName]
...
11:43:02.884 - INFO [Shibboleth-Audit:714] - 20091023T094302Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://services-federation.renater.fr/test/ressource|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.telecom-lille1.eu/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_04cecdf24e43898cc218a7446a470138|shib-tl1-int|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,StatusTL1,email,transientId,surname,displayName,|_cb120419284c33e9ec39211dd099e3c3|_93de1b97a17bcdf31965fc61acc54db2,|

How can I see that "StatusTL1 containing 1 values"!?


Back to the original ResolverRegexSplitAttributeDefinition, here's how I corrected it:

<!-- https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition -->

<resolver:AttributeDefinition xsi:type="RegexSplit" xmlns="urn:mace:shibboleth:2.0:resolver:ad"
                              id="employeeType"
                              sourceAttributeID="distinguishedName"
                              regex=".*,ou=permanents,dc=people,dc=mysite,dc=fr">
    <resolver:Dependency ref="tl1AD" />
    <!-- Remaining configuration from the next step goes here -->
</resolver:AttributeDefinition>

But it ends with "It contains no values" :-(

11:43:02.724 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.attributeDefinition.RegexSplitAttributeDefinition:72] - Value CN=Shib-tl1-int,OU=permanents,DC=people,DC=mysite,DC=fr did not result in any values when split by regular expression .*,ou=([^,]*)s,dc=people,dc=mysite,dc=fr
11:43:02.724 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute urn:mace:dir:attribute-def:employeeType containing 0 values
11:43:02.725 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:417] - Removing attribute organizationalUnit from resolution result for principal shib-tl1-int.  It contains no values.

I must admit that I'm not fluent in regular expressions; perhaps I misinterpreted
http://java.sun.com/j2se/1.5.0/docs/api/java/util/regex/Pattern.html

If you see something wrong, please let me know.

Regards.

Chad La Joie

Oct 23, 2009, 6:44:20 AM
to Shibboleth Users
You don't have a grouping in your regex. You need to surround something
with () which is what the value of the attribute will be. So, if you're
looking to get the string "permanents" you want something like the regex
".*,ou=(permanents),dc=people,dc=mysite,dc=fr"

jehan procaccia wrote:
> <!--
> https://spaces.internet2.edu/display/SHIB2/ResolverRegexSplitAttributeDefinition
> -->
> <resolver:AttributeDefinition xsi:type="RegexSplit"
> xmlns="urn:mace:shibboleth:2.0:resolver:ad"
> id="employeeType"
> sourceAttributeID="distinguishedName"
>
> regex=".*,ou=permanents,dc=people,dc=mysite,dc=fr">
> <resolver:Dependency ref="tl1AD" />
> <!-- Remaining configuration from the next step goes here -->
>
> </resolver:AttributeDefinition>
>
> but it ends with "It contains no values" :-(

> I must admit that I'am not fluent in regular exepression, perhaps I
> mis-interpretated
> http://java.sun.com/j2se/1.5.0/docs/api/java/util/regex/Pattern.html
>
> If you see something wrong, please let me know .
>
> regards .


jehan procaccia

Oct 23, 2009, 7:05:00 AM
to shibbole...@internet2.edu
Great, good hint... now it finds one value. It is also case sensitive... I had to replace dc by DC and ou by OU:
regex=".*,OU=(permanents),DC=people,DC=mysite,DC=fr">

12:53:22.271 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307] - Resolved attribute employeeType containing 1 values
...
12:53:22.286 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.filtering.provider.ShibbolethAttributeFilteringEngine:106] - Filtered attributes for principal shib-tl1-int.  The following attributes remain: [uid, employeeType, StatusTL1, email, transientId, surname, displayName]
...
12:53:22.438 - INFO [Shibboleth-Audit:714] - 20091023T105322Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://services-federation.renater.fr/test/ressource|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.telecom-lille1.eu/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_1db30773d06c423d68182635fe76e887|shib-tl1-int|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,employeeType,StatusTL1,email,transientId,surname,displayName,|_35a1bd41859c66f0c538449d5b34d693|_507027cb3574c015f69fb324ae05128b,|

However, the Renater test SP doesn't show me the resulting value :-(

Miscellaneous
Client Address: 157.159.50.197
Identity Provider: https://idp.telecom-lille1.eu/idp/shibboleth
SSO Protocol: urn:oasis:names:tc:SAML:1.1:protocol
Authentication Time: 2009-10-23T10:58:20.657Z
Authentication Context Class: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Authentication Context Decl: (none)
Session Expiration (barring inactivity): 480 minute(s)

Attributes
displayName: Shib-tl1-int
mail: shib...@telecom-lille1.eu
sn: Shib-tl1-int
uid: Shib-tl1-int
I don't think it's a filter problem, as the idp-process.log indicates that it sends the attributes:
PasswordProtectedTransport|uid,employeeType,StatusTL1,email,transientId,surname,displayName,|

Perhaps it's a Renater test SP filter? I'll ask them, or maybe I should create an SP myself (Apache mod_shib) to see what happens...
Can I be sure now that the problem is on the SP side? Is there a test Perl/PHP Apache mod_shib page to check all attributes received?

Thanks.

Chad La Joie

Oct 23, 2009, 7:09:08 AM
to Shibboleth Users
The SP has an inbound filter just like the IdP's outbound filter. Check
the SP's logs and it will tell you if it's filtering out things (which
is probably what is happening).

jehan procaccia wrote:
> However Renater test SP doesn't show me the resulted value :-(
>

> _Miscellaneous_
> *Client Address:* 157.159.50.197
> *Identity Provider:* https://idp.telecom-lille1.eu/idp/shibboleth
> *SSO Protocol:* urn:oasis:names:tc:SAML:1.1:protocol
> *Authentication Time:* 2009-10-23T10:58:20.657Z
> *Authentication Context Class:*

> urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

> *Authentication Context Decl:* (none)
> *Session Expiration (barring inactivity):* 480 minute(s)
>
> _Attributes_
> *displayName*: Shib-tl1-int
> *mail*: shib...@telecom-lille1.eu
> *sn*: Shib-tl1-int
> *uid*: Shib-tl1-int


Yasin Amadmia

Oct 23, 2009, 7:50:33 AM
to shibbole...@internet2.edu

Dear All,

We are currently having some issues getting attributes out of AD LDAP
within our shibboleth 2.1.2 IDP implementation. The IDP application
loads successfully within Tomcat (I can get an ok for /profile/Status).
When I try to use the ../bin/aacli.sh --configDir=. --principal=<some
valid LDAP Account>, the command returns without any messages (no errors
either) but looking into the idp-process file, I can see the below
lines.

08:33:35.727 - DEBUG [edu.vt.middleware.ldap.Ldap:1538] - Bind with the following parameters:
08:33:35.727 - DEBUG [edu.vt.middleware.ldap.Ldap:1539] - dn = cn=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx
08:33:35.728 - DEBUG [edu.vt.middleware.ldap.Ldap:1543] - credential = <suppressed>
08:33:35.728 - TRACE [edu.vt.middleware.ldap.Ldap:1546] - config = {java.naming.provider.url=ldap://ldapserverhost:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.ldap.attributes.binary=objectSid}
08:33:35.728 - TRACE [edu.vt.middleware.ldap.Ldap:1566] - TLS not used
08:33:35.729 - TRACE [edu.vt.middleware.ldap.Ldap:1567] - authtype is simple
08:33:35.747 - DEBUG [edu.vt.middleware.ldap.Ldap:549] - Search with the following parameters:
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:550] - dn = ou=xxx,dc=xxx,dc=xxx,dc=xxx
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:551] - filter = (sAMAccountName=<account>)
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:552] - filterArgs =
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:554] - none
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:558] - retAttrs =
08:33:35.748 - DEBUG [edu.vt.middleware.ldap.Ldap:560] - all attributes
08:33:35.748 - TRACE [edu.vt.middleware.ldap.Ldap:565] - config = {java.naming.provider.url=ldap://ldapserverhost:389, java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory, java.naming.referral=follow, java.naming.ldap.attributes.binary=objectSid}
08:33:35.765 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.ComputedIDDataConnector:114] - No inbound message issuer identified, unable to compute ID
08:33:35.769 - ERROR [edu.internet2.middleware.shibboleth.common.attribute.AttributeAuthorityCLI:350] - Error encountered during attribute resolution and filtering
edu.internet2.middleware.shibboleth.common.attribute.resolver.AttributeResolutionException: No inbound message issuer identified

Our attribute-resolver.xml is as below:

<resolver:DataConnector id="myLDAP" xsi:type="LDAPDirectory"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        ldapURL="ldap://ldaphost" baseDN="ou=xxx,dc=xxx,dc=xxx,dc=xxx"
                        principal="cn=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx"
                        principalCredential="some-password">
    <FilterTemplate>
        <![CDATA[
            (sAMAccountName=$requestContext.principalName)
        ]]>
    </FilterTemplate>
    <LDAPProperty name="java.naming.ldap.attributes.binary" value="objectSid"/>
    <LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>

<!-- Computed targeted ID connector -->
<resolver:DataConnector xsi:type="ComputedId"
                        xmlns="urn:mace:shibboleth:2.0:resolver:dc"
                        id="computedID"
                        generatedAttributeID="computedID"
                        sourceAttributeID="sAMAccountName"
                        salt="random is very random">
    <resolver:Dependency ref="myLDAP" />
</resolver:DataConnector>

NOTE: We don't have a uid attribute, so we are using sAMAccountName as the user field.

The login config file is as below:

ShibUserPassAuth {
    edu.vt.middleware.ldap.jaas.LdapLoginModule required
        host="ldaphost"
        port="389"
        ssl="false"
        base="ou=xxx,dc=xxx,dc=xxx,dc=xxx"
        subtreeSearch="true"
        userField="sAMAccountName"
        serviceUser="cn=xxx,ou=xxx,dc=xxx,dc=xxx,dc=xxx"
        serviceCredential="some-password";
};


Any help much appreciated.

Regards
Yasin.


Scott Cantor

Oct 23, 2009, 12:14:31 PM
to shibbole...@internet2.edu
Yasin Amadmia wrote on 2009-10-23:
> We are currently having some issues getting attributes out of AD LDAP
> within our shibboleth 2.1.2 IDP implementation.

Your problem is with the authentication of your partner sites. You can't use
persistentIDs that are pairwise with relying parties if you don't know the
relying party. Nothing to do with LDAP.

> When I try to use the ../bin/aacli.sh --configDir=. --principal=<some
> valid LDAP Account>, the command returns without any messages (no errors
> either) but looking into the idp-process file, I can see the below lines.

And there are no LDAP related errors, are there?

> java.naming.ldap.attributes.binary=objectSid} 08:33:35.765 - ERROR
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.
> dataConnector.ComputedIDDataConnector:114] - No inbound message issuer
> identified, unable to compute ID 08:33:35.769

Nothing about LDAP there.

-- Scott


Brent Putman

Oct 23, 2009, 1:09:31 PM
to jehan.p...@it-sudparis.eu, shibbole...@internet2.edu

jehan procaccia wrote:
> Great, good hint ... now it finds one value . It is also case
> sensitive ... i had to replaces dc by DC and ou by OU:
> regex=".*,OU=(permanents),DC=people,DC=mysite,DC=fr">


Just for the record, both the RegexSplit and Mapped attribute
definitions have options to control the case sensitivity of the regex
match operation, so you can make it case-insensitive if you wanted.
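
The grouping point from Chad's reply, the case-sensitivity point from this one, and the Mapped definition's default value, worked through in Python as an added example (not code from the thread or from the Shibboleth project). It models the behaviour the thread describes: whole-value matching as Java's `Pattern.matches()` does (`re.fullmatch` here, an assumption), group 1 as the produced value, and a DefaultValue that is produced when no ValueMap matches; the DN is a constructed sample shaped like the one in the logs.

```python
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample value, shaped like the DN the AD connector returned in
# the thread's logs: note the upper-case attribute types (CN=, OU=, DC=).
AD_DN = "CN=Shib-tl1-int,OU=permanents,DC=people,DC=mysite,DC=fr"


def regex_split(values: Sequence[str], regex: str,
                ignore_case: bool = False) -> List[str]:
    """Model of the 2.x RegexSplit attribute definition as the thread
    describes it (assumption: Java Pattern.matches() semantics, so the whole
    value must match; re.fullmatch is the Python equivalent).

    There is no 'replacement' attribute: the first match group *is* the
    produced value, so a pattern without parentheses yields nothing.
    """
    pattern = re.compile(regex, re.IGNORECASE if ignore_case else 0)
    if pattern.groups == 0:
        return []  # nothing to extract: "did not result in any values"
    produced: List[str] = []
    for value in values:
        match = pattern.fullmatch(value)
        if match is not None and match.group(1) is not None:
            produced.append(match.group(1))
    return produced


def mapped(values: Sequence[str], value_map: Sequence[Tuple[str, str]],
           default: Optional[str] = None,
           ignore_case: bool = False) -> List[str]:
    """Model of the Mapped attribute definition: each SourceValue is a regex
    compared against the source value, and the first matching ValueMap
    yields its ReturnValue. When no map matches, DefaultValue (if set) is
    produced instead, so 'containing 1 values' in the resolver log does not
    by itself show that a ValueMap matched.
    """
    flags = re.IGNORECASE if ignore_case else 0
    compiled = [(re.compile(src, flags), ret) for src, ret in value_map]
    produced: List[str] = []
    for value in values:
        for src, ret in compiled:
            if src.fullmatch(value):
                produced.append(ret)
                break
        else:
            if default is not None:
                produced.append(default)
    return produced


if __name__ == "__main__":
    # No group: nothing can come out, whatever the case.
    print(regex_split([AD_DN], r".*,ou=permanents,dc=people,dc=mysite,dc=fr"))
    # Group present, but lower-case 'ou=' against an 'OU=' value: no match.
    print(regex_split([AD_DN], r".*,ou=(permanents),dc=people,dc=mysite,dc=fr"))
    # Either match the case the directory actually returns ...
    print(regex_split([AD_DN], r".*,OU=(permanents),DC=people,DC=mysite,DC=fr"))
    # ... or make the match case-insensitive, as both definitions allow.
    print(regex_split([AD_DN], r".*,ou=(permanents),dc=people,dc=mysite,dc=fr",
                      ignore_case=True))
    # General form: capture whatever OU the entry sits in, not one literal.
    print(regex_split([AD_DN], r".*,OU=([^,]*),DC=people,DC=mysite,DC=fr"))
    # Mapped: a literal SourceValue in the wrong case misses, so the single
    # resolved value is the default, not the mapped one.
    src = r"CN=shib-tl1-int,ou=permanents,dc=people,dc=mysite,dc=fr"
    print(mapped([AD_DN], [(src, "permanents")], default="affiliate"))
    print(mapped([AD_DN], [(src, "permanents")], default="affiliate",
                 ignore_case=True))
```

Because an attribute like employeeType is typically used for authorization on the SP side, a silently applied DefaultValue is worth checking for explicitly rather than inferring success from the value count alone.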

Brent Putman

Oct 23, 2009, 1:16:13 PM
to shibbole...@internet2.edu

Yasin Amadmia wrote:
> 08:33:35.765 - ERROR
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.
> dataConnector.ComputedIDDataConnector:114] - No inbound message issuer
> identified, unable to compute ID

As Scott said, the error is nothing to do with LDAP.


>
> When I try to use the ../bin/aacli.sh --configDir=. --principal=<some
> valid LDAP Account>,


To test computed ID, you have to use the "--requester" arg to aacli to
indicate the relying party's entityID. That value is necessary for the
computed ID calculation.


https://spaces.internet2.edu/display/SHIB2/AACLI
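
Why the relying party's entityID is required, as an added Python example (not code from the thread, the AACLI tool or the Shibboleth project). It models a pairwise computed ID as a salted hash over the requester and the source attribute, so that without a requester nothing can be computed and two SPs get uncorrelatable values; the hash layout, the salt reuse from the posted config, and the principal and SP entityIDs are constructed assumptions for illustration.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed sample values for illustration only.
SALT = b"random is very random"   # the salt string from the posted connector
PRINCIPAL_SAM = "jdoe"            # sAMAccountName of a hypothetical test account
SP_A = "https://sp-a.example.org/shibboleth"   # hypothetical relying parties
SP_B = "https://sp-b.example.org/shibboleth"


class NoRequesterError(ValueError):
    """The relying party is unknown, so no pairwise ID can be derived; this is
    the 'No inbound message issuer identified' condition from the log."""


def computed_id(requester: Optional[str], source_value: str, salt: bytes) -> str:
    """Pairwise identifier modelled on the 2.x ComputedId connector: SHA-1 over
    the relying party's entityID, the source attribute value and the secret
    salt, Base64-encoded. Assumption: the '!' separators and field order are
    illustrative; do not treat the output as interoperable with a real IdP."""
    if not requester:
        raise NoRequesterError(
            "No inbound message issuer identified, unable to compute ID")
    digest = hashlib.sha1()
    digest.update(requester.encode("utf-8"))
    digest.update(b"!")
    digest.update(source_value.encode("utf-8"))
    digest.update(b"!")
    digest.update(salt)
    return base64.b64encode(digest.digest()).decode("ascii")


def resolve_from_cli(principal: str, requester: Optional[str]) -> Tuple[bool, str]:
    """What aacli does in effect: the LDAP lookup may succeed, but without
    --requester the ComputedId connector has no entityID and resolution fails.
    Returns (ok, id_or_error_message)."""
    try:
        return True, computed_id(requester, principal, SALT)
    except NoRequesterError as exc:
        return False, str(exc)


def is_pairwise(principal: str, rp_a: str, rp_b: str) -> bool:
    """Two distinct relying parties must receive IDs they cannot correlate."""
    return computed_id(rp_a, principal, SALT) != computed_id(rp_b, principal, SALT)


if __name__ == "__main__":
    print(resolve_from_cli(PRINCIPAL_SAM, None))   # (False, 'No inbound message issuer identified, ...')
    print(resolve_from_cli(PRINCIPAL_SAM, SP_A))   # (True, '<28-character Base64 SHA-1>')
    print(is_pairwise(PRINCIPAL_SAM, SP_A, SP_B))  # True
```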

jehan procaccia

Oct 26, 2009, 10:49:33 AM
to shibbole...@internet2.edu
OK, now that I have created my own SP with /etc/shibboleth/printenv.pl and Apache mod_shib, I can control attribute distribution from end to end.
But my 2 added attributes still don't show up in the SP, although the IDP does tell me that it sends them:

15:28:18.086 - INFO [Shibboleth-Audit:714] - 20091026T142818Z|urn:mace:shibboleth:1.0:profiles:AuthnRequest||https://trombi.it-sudparis.eu|urn:mace:shibboleth:2.0:profiles:saml1:sso|https://idp.telecom-lille1.eu/idp/shibboleth|urn:oasis:names:tc:SAML:1.0:profiles:browser-post|_1f277e9ae12b91a5041dc768a2ea5663|shib-tl1-int|urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport|uid,employeeType,StatusTL1,email,transientId,surname,displayName,|_b97e2f25500cb02f7fe7fe9715879ce1|_5dff6dc3cb87aab09e2417f1ca558063,|

On the SP side, here's what I call: http://trombi.it-sudparis.eu/secure/printenv.pl
Here's the result in the browser:

Environment variables set by the Shibboleth SP:
Shib_Authentication_Instant=2009-10-26T14:28:17.940Z
Shib_Application_ID=trombi
Shib_Session_ID=_5a4ebe0339054df92bddf61d28efe793
Shib_Identity_Provider=https://idp.telecom-lille1.eu/idp/shibboleth
sn=Shib-tl1-int
REMOTE_USER=test...@telecom-lille1.eu
mail=test...@telecom-lille1.eu
displayName=Shib-tl1-int
Shib_AuthnContext_Class=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
Shib_Authentication_Method=urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport

No trace of employeeType or StatusTL1, which I created from the regexp, nor of transientId :-( !?

Here's the SP log, which confirms only 3 attributes:

2009-10-26 15:29:00 DEBUG Shibboleth.SSO.SAML1 [4]: SSO profile processing completed successfully
2009-10-26 15:29:00 DEBUG Shibboleth.SSO.SAML1 [4]: extracting pushed attributes...
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeExtractor.XML [4]: skipping unmapped NameIdentifier with format (urn:mace:shibboleth:1.0:nameIdentifier)
2009-10-26 15:29:00 INFO Shibboleth.AttributeExtractor.XML [4]: skipping unmapped SAML 1.x Attribute with Name: urn:mace:dir:attribute-def:uid
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (mail) from SAML 1 Attribute (urn:mace:dir:attribute-def:mail) with 1 value(s)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (sn) from SAML 1 Attribute (urn:mace:dir:attribute-def:sn) with 1 value(s)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeDecoder.String [4]: decoding SimpleAttribute (displayName) from SAML 1 Attribute (urn:mace:dir:attribute-def:displayName) with 1 value(s)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeFilter [4]: filtering 3 attribute(s) from (https://idp.telecom-lille1.eu/idp/shibboleth)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeFilter [4]: applying filtering rule(s) for attribute (mail) from (https://idp.telecom-lille1.eu/idp/shibboleth)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeFilter [4]: applying filtering rule(s) for attribute (sn) from (https://idp.telecom-lille1.eu/idp/shibboleth)
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeFilter [4]: applying filtering rule(s) for attribute (displayName) from (https://idp.telecom-lille1.eu/idp/shibboleth)
2009-10-26 15:29:00 DEBUG Shibboleth.SSO.SAML1 [4]: resolving attributes...
2009-10-26 15:29:00 DEBUG Shibboleth.AttributeResolver.Query [4]: found AttributeStatement in input to new session, skipping query

In the SP attribute-map:

<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" .... shibboleth-2.0-attribute-map.xsd">
<Attribute name="urn:mace:dir:attribute-def:employeeType" id="employeeType"/>
<Attribute name="StatusTL1" id="StatusTL1"/>
<!-- New namespace in urn:oid of the same attributes for interoperability 1.3 / 2 -->
<Attribute name="urn:oid:1.3.6.1.4.1.7391.4.1.1.1" id="employeType"/>
<Attribute name="urn:oid:1.3.6.1.4.1.7391.4.1.1.2" id="StatusTL1"/>

I once thought that it could be a misconfiguration of
attribute-policy.xml ... but I don't see "cn, mail or
displayname" anywhere in that file, although I do receive those 3 attributes.
Any advice ?

thanks.
