attributes are not getting released

Pavan K
Aug 16, 2011, 3:42:49 PM
to us...@shibboleth.net
Hi All,

I am new to the Shibboleth identity provider. I have installed and configured the Shibboleth identity provider by following the instructions given on the Shibboleth home page. I configured an LDAP data connector to retrieve some attributes, and when I test the attribute resolver using the "AACLI" tool I am getting "No attribute statement" all the time. I did not find any logs related to attribute retrieval in the log files.

My configuration details are as follows:

"handler.xml"

<ph:LoginHandler xsi:type="ph:UsernamePassword"
                  jaasConfigurationLocation="file://IDP_HOME/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

"login.config"

edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="LDAP_URL"
      baseDn="ou=public,dc=abc,dc=com"
      tls="true"
      userFilter="uid={0}"
   ;

"attribute-filter.xml"

<afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />

        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

"attribute-resolver.xml"


    <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
        <resolver:AttributeEncoder xsi:type="SAML2String"
            xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="mail" />
    </resolver:AttributeDefinition>

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="LDAP_URL"
        baseDN="ou=public,dc=abc,dc=com"
        principal="USER_NAME"
        principalCredential="PASSWORD">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>



Even when I comment out the statements in the "login.config" file, I am not getting any errors in the log file and am still getting the "No Attribute Statement" message. The following is the command I am using from "IDP_HOME":

aacli.bat --configDir=../conf --principal=<USER_NAME>

Could anyone please help me get this working? Am I missing something in the configuration?

Thank you in advance.

-- Pavan

Ashok Kumar
Aug 16, 2011, 4:05:30 PM
to Shib Users
I think if you see the IdP access logs, it will tell you what attribute has been resolved and what are filtered. You may need to set the log level to debug to see all this.

Thanks,
-Ashok


--
To unsubscribe from this list send an email to users-un...@shibboleth.net



Pavan K
Aug 16, 2011, 4:38:04 PM
to Shib Users
Thank you, Ashok. In the logs I am seeing the following messages:

Resolved attribute uid containing 0 values
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute mail for principal pavank
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute mail containing 0 values
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal pavank

I did not understand why it is not getting the value from LDAP. Is there a configuration I am missing?

Thank you,
Pavan

Chad La Joie
Aug 16, 2011, 4:40:15 PM
to Shib Users
If you look earlier in the logs you'll see what, if anything, was
actually fetched from the LDAP server.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered

Ashok Kumar
Aug 16, 2011, 4:52:24 PM
to Shib Users
What does your LDAP data connector entry look like in the resolver.conf file?

Thanks,
-Ashok

Pavan K
Aug 16, 2011, 4:58:28 PM
to Shib Users
Here is my LDAP data connector configuration:


<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldap://<IP_ADDRESS>:389"
        baseDN="ou=public,dc=abc,dc=com"
        principal="<USER_NAME>"
        principalCredential="<PASSWORD>">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>


and here is the log:


13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (uid=<USERNAME>)
13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn =<USERNAME>
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = ou=public,dc=abc,dc=com
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:195] -   filter = (uid=<USERNAME>)
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:196] -   filterArgs = []
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -   searchControls = javax.naming.directory.SearchControls@1c28517
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1afe460, edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@ba8fce, edu.vt.middleware.ldap.handler.BinarySearchResultHandler@3744bc]
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid containing 0 values
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute mail for principal <USERNAME>
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute mail containing 0 values
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal <USERNAME>
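The log above, read mechanically. This is an added example, not code from the thread or from the IdP: a small stdlib-Python triage script for the IdP 2.x DEBUG lines shown in the post (vt-ldap's "Bind with the following parameters" / "Search with the following parameters" blocks and the resolver's "Resolved attribute X containing N values" lines). It extracts the bind name, search base and filter, counts the values each attribute resolved to, and flags the two things a practitioner checks first: attributes that came back with 0 values, and a bind "dn" that is not DN-shaped (the posted log shows a bare username there; for a simple bind the connector's `principal` is normally a full DN). The sample lines are the posted log with its `<USERNAME>` placeholders replaced by made-up values; the function names are my own.

```python
"""Triage Shibboleth IdP 2.x attribute-resolver DEBUG output.

Added example, not part of the original thread or of the IdP. It reads the
kinds of lines shown in the post above and reports what the LDAP connector
actually did, so a "0 values" result can be traced to the bind or the search
rather than guessed at.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the posted log with the <USERNAME>/<suppressed>
# placeholders replaced by made-up values. Class names are as in the post.
SAMPLE_LOG = """\
13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (uid=pavank)
13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn =svc-shib
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = ou=public,dc=abc,dc=com
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:195] -   filter = (uid=pavank)
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid containing 0 values
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute mail for principal pavank
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute mail containing 0 values
"""

# "<time> - <LEVEL> [<class>:<line>] - <message>"
MSG_RE = re.compile(r"^\S+ - (\w+) \[([\w.$]+):\d+\] - (.*)$")
RESOLVED_RE = re.compile(r"Resolved attribute (\S+) containing (\d+) values")
# A DN is a comma-separated list of type=value RDNs; "svc-shib" is not one.
DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,]+(,[A-Za-z][\w-]*=[^,]+)*\s*$")


def parse_resolver_log(text: str) -> Dict[str, object]:
    """Return bind name, search base/filter and per-attribute value counts."""
    bind_dn: Optional[str] = None
    search_base: Optional[str] = None
    search_filter: Optional[str] = None
    counts: Dict[str, int] = {}
    section = None  # which "... with the following parameters:" block we are in
    for line in text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue
        _level, cls, msg = m.groups()
        msg = msg.strip()
        if cls.endswith("DefaultConnectionHandler") and msg.startswith("Bind with"):
            section = "bind"
        elif cls.endswith("ldap.Ldap") and msg.startswith("Search with"):
            section = "search"
        elif msg.startswith("dn ="):
            value = msg[len("dn ="):].strip()
            if section == "bind":
                bind_dn = value
            elif section == "search":
                search_base = value
        elif msg.startswith("filter =") and section == "search":
            search_filter = msg[len("filter ="):].strip()
        else:
            r = RESOLVED_RE.search(msg)
            if r:
                counts[r.group(1)] = int(r.group(2))
    return {"bind_dn": bind_dn, "search_base": search_base,
            "search_filter": search_filter, "value_counts": counts}


def findings(parsed: Dict[str, object]) -> List[str]:
    """Things to check before blaming the attribute definitions."""
    out: List[str] = []
    bind_dn = parsed["bind_dn"]
    if bind_dn is not None and not DN_RE.match(bind_dn):
        out.append(f"bind dn {bind_dn!r} is not a DN; the connector's 'principal' "
                   "is the name the IdP binds with, normally a full DN for a simple bind")
    empty = sorted(a for a, n in parsed["value_counts"].items() if n == 0)
    if empty:
        out.append(f"attributes resolved with 0 values: {', '.join(empty)}; "
                   f"repeat the search {parsed['search_filter']} under "
                   f"{parsed['search_base']} with ldapsearch, bound as the same account")
    return out


if __name__ == "__main__":
    for f in findings(parse_resolver_log(SAMPLE_LOG)):
        print("-", f)
```

The point of the second finding is the one Chad makes next: a connector that binds, searches and logs no error but resolves 0 values has been answered by the directory; the question is what that bind account sees for that filter and base, which ldapsearch answers faster than the IdP does.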

Chad La Joie
Aug 16, 2011, 5:07:14 PM
to Shib Users
So, the LDAP didn't return attributes for that user. So either your
configuration is wrong or the LDAP really doesn't have attributes for
that user.


Ashok Kumar
Aug 16, 2011, 5:25:18 PM
to Shib Users
What's the value of USERNAME? I mean USERNAME should have enough privileges to get the value of $requestContext.principalName. It's a kind of service account for LDAP. You may try with cn="Directory Manager" if you have the option.

Do you see the value of $requestContext.principalName in the logs? It's the name of the user who is supposed to be authenticated.

I see there is no value coming for uid from LDAP in the logs, which is $requestContext.principalName.

Thanks,
-Ashok

Pavan K
Aug 16, 2011, 5:34:19 PM
to Shib Users
Thank you, Ashok and Chad. It was an LDAP configuration issue. I gave the wrong filter parameter. It is working fine now.

I have one more question, while configuring the LDAP connector we are forced to specify the "filterParameter". That is forcing us to get the attributes of a particular user. But is there any way to get the attributes of all the users that are present in LDAP hierarchy?

Thank you,
Naresh

Ashok Kumar
Aug 16, 2011, 5:45:03 PM
to Shib Users
Hmm... If you are trying to find all the users along with all their attributes and values, then you may try the filter uid=* in the data connector. I have not used it before from the IdP, but using ldapsearch on LDAP it will give you all the entries requested on a specific basedn.

What are you trying to achieve out of it?
-Ashok Kumar
CSUEB
Email: ashok...@csueastbay.edu
Phone: 510-885-2141

Chad La Joie
Aug 16, 2011, 5:49:32 PM
to Shib Users
That's just going to cause an exception. The attribute resolver is
designed to provide information for a single user.


Pavan K
Aug 16, 2011, 5:54:03 PM
to Shib Users
Thank you Ashok.

I want to populate all the users from LDAP for a given basedn in my application.

I tried to use "*" for the filter, but it did not work. It is throwing a "size limit exceeded" exception.

javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) ~[na:1.6.0_06]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.6.0_06]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.6.0_06]

Chad La Joie
Aug 16, 2011, 5:57:33 PM
to Shib Users
Yep, that's what you should expect.


Ashok Kumar
Aug 16, 2011, 5:57:53 PM
to Shib Users
On Tue, Aug 16, 2011 at 2:54 PM, Pavan K <pavanon...@gmail.com> wrote:
> Thank you Ashok.
>
> I want to populate all the users from LDAP for a given basedn in my application.

I would suggest taking an LDIF dump from LDAP for a given basedn and loading it into your application database.
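Ashok's suggestion is an LDIF dump of the base DN, loaded into the application. As an added example (not from the thread, and not part of Shibboleth), here is a minimal stdlib-Python reader for the content records such a dump contains, which is usually all an application needs: it handles comment lines, folded continuation lines, base64 (`::`) values and multi-valued attributes, then selects the user entries under a base DN. The sample LDIF, the DNs and the function names are constructed for this example.

```python
"""Minimal LDIF (RFC 2849) reader for loading a directory dump into an application.

Added example, not part of the original thread. It covers what an ldapsearch
or slapcat dump actually uses: comment lines, folded lines (continuations
start with one space), base64 values ("attr:: ...") and multi-valued
attributes. Change records (changetype:) are out of scope.
"""
import base64
from typing import Dict, Iterator, List

# Constructed sample dump for the base DN from the thread. The mail value of
# the second entry is base64-encoded, as LDIF does for non-ASCII or leading
# spaces, and its cn is folded across two lines.
SAMPLE_LDIF = """\
# extended LDIF, constructed for this example
version: 1

dn: uid=pavank,ou=public,dc=abc,dc=com
objectClass: inetOrgPerson
uid: pavank
cn: Pavan K
mail: pavank@abc.com
mail: pavan.k@abc.com

dn: uid=jdoe,ou=public,dc=abc,dc=com
objectClass: inetOrgPerson
uid: jdoe
cn: Jos
 e Doe
mail:: amRvZUBhYmMuY29t

dn: uid=svc-shib,ou=service,dc=abc,dc=com
objectClass: account
uid: svc-shib
"""

Entry = Dict[str, List[str]]


def _unfold(text: str) -> Iterator[str]:
    """Yield logical LDIF lines: join continuation lines, drop comment lines."""
    buf = None
    for raw in text.splitlines():
        if raw.startswith(" ") and buf is not None:
            buf += raw[1:]          # folded line: strip exactly one leading space
            continue
        if buf is not None:
            yield buf
        buf = None if raw.startswith("#") else raw
    if buf is not None:
        yield buf


def parse_ldif(text: str) -> List[Entry]:
    """Parse LDIF content records into {attr: [values]} dicts (dn included, keys lowercased)."""
    entries: List[Entry] = []
    current: Entry = {}
    for line in _unfold(text):
        if line == "":                      # blank line ends a record
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed LDIF line: {line!r}")
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith("<"):         # "attr:< file:///..." would read local files
            raise ValueError(f"URL-valued attribute not supported: {name}")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    if current:
        entries.append(current)
    return entries


def users_under(entries: List[Entry], base_dn: str,
                objectclass: str = "inetOrgPerson") -> List[Entry]:
    """Entries whose DN sits under base_dn and that carry the given objectClass."""
    suffix = "," + base_dn.lower().replace(", ", ",")
    return [e for e in entries
            if e["dn"][0].lower().endswith(suffix)
            and objectclass.lower() in (v.lower() for v in e.get("objectclass", []))]


if __name__ == "__main__":
    for user in users_under(parse_ldif(SAMPLE_LDIF), "ou=public,dc=abc,dc=com"):
        print(user["uid"][0], user.get("mail", []))
```

To produce the dump without hitting the server-side size limit seen later in the thread, ask OpenLDAP's ldapsearch for paged results, for example `ldapsearch -x -H ldap://ldap.example.org -D '<bind DN>' -W -b ou=public,dc=abc,dc=com -E pr=500/noprompt '(objectClass=inetOrgPerson)' uid cn mail > users.ldif` (host and bind DN are placeholders); paging only helps if the directory honours the paged-results control, and the bind account still needs read access to the attributes requested. The `attr:< file:///...` form is rejected rather than followed on purpose: a dump that can point the loader at arbitrary local files is not something to trust.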
 

Pavan K
Aug 16, 2011, 6:00:58 PM
to Shib Users
I don't want to deal with the database dump. I cannot do that in the customer environment. Is there any possibility in the Shibboleth IdP?

Thank you,
Naresh

Chad La Joie
Aug 16, 2011, 6:09:58 PM
to Shib Users
No. The IdP is not a provisioning system.


Pavan K
Aug 16, 2011, 6:18:05 PM
to Shib Users
Thank you Chad.

Russell J Yount
Aug 17, 2011, 12:00:58 PM
to Shib Users

Is there a way to configure the service provider to present the raw IDP provided SAML assertion in the environment or HTTP headers? I am using the term raw to mean complete with signature and encryption.

 

-Russ

 

Cantor, Scott
Aug 17, 2011, 12:09:06 PM
to us...@shibboleth.net
On 8/17/11 12:00 PM, "Russell J Yount" <r...@cmu.edu> wrote:

>Is there a way to configure the service provider to present the raw IDP
>provided SAML assertion in the environment or HTTP headers?

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionExport

> I am using the term raw
> to mean complete with signature and encryption.

If it were still encrypted, you wouldn't be able to do anything with it.

-- Scott
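Consuming what Scott points at from application code, as an added example (not from the thread or from the SP project). It assumes the export described on the NativeSPAssertionExport page: with `exportLocation` (and `exportACL`) set on `<Sessions>` in shibboleth2.xml, the SP exposes per request a `Shib-Assertion-Count` variable and `Shib-Assertion-01`, `-02`, ... variables holding URLs from which the assertion(s) can be fetched. The code collects those URLs from a request environment and inspects a fetched document to report whether it is an `EncryptedAssertion` (unusable, as Scott says) and whether a `ds:Signature` is present. The fetch is passed in as a callable so it runs offline here; the variable names and the sample URL are assumptions to verify against your SP version, and the sample XML is constructed, not a real IdP assertion.

```python
"""Consume the Shibboleth SP's assertion export from an application.

Added example, not from the thread or the SP project. Assumes the export
described on the NativeSPAssertionExport wiki page: Shib-Assertion-Count plus
Shib-Assertion-NN variables carrying fetch URLs. Verify the names against
your SP version.
"""
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def assertion_urls(env: Dict[str, str]) -> List[str]:
    """Collect the export URLs from a request environment.

    Accepts both the Apache environment-variable form (Shib-Assertion-Count)
    and the CGI/WSGI header form (HTTP_SHIB_ASSERTION_COUNT).
    """
    def get(name: str) -> str:
        return env.get(name) or env.get("HTTP_" + name.upper().replace("-", "_"), "")

    count = int(get("Shib-Assertion-Count") or 0)
    urls = []
    for i in range(1, count + 1):
        url = get(f"Shib-Assertion-{i:02d}")
        if url:
            urls.append(url)
    return urls


def inspect_assertion(xml_bytes: bytes) -> Dict[str, object]:
    """Report what the exported document is: encrypted or plain, signed or not."""
    root = ET.fromstring(xml_bytes)
    if root.tag == "{%s}EncryptedAssertion" % NS["saml"]:
        # Still ciphertext: nothing in it is readable without the SP's key.
        return {"encrypted": True, "signed": False, "issuer": None, "id": None}
    if root.tag != "{%s}Assertion" % NS["saml"]:
        raise ValueError(f"not a SAML 2.0 assertion: {root.tag}")
    issuer = root.find("saml:Issuer", NS)
    # Only a ds:Signature that is a direct child of the Assertion covers it;
    # one nested deeper (e.g. inside Advice) belongs to something else.
    signed = root.find("ds:Signature", NS) is not None
    return {
        "encrypted": False,
        "signed": signed,
        "issuer": issuer.text if issuer is not None else None,
        "id": root.get("ID"),
    }


def exported_assertions(env: Dict[str, str],
                        fetch: Callable[[str], bytes]) -> List[Dict[str, object]]:
    """Fetch every exported assertion for this request and inspect it."""
    return [dict(url=u, **inspect_assertion(fetch(u))) for u in assertion_urls(env)]


# Constructed sample: a skeletal signed assertion and a minimal request
# environment. The URL shape is an assumption, not copied from an SP.
SAMPLE_ASSERTION = b"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_abc123" Version="2.0">
  <saml:Issuer>https://idp.example.org/idp/shibboleth</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>...</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>pavank</saml:NameID></saml:Subject>
</saml:Assertion>"""

SAMPLE_ENV = {
    "Shib-Assertion-Count": "1",
    "Shib-Assertion-01": "https://sp.example.org/Shibboleth.sso/GetAssertion?key=c0ffee&ID=_abc123",
}


def _offline_fetch(url: str) -> bytes:
    """Stand-in for the HTTP GET of the export URL, which must be made from the SP host."""
    return SAMPLE_ASSERTION if url.startswith("https://sp.example.org/") else b""


if __name__ == "__main__":
    for result in exported_assertions(SAMPLE_ENV, _offline_fetch):
        print(result)
```

Finding a `ds:Signature` element is not verifying it; the SP checks signatures when it accepts the response, and the export exists so an application can keep or forward the assertion, not re-validate it. That makes the fetch itself the thing to protect: the request must really go to the SP's `exportLocation` on the local host, which is what `exportACL` is there to enforce.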
