attributes are not getting released

[Pavan K]

Hi All,

I am new to Shibboleth identity provider. I have installed and configured the Shibboleth identity provider by following the instructions given in shibboleth home page. I configured LDAP data connector to retrieve some attributes. And when i test the attribute resolver by using "AACLI" tool i am getting "No attribute statement" all the time. I did not find any logs related to attribute retrieval in the log files.

My configuration details as follows,

"handler.xml"

<ph:LoginHandler xsi:type="ph:UsernamePassword"
                  jaasConfigurationLocation="file://IDP_HOME/conf/login.config">
        <ph:AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</ph:AuthenticationMethod>
    </ph:LoginHandler>

"login.config"

edu.vt.middleware.ldap.jaas.LdapLoginModule required
      ldapUrl="LDAP_URL"
      baseDn="ou=public,dc=abc,dc=com"
      tls="true"
      userFilter="uid={0}"
   ;

"attribute-filter.xml"

<afp:AttributeFilterPolicy>
        <afp:PolicyRequirementRule xsi:type="basic:ANY" />

        <afp:AttributeRule attributeID="mail">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

"attribute-resolver.xml"


 <resolver:AttributeDefinition xsi:type="ad:Simple" id="mail" sourceAttributeID="mail">
        <resolver:Dependency ref="myLDAP" />
    <resolver:AttributeEncoder xsi:type="SAML2String"
    xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
            name="urn:oid:0.9.2342.19200300.100.1.1" friendlyName="mail" />
    </resolver:AttributeDefinition>

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="LDAP_URL"
        baseDN="ou=public,dc=abc,dc=com"
        principal="USER_NAME"
        principalCredential="PASSWORD">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>



Even when i comment the statements in "login.config" file, i am not getting any errors in the log file and still getting "No Aattribute Statement" message. Following is the command i am using from "IDP_HOME"

aacli.bat --configDir=../conf --principal=<USER_NAME>

Could anyone please help me get this working? Am i missing something in the configruation?

Thank you in advance.

-- Pavan

[Ashok Kumar]

I think if you see the IdP access logs, it will tell you what attribute has been resolved and what are filtered. You may need to set the log level to debug to see all this.

Thanks,
-Ashok

--
To unsubscribe from this list send an email to users-un...@shibboleth.net

--

[Pavan K]

Thank you Ashok. IN the logs i am seeing the following messages,

Resolved attribute uid containing 0 values
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute mail for principal pavank
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute mail containing 0 values
13:31:29.447 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal pavank

I did not understand why it is not getting the value from LDAP. Is there configuration i am missing?

Thank you,
Pavan

[Chad La Joie]

If you look earlier in the logs you'll see what, if anything, was
actually fetched from the LDAP server.

--
Chad La Joie
www.itumi.biz
trusted identities, delivered

[Ashok Kumar]

How is your LDAP Data connector entry looks like in resolver.conf file?

Thanks,
-Ashok

[Pavan K]

Here is my LDAP data connector configruation,

<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"

        ldapURL="ldap://<IP_ADDRESS>:389"

        baseDN="ou=public,dc=abc,dc=com"
        principal="<USER_NAME>"
        principalCredential="<PASSWORD>">
        <dc:FilterTemplate>
            <![CDATA[
                (uid=$requestContext.principalName)
            ]]>
        </dc:FilterTemplate>
    </resolver:DataConnector>

and here is the log


13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (uid=<USERNAME>)
13:43:54.714 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:73] - Bind with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:74] -   authtype = simple
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:75] -   dn =<USERNAME>
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.handler.DefaultConnectionHandler:82] -   credential = <suppressed>
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:193] - Search with the following parameters:
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:194] -   dn = ou=public,dc=abc,dc=com
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:195] -   filter = (uid=<USERNAME>)
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:196] -   filterArgs = []
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:197] -   searchControls = javax.naming.directory.SearchControls@1c28517
13:43:54.714 - DEBUG [edu.vt.middleware.ldap.Ldap:198] -   handler = [edu.vt.middleware.ldap.handler.FqdnSearchResultHandler@1afe460, edu.vt.middleware.ldap.handler.EntryDnSearchResultHandler@ba8fce, edu.vt.middleware.ldap.handler.BinarySearchResultHandler@3744bc]
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid containing 0 values
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute mail for principal <USERNAME>
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute mail containing 0 values
13:43:54.730 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute transientId for principal <USERNAME>

[Chad La Joie]

So, the LDAP didn't return attributes for that user. So either your
configuration is wrong or the LDAP really doesn't have attributes for
that user.

--

Chad La Joie
www.itumi.biz
trusted identities, delivered

[Ashok Kumar]

What's the value of USERNAME? I mean USERNAME should have enough privileges to get the value of $requestContext.principalName. Its kind of service account for LDAP. You may try with cn="Directory Manager" if you have the option.

Do you see the value of $requestContext.principalName in logs? Its the name of the user who is supposed to be authenticated.

I see there is no value coming for uid from LDAP in the logs which is $requestContext.principalName.

Thanks,
-Ashok

[Pavan K]

Thank you Ashok and Chad. It was LDAP configruation issue. I gave the wrong filter parameter. It is working fine now.

I have one more question, while configuring the LDAP connector we are forced to specify the "filterParameter". That is forcing us to get the attributes of a particular user. But is there any way to get the attributes of all the users that are present in LDAP hierarchy?

Thank you,
Naresh

[Ashok Kumar]

Hmm... If you are trying to find all the users along with all their attributes & values, then you may try filter uid=* in data connector. I have not used before from IdP but using ldapsearch on LDAP, it will give you all the entries requested on a specific basedn.

What are you trying to achieve out of it?

-Ashok Kumar
CSUEB
Email: ashok...@csueastbay.edu
Phone: 510-885-2141

[Chad La Joie]

Thats just going to cause an exception. The attribute resolver is
designed to provide information for a single user.

--

Chad La Joie
www.itumi.biz
trusted identities, delivered

[Pavan K]

Thank you Ashok.

I want to populate all the users from LDAP for a given basedn in my application.

I tried to use "*" for filter but it did not work. It is throwing "size limit exceeded" exception.

javax.naming.SizeLimitExceededException: [LDAP: error code 4 - Sizelimit Exceeded]
    at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source) ~[na:1.6.0_06]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.6.0_06]
    at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source) ~[na:1.6.0_06]

[Chad La Joie]

Yep, that's what you should expect.

--

Chad La Joie
www.itumi.biz
trusted identities, delivered

[Ashok Kumar]

On Tue, Aug 16, 2011 at 2:54 PM, Pavan K <pavanon...@gmail.com> wrote:

Thank you Ashok.

I want to populate all the users from LDAP for a given basedn in my application.

I would suggest to take a ldif dump from LDAP for a given basedn and dump in your application database.
 

[Pavan K]

I don't want to deal with the database dump. I cannot do that in customer environment. Is there any possibility in Shibboleth IDP?

Thank you,
Naresh

[Chad La Joie]

No. The IdP is not a provisioning system.

--

Chad La Joie
www.itumi.biz
trusted identities, delivered

[Pavan K]

Thank you Chad.

[Russell J Yount]

Is there a way to configure the service provider to present the raw IDP provided SAML assertion in the environment or HTTP headers? I am using the term raw to mean complete with signature and encryption.

 

-Russ

 

[Cantor, Scott]

On 8/17/11 12:00 PM, "Russell J Yount" <r...@cmu.edu> wrote:

>Is there a way to configure the service provider to present the raw IDP
>provided SAML assertion in the environment or HTTP headers?

https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPAssertionExpor
t

> I am using the term raw
> to mean complete with signature and encryption.

If it were still encrypted, you wouldn't be able to do anything with it.

-- Scott