get LDAP groups associated with user


abdel.ou...@gmail.com

Jul 3, 2017, 6:07:27 AM
to SimpleSAMLphp, abdel.o...@magellium.fr
Hello,
I have configured SimpleSAMLphp to use the LDAP of my company. The connection works well.
My current problem is that I would now like to retrieve the groups associated with each of my users.
What I would like is to have the group in an attribute of the list of my attributes.
The final goal is to use these groups for a role assignment in drupal.

Can you point me to a procedure to have the group in an attribute?

Tim van Dijen

Jul 3, 2017, 6:19:20 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com
Hi Abdel,

You can configure Processing Filters in metadata/saml20-idp-hosted.php to do so:
        // Get all nested groups
        5 => array(
            'class' => 'ldap:AttributeAddUsersGroups',
            'authsource' => 'AD-LDAP',
            'attribute.groups' => 'memberOf',
        ),
This will put all group memberships by their DistinguishedName in an attribute called 'memberOf'.
If you'd rather only use their CommonNames, you can further process it to strip off the excess data.

        6 => array(
            'class' => 'core:AttributeAlter',
            'subject' => 'memberOf',
            'pattern' => '/^CN=(.*?),.*/',
            'replacement' => '${1}',
        ),

You can read more about the processing filters here:
https://simplesamlphp.org/docs/stable/simplesamlphp-authproc
And here:
https://github.com/simplesamlphp/simplesamlphp/blob/master/modules/ldap/docs/ldap.md

- Tim

On Monday, 3 July 2017 12:07:27 UTC+2, abdel.ou...@gmail.com wrote:

abdel.ou...@gmail.com

Jul 3, 2017, 8:28:58 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com
Hi Tim,
Thank you for your answer.
Using the configuration as mentioned, the 'memberOf' attribute does not go up.
I test on 'Test configured authentication sources' and on another test page like this:
require_once('/var/simplesamlphp/lib/_autoload.php');
$as = new SimpleSAML_Auth_Simple('belem-ldap');
$as->requireAuth();
$attributes = $as->getAttributes();
print_r($attributes);


I subsequently rewrote the test by removing the parameters
metadata/saml20-idp-hosted.php to put them directly in the config/authsources.php in the table 'authproc.sp'

Always same result. With each test I make a flush of my memcache to be sure to start a new session.

Abdel

Tim van Dijen

Jul 3, 2017, 8:56:29 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com

Hi Abdel,
I should have mentioned that you need to add the memberOf-attribute to the ‘attributes’-array in your LDAP authsource.
If you don't do that, there is no input for the filters to process.

- Tim


On Monday, 3 July 2017 14:28:58 UTC+2, abdel.ou...@gmail.com wrote:
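Putting Tim's two replies together, here is what the complete configuration looks like: the LDAP authsource that actually requests the group attribute, and the hosted-IdP metadata carrying the two processing filters. This is an added example, not code from the thread or from the SimpleSAMLphp project; hostnames, base DNs, the bind account and the key/certificate names are placeholders, and the authsource name 'belem-ldap' is taken from the original poster's own test script.

```php
<?php
// Added example (not from the thread): the authsource and the authproc chain
// from Tim's replies, shown side by side. All directory details are placeholders.

// ---- config/authsources.php ----
$config = array(
    'belem-ldap' => array(
        'ldap:LDAP',
        'hostname'   => 'ldaps://ldap.example.invalid',                     // placeholder
        'enable_tls' => false,                                              // LDAPS already used above
        'dnpattern'  => 'uid=%username%,ou=people,dc=example,dc=invalid',   // placeholder

        // Attributes fetched for the authenticated user. If the group
        // attribute is not listed here the server is never asked for it,
        // and the filters below get an empty input (Tim's second reply).
        // 'attributes' => array('uid'),                 // too narrow: no groups arrive
        'attributes' => array('uid', 'memberOf'),        // request the groups as well
    ),
);

// ---- metadata/saml20-idp-hosted.php ----
$metadata['__DYNAMIC:1__'] = array(
    'host'        => '__DEFAULT__',
    'privatekey'  => 'server.pem',   // placeholder file names
    'certificate' => 'server.crt',
    'auth'        => 'belem-ldap',
    'authproc'    => array(
        // Resolve (nested) group membership into the memberOf attribute.
        5 => array(
            'class'            => 'ldap:AttributeAddUsersGroups',
            'authsource'       => 'belem-ldap',
            'attribute.groups' => 'memberOf',
        ),
        // Reduce each group DN to its CN. The /i flag is my addition: OpenLDAP
        // commonly returns lower-case "cn=" where Active Directory returns "CN=".
        // A CN containing an escaped comma (\,) is cut short by the lazy match,
        // so inspect the output before using it for role assignment.
        6 => array(
            'class'       => 'core:AttributeAlter',
            'subject'     => 'memberOf',
            'pattern'     => '/^cn=(.*?),.*/i',
            'replacement' => '${1}',
        ),
    ),
);
```

While debugging, setting 'attributes' to null makes the authsource fetch every (non-operational) attribute the directory returns for the user, which is the quickest way to see on the 'Test configured authentication sources' page which attribute, if any, carries the groups. Narrow the list back down once you know the name, so that only what the SP needs ends up in the assertion.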

abdel.ou...@gmail.com

Jul 3, 2017, 9:32:16 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com
I have the same result by adding the attribute memberOf. When I test with 2 attributes (uid and memberOf), I only have ui

Tim van Dijen

unread,
Jul 4, 2017, 4:34:30 AM7/4/17
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com
When using 'Test authentication sources' you should at least see the attributes the way they are received from your LDAP-source.
I may have wrongly assumed your LDAP backend is an MS Active Directory... Are you sure the attribute is called memberOf in the LDAP directory?

On Monday, 3 July 2017 15:32:16 UTC+2, abdel.ou...@gmail.com wrote:

abdel.ou...@gmail.com

Jul 4, 2017, 7:54:33 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com

I don't have the attribute memberOf in the LDAP directory

Tim van Dijen

Jul 4, 2017, 8:24:05 AM
to SimpleSAMLphp, abdel.o...@magellium.fr, abdel.ou...@gmail.com
Well, there are pointers in the documentation for using OpenLDAP... Have you tried that?

On Tuesday, 4 July 2017 13:54:33 UTC+2, abdel.ou...@gmail.com wrote:

Harsha Vardhan Bale

Oct 18, 2023, 3:41:50 PM
to SimpleSAMLphp
I don't have memberOf options in LDAP

Peter Brand

Oct 18, 2023, 3:51:02 PM
to simple...@googlegroups.com
Harsha Vardhan Bale <harshavard...@gmail.com> [2023-10-18 21:41 CEST]:
> I don't have memberOf options in LDAP

The same replies from 6 years ago still apply to your "question".

-peter

Thomas de Jesus

Oct 18, 2023, 5:42:40 PM
to SimpleSAMLphp
I saw this thread, and I'm confused. Your attribute could be called "bunnyToes"; it really doesn't matter. Find the attribute that contains your groups, add that to your authsource ldap.

Or am I way off base here? I think everyone gave you the proper answer.

Peter Brand

Oct 19, 2023, 6:53:36 AM
to simple...@googlegroups.com
Thomas de Jesus <trf...@gmail.com> [2023-10-18 23:42 CEST]:
> I saw this thread, and I'm confused. Your attribute could be called
> "bunnyToes" it really doesn't matter. find the attribute that contains your
> groups, add that to your authsource ldap.

The LDAP DSA (aka server) may not even have that attribute populated.
Or the OP's config does not explicitly ask for it (meaning it wouldn't
be sent by the LDAP server as it's a so-called "operational attribute"
that's managed by the LDAP server itself).
No technical details of any kind were provided, of course.
No example commands showing how e.g. ldapsearch does show the
attribute but SimpleSAMLphp doesn't.
etc.
-peter
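Peter's point above (and Tim's earlier remark that the test page shows attributes exactly as the LDAP source returns them) is that the question has to be settled at the directory, not in SimpleSAMLphp: is the group attribute populated, and is it sent when asked for by name? The script below is an added example, independent of SimpleSAMLphp and not part of the thread, that uses PHP's ext/ldap to ask the directory directly. The server URI, base DN, bind account and attribute name are placeholders to be replaced with the values from your authsource.

```php
<?php
// Added example (not from the thread): ask the directory itself for the group
// attribute of one user, requesting the attribute by name so that an
// operational attribute (e.g. memberOf from OpenLDAP's memberof overlay) is
// not silently omitted. All connection details are placeholders.

$uri       = 'ldaps://ldap.example.invalid';               // placeholder
$bindDn    = 'cn=readonly,dc=example,dc=invalid';          // placeholder read-only account
$bindPw    = getenv('LDAP_BIND_PASSWORD') ?: '';           // keep the secret out of the file
$base      = 'ou=people,dc=example,dc=invalid';            // placeholder
$user      = $argv[1] ?? 'someuser';                       // uid to inspect
$groupAttr = 'memberOf';                                   // or whatever your DSA actually uses

$conn = ldap_connect($uri);
if ($conn === false) {
    fwrite(STDERR, "could not initialise a connection to $uri\n");
    exit(1);
}
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
if (!@ldap_bind($conn, $bindDn, $bindPw)) {
    fwrite(STDERR, 'bind failed: ' . ldap_error($conn) . "\n");
    exit(1);
}

// Escape the user-supplied value so it cannot alter the search filter.
$filter = '(uid=' . ldap_escape($user, '', LDAP_ESCAPE_FILTER) . ')';

// Operational attributes are only returned when named explicitly; the default
// request for "all" attributes (*) leaves them out. This mirrors what listing
// the attribute in the authsource's 'attributes' array does.
$result  = ldap_search($conn, $base, $filter, array('uid', $groupAttr));
$entries = ldap_get_entries($conn, $result);

if ($entries['count'] !== 1) {
    fwrite(STDERR, "expected exactly one entry for $user, got {$entries['count']}\n");
    exit(1);
}

$entry = $entries[0];
$key   = strtolower($groupAttr);   // ldap_get_entries() lower-cases attribute names
if (!isset($entry[$key])) {
    echo "$groupAttr is not populated for $user.\n";
    echo "The directory does not provide it, so no SimpleSAMLphp filter can add it;\n";
    echo "fix the group setup on the server (or use the attribute it does provide).\n";
    exit(2);
}

echo "$groupAttr for $user:\n";
for ($i = 0; $i < $entry[$key]['count']; $i++) {
    echo '  ' . $entry[$key][$i] . "\n";   // one group DN per line
}
ldap_unbind($conn);
```

If this script prints the group DNs but the SimpleSAMLphp test page does not show them, the problem is in the authsource configuration (most likely the 'attributes' list); if the script reports the attribute as absent, the directory is where the work has to be done, and that is the kind of evidence Peter is asking the poster to supply.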