Simplifying LDAP group attribute with AttributeAlter


John Rodkey

Aug 29, 2012, 8:29:40 PM
to simple...@googlegroups.com
I want to return a simple list of groups, but the ldap groupMembership is in the form
cn=groupname,ou=Groups,o=mydomain

I would prefer to simply return 'groupname' .

After looking through the AuthProc and AttributeAlter documentation, I have added this authproc designation to the saml2-sp-remote metadata file within the array associated with the SP:

  'authproc.sp' => array(
        10 => array(
            'class' => 'core:AttributeAlter',
            'subject' => 'groupMembership',
            'pattern' => '/ou=Groups,o=mydomain/',
            'replacement' => '',
        ),
        20 => array(
            'class' => 'core:AttributeAlter',
            'subject' => 'groupMembership',
            'pattern' => '/cn=/',
            'replacement' => '',
        ),
  ),

However, there is no change in the output of the groupMembership attribute.
What am I missing?

John Rodkey
Director of Servers and Networks
Westmont College

Dick Visser

Aug 30, 2012, 5:21:44 AM
to simple...@googlegroups.com
To rule out any ordering issues, does AttributeAlter work on other attributes?

Dick

--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

Dick Visser

Aug 30, 2012, 11:18:13 AM
to simple...@googlegroups.com
On 30 August 2012 02:29, John Rodkey <rod...@westmont.edu> wrote:

> However, there is no change in the output of the groupMembership attribute.
> What am I missing?

I just checked and it does work on multivalued attributes.
I did have trouble finding the correct subject name.
This is not necessarily the same as the string that is displayed on the
web page when you do a test auth.
Might this be the case?

John Rodkey

Aug 30, 2012, 11:59:31 AM
to simple...@googlegroups.com
Thanks for your response, Dick.
Here's the line I use to specify the attributes:
  'attributes' => array('givenName','sn','mail','groupMembership'),
From this I assume groupMembership is what should be in the 'subject'.
I wonder about the 
authproc.sp vs. authproc.idp 

I moved the attributeAlter stanzas from saml2-sp-remote.php to
config.php with no change, but when I renamed it to authproc.idp, I got an error message from SSP:

 SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
Backtrace:
0 /srv/www/vhosts/box/www/module.php:180 (N/A)
Caused by: Exception: 'replacement' must be set if '%replace' is not set
Backtrace:
7 /srv/www/vhosts/box/modules/core/lib/Auth/Process/AttributeAlter.php:108 (sspmod_core_Auth_Process_AttributeAlter::process)
6 /srv/www/vhosts/box/lib/SimpleSAML/Auth/ProcessingChain.php:195 (SimpleSAML_Auth_ProcessingChain::processState)
5 /srv/www/vhosts/box/lib/SimpleSAML/IdP.php:310 (SimpleSAML_IdP::postAuth)
4 /srv/www/vhosts/box/lib/SimpleSAML/Auth/Default.php:126 (SimpleSAML_Auth_Default::loginCompleted)
3 /srv/www/vhosts/box/lib/SimpleSAML/Auth/Source.php:120 (SimpleSAML_Auth_Source::completeAuth)
2 /srv/www/vhosts/box/modules/core/lib/Auth/UserPassBase.php:190 (sspmod_core_Auth_UserPassBase::handleLogin)
1 /srv/www/vhosts/box/modules/core/www/loginuserpass.php:48 (require)
0 /srv/www/vhosts/box/www/module.php:135 (N/A)

Must the replacement variable be a string of nonzero length?

John

Dick Visser

Aug 31, 2012, 3:43:26 AM
to simple...@googlegroups.com
On 30 August 2012 17:59, John Rodkey <rod...@westmont.edu> wrote:

> I moved the attributeAlter stanzas from saml2-sp-remote.php to
> config.php with no change, but when I renamed it to authproc.idp, I got an
> error message from SSP:
>
> SimpleSAML_Error_Error: UNHANDLEDEXCEPTION
>
> Backtrace:
> 0 /srv/www/vhosts/box/www/module.php:180 (N/A)
> Caused by: Exception: 'replacement' must be set if '%replace' is not set
[...]
> Must the replacement variable be a string of nonzero length?

Yes, so this won't work.
Basically you're trying to delete text by replacing it with '' in two
separate AttributeAlter statements.
A better and more elegant approach is to match the stuff you want, and
then use a reference (backslash) for the replacement.
Assuming your group names are made up of alphanumeric characters:


10 => array(
'class' => 'core:AttributeAlter',
'subject' => groupMembership',
'pattern' => '/^cn=(\w+),ou=Groups,o=mydomain$/',
'replacement' => '\\1',
),


Dick

Dick Visser

Aug 31, 2012, 3:45:17 AM
to simple...@googlegroups.com
On 31 August 2012 09:43, Dick Visser <vis...@terena.org> wrote:
> 10 => array(
> 'class' => 'core:AttributeAlter',
> 'subject' => groupMembership',
> 'pattern' => '/^cn=(\w+),ou=Groups,o=mydomain$/',
> 'replacement' => '\\1',
> ),

with proper quotes:

10 => array(
'class' => 'core:AttributeAlter',
'subject' => 'groupMembership',
'pattern' => '/^cn=(\w+),ou=Groups,o=mydomain$/',
'replacement' => '\\1',
),


John Rodkey

Aug 31, 2012, 6:30:53 PM
to simple...@googlegroups.com
Perfect, except there's an extra backslash in the replacement.
Oh, and I put it in as authproc.idp and put it in config.php.

Thank you for your very targeted help, Dick.  Much obliged.

John

Valdemar Lemche

Jan 10, 2015, 5:40:39 PM
to simple...@googlegroups.com, rod...@westmont.edu
Hi

I'm trying the suggested solution. However, my "groups" attribute is a multi-value attribute, and only one of the values is altered.

Does anyone have an idea how to solve this?

Peter Schober

Jan 11, 2015, 5:45:20 AM
to simple...@googlegroups.com
* Valdemar Lemche <vald...@lemche.net> [2015-01-10 23:40]:
> I'm trying the suggested solution. However, my "groups" attribute
> is a multi-value attribute, and only one of the values is altered.

If the AttributeAlter indeed doesn't work with multiple attribute
values (I don't know whether that's the case) someone should probably
fix that. (Pull requests always welcome!)
Alternatively, you can always use the core:PHP filter to write your
own version.

@SimpleSAMLphp folks: Somewhat unrelated but is it necessary/wise to
document filters that create attribute values with the empty string or
a NULL value?
Cf. the last two examples in
https://simplesamlphp.org/docs/stable/core:authproc_attributealter
No idea how null values would be encoded in a SAML assertion but in
both cases (empty string, null value) no attribute should be sent
instead, for which the %remove parameter already exists.
-peter

Peter Schober

Jan 11, 2015, 5:48:55 AM
to simple...@googlegroups.com
* Peter Schober <peter....@univie.ac.at> [2015-01-11 11:45]:
> * Valdemar Lemche <vald...@lemche.net> [2015-01-10 23:40]:
> > I'm trying the suggested solution. However, my "groups" attribute
> > is a multi-value attribute, and only one of the values is altered.
>
> If the AttributeAlter indeed doesn't work with multiple attribute
> values (I don't know whether that's the case) someone should probably
> fix that.

Note that back in 2012, when the thread you replied to was current,
Dick already wrote this:

* Dick Visser <vis...@terena.org> [2012-08-30 17:18]:
> I just checked and it does work on multivalued attributes.

So maybe your filter is off, or the data doesn't match what you
expect it to be?
-peter

Valdemar Lemche

Jan 11, 2015, 10:20:29 AM
to simple...@googlegroups.com, peter....@univie.ac.at
My group DSEs are all in the same OU, and it only catches one value in the array.

I'm using IBM SDS with the nested group attribute, ibm-allGroups:

$ ldapsearch -x "(uid=dilbert)" ibm-allGroups
# extended LDIF
#
# LDAPv3
# base <o=EXAMPLE> (default) with scope subtree
# filter: (uid=dilbert)
# requesting: ibm-allGroups 
#

# dilbert, Pointless Performance, users, EXAMPLE
dn: uid=dilbert,ou=Pointless Performance,ou=users,O=EXAMPLE
ibm-allGroups: cn=wcmadmins,ou=groups,o=EXAMPLE
ibm-allGroups: cn=lcadmins,ou=groups,O=EXAMPLE
ibm-allGroups: cn=IT Staff,ou=groups,O=EXAMPLE

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

And the entries in the authproc.idp array in config/config.php are as follows:
        70 => array(
             'class' => 'ldap:AttributeAddFromLDAP',
             'authsource' => 'ldap.example.com',
             'attributes' => array('ibm-allGroups' => 'ibm-allGroups'),
             'attribute.policy' => 'add',
             'search.filter' => '(uid=%uid%)',
        ),
        80 => array(
            'class' => 'ldap:AttributeAddUsersGroups',
            'authsource' => 'ldap.example.com',
            'ldap.product' => '',
            'attribute.dn' => 'distinguishedName',
            'attribute.groups' => 'groups',
            'attribute.member' => 'member',
            'attribute.memberof' => 'ibm-allGroups',
            'attribute.groupname' => 'cn',
            'attribute.type' => 'objectClass',
            'attribute.username' => 'uid',
            'type.group' => 'groupOfNames',
            'type.user' => 'inetOrgPerson',
        ),
        81 => array(
            'class' => 'core:AttributeAlter',
            'pattern' => '/^cn=(\w+),ou=groups,O=EXAMPLE$/',
            'replacement' => '\\1',
            'subject' => 'groups',
        ),

But the result looks like this:

ibm-allGroups
  • cn=wcmadmins,ou=groups,o=EXAMPLE
  • cn=lcadmins,ou=groups,O=EXAMPLE
  • cn=IT Staff,ou=groups,O=EXAMPLE
groups
  • cn=wcmadmins,ou=groups,o=EXAMPLE
  • lcadmins
  • cn=IT Staff,ou=groups,O=EXAMPLE

Dick Visser

Jan 14, 2015, 2:40:38 AM
to simplesamlphp, Peter Schober
On 11 January 2015 at 16:20, Valdemar Lemche <vald...@lemche.net> wrote:
> My group DSEs are all in the same OU, and it only catches one value in the array.

That's expected behavior, see below.


> But the result looks like this:
>
> ibm-allGroups
>   • cn=wcmadmins,ou=groups,o=EXAMPLE
>   • cn=lcadmins,ou=groups,O=EXAMPLE
>   • cn=IT Staff,ou=groups,O=EXAMPLE
> groups
>   • cn=wcmadmins,ou=groups,o=EXAMPLE
>   • lcadmins
>   • cn=IT Staff,ou=groups,O=EXAMPLE



Your regex is:

'/^cn=(\w+),ou=groups,O=EXAMPLE$/'

This won't match the first entry because that has a lower case 'o' in 'o=EXAMPLE'.
It also won't match the third entry because "IT Staff" isn't made up of only word characters - it contains a space.

So probably adjust your regex a bit and things will be fine.


Dick








--
Dick Visser
Sr. System & Networking Engineer
GÉANT Association, Amsterdam Office (formerly TERENA)
Singel 468D, 1017 AW Amsterdam, the Netherlands
Tel: +31 (0) 20 530 4488

GÉANT Association
Networking. Services. People.

Learn more at: http://www.géant.org

Valdemar Lemche

Jan 14, 2015, 10:59:27 AM
to simple...@googlegroups.com, rod...@westmont.edu
Oh of course! 

Thank you

n.mcl...@imperial.ac.uk

Sep 3, 2015, 12:42:53 PM
to simpleSAMLphp, rod...@westmont.edu
You may prefer this if working with Active Directory:


'pattern' => '/^CN=(\X*?),OU=(\X+)/',

'replacement' => '\\1',

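The following is an added example, not code from the thread or from SimpleSAMLphp itself. It is a small stand-in for what core:AttributeAlter does to a multi-valued attribute, so that Dick's backreference pattern from 2012 and his Jan 2015 diagnosis (lower-case 'o' and the space in "IT Staff") can be tried offline with plain preg_replace. The only assumption is that the filter applies the pattern/replacement pair to every value of the subject attribute, as Dick confirmed above; the sample values are taken from the ldapsearch output earlier in the thread.

```php
<?php
// Added example, not SimpleSAMLphp's own code. alterAttribute() is a
// hypothetical stand-in for core:AttributeAlter: the assumption is that
// the filter runs pattern/replacement over every value of the subject
// attribute, as confirmed earlier in the thread for multivalued attributes.
function alterAttribute(array $values, string $pattern, string $replacement): array
{
    $out = [];
    foreach ($values as $value) {
        // preg_replace returns the value unchanged when the pattern does not
        // match; that is the "only one value altered" symptom in the thread.
        $out[] = preg_replace($pattern, $replacement, $value);
    }
    return $out;
}

// Constructed sample: the three ibm-allGroups values shown in the ldapsearch
// output above (lower-case 'o=' in the first, a space in the third).
$groups = [
    'cn=wcmadmins,ou=groups,o=EXAMPLE',
    'cn=lcadmins,ou=groups,O=EXAMPLE',
    'cn=IT Staff,ou=groups,O=EXAMPLE',
];

// Pattern as posted: case-sensitive, and \w+ cannot match a space,
// so only the second value is reduced to its cn.
$strict = alterAttribute($groups, '/^cn=(\w+),ou=groups,O=EXAMPLE$/', '\\1');
// => cn=wcmadmins,ou=groups,o=EXAMPLE | lcadmins | cn=IT Staff,ou=groups,O=EXAMPLE

// Adjusted pattern: /i makes the match case-insensitive and [^,]+ accepts any
// characters up to the next RDN separator. The ^ and $ anchors are kept on
// purpose: only DNs directly under ou=groups,o=EXAMPLE are reduced to a bare
// name, so a group with the same cn elsewhere in the tree keeps its full DN
// and cannot be mistaken for one of these after the rewrite.
$relaxed = alterAttribute($groups, '/^cn=([^,]+),ou=groups,o=EXAMPLE$/i', '\\1');
// => wcmadmins | lcadmins | IT Staff

foreach ([$strict, $relaxed] as $result) {
    echo implode(' | ', $result), PHP_EOL;
}
```

The replacement string is written as '\\1' because inside PHP single quotes `\\` becomes a single backslash, which gives preg_replace the `\1` backreference it expects. One caveat worth knowing before relying on `[^,]+`: an LDAP DN may contain an escaped comma (`\,`) inside an RDN value, and such a cn would not be matched by this pattern, so the value would pass through unchanged rather than being mis-rewritten.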
