I'd like to populate a multi-value attribute with names of the LDAP
groups that a user is a member of.
(&(objectclass=rfc822mailgroup)(member=uid=bjensen,ou=people,dc=umich,dc=edu))
The LDAP data connector seems aimed at returning the key/value pairs
for a single specific entry.
Would this be better handled by the scripted attribute definition, or
can the LDAP data connector do what I want?
Liam
You need to add the attributes:
maxResultSize="500"
mergeResults="true"
Jim
So something like.. ?
<resolver:DataConnector id="ldapGroups" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap.example.edu"
    baseDN="ou=People,dc=example,dc=edu"
    maxResultSize="500"
    mergeResults="true">
  <FilterTemplate>
    <![CDATA[
      (&(objectclass=rfc822mailgroup)(member=uid=$requestContext.principalName,ou=people,dc=example,dc=edu))
    ]]>
  </FilterTemplate>
  <ReturnAttributes>dn</ReturnAttributes>
</resolver:DataConnector>
Jim
On Tue, 14 Jul 2009, Liam Hoekenga wrote:
17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:765] - Search filter: (&(objectclass=rfc822mailgroup)(member=uid=liamr,ou=people,dc=umich,dc=edu))
17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:781] - Retrieving attributes from LDAP
17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:316] - Resolved attribute umichGroups containing 0 values
I know that that ldap filter works - I can use it with ldapsearch on
the command line. It should work as a DataConnector?
Liam
Quoting Jim Fox <f...@washington.edu>:
Jim
On Tue, 14 Jul 2009, Liam Hoekenga wrote:
This works from the command line...
ldapsearch '(&(objectclass=rfc822mailgroup)(member=uid=liamr,ou=people,dc=umich,dc=edu))'
This works from php...
// Escape the user name so it cannot alter the filter syntax
// (ldap_escape() requires PHP >= 5.6).
$user = ldap_escape( $_SERVER[ 'REMOTE_USER' ], '', LDAP_ESCAPE_FILTER );
$result = ldap_search( $ldapconn, 'dc=umich,dc=edu',
    '(&(objectclass=rfc822mailgroup)(member=uid=' . $user
    . ',ou=people,dc=umich,dc=edu))' );
$results = ldap_get_entries( $ldapconn, $result );
// ldap_get_entries() stores the number of entries in $results['count'];
// iterate by index so that element is not treated as an entry.
for ( $i = 0; $i < $results['count']; $i++ ) {
    $entry = $results[ $i ];
    print( $entry['cn'][ 0 ] . ": " . $entry['dn'] . "\n" );
}
'cn' and 'dn' are attributes in our schema. If I don't do a...
<ReturnAttributes>cn</ReturnAttributes>
...shouldn't I see something like I do for other ldap data connectors
(where it finds all of the attributes that match that filter)? e.g.
Resolving data connector umod for principal liamr
- Search filter: (uid=liamr)
- Retrieving attributes from LDAP
- Found the following attribute: uid=[liamr]
...
Liam
Quoting Jim Fox <f...@washington.edu>:
>
> Something is wrong with the query. Is 'dn' an attribute on your ldap?
>
> Jim
>
> On Tue, 14 Jul 2009, Liam Hoekenga wrote:
I don't mean to derail the conversation, but has any effort been put
into determining which group memberships should be disclosed to which
servers?
Since you mention that people can create new groups and manage the
membership, suppose that someone creates a group for employees to
collaborate regarding unionizing a particular coalition of employees.
Would it be appropriate to disclose a user's membership in the group to
a web site in the Human Resources department?
Paul
Well, it ought to work. You should see logs like:
... Found the following attribute: dn=[some_group_dn]
...
You might look at the log on your ldap service.
FWIW, I always code the query with
${requestContext.principalName}
(the variable in braces); I don't know if it matters here, though.
Jim
On Tue, 14 Jul 2009, Liam Hoekenga wrote:
Could it be the inability to access the returned DNs that Brent mentioned?
Liam
Quoting Jim Fox <f...@washington.edu>:
That's an excellent point.
I can only speak to UMICH... In our current OpenLDAP environment,
group membership isn't only available to shib, it's available to
anything that can speak LDAP (and bind anonymously).
If users decide that group membership is a privacy issue, groups /can/
be marked "private", and their existence and membership will only be
available to the owners and members of said group (users will have to
be bound as themselves to access that information). Admittedly, there
is a user education issue there - people may not realize that that
information is available to any and all.
Liam
My baseDN was limiting my search to the part of the directory that
only contains "People" entries.
*sigh*
thanks for your help. Works great.
Liam
Quoting Liam Hoekenga <li...@umich.edu>:
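The pieces the thread ends up needing, assembled here as an added example rather than Liam's or Jim's posted config: the connector with a baseDN wide enough to include the group entries and Jim's braced ${requestContext.principalName}, a Simple attribute definition that turns the returned dn values into one multi-valued attribute, and, for Paul's question about which groups reach which servers, an attribute-filter policy that releases that attribute only to a named SP and only for values under the groups branch. The hostnames, the ou=groups branch, the exampleGroups id and the SP entityID are assumptions; the OID is the eduMember isMemberOf attribute.

```xml
<!-- attribute-resolver.xml (IdP 2.x): group DNs as a multi-valued attribute -->
<resolver:DataConnector id="ldapGroups" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap.example.edu"
    baseDN="dc=example,dc=edu"
    maxResultSize="500"
    mergeResults="true">
  <FilterTemplate>
    <![CDATA[
      (&(objectclass=rfc822mailgroup)(member=uid=${requestContext.principalName},ou=people,dc=example,dc=edu))
    ]]>
  </FilterTemplate>
  <!-- with mergeResults, every matching group contributes one dn value -->
  <ReturnAttributes>dn</ReturnAttributes>
</resolver:DataConnector>

<!-- assumed id; the dn values of the merged search become the attribute values -->
<resolver:AttributeDefinition id="exampleGroups" xsi:type="ad:Simple"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="dn">
  <resolver:Dependency ref="ldapGroups"/>
  <resolver:AttributeEncoder xsi:type="enc:SAML2String"
      xmlns:enc="urn:mace:shibboleth:2.0:attribute:encoder"
      name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf"/>
</resolver:AttributeDefinition>

<!-- attribute-filter.xml: nothing is released until a policy permits it,
     so group membership only reaches the SPs named here -->
<afp:AttributeFilterPolicy id="releaseGroupsToPortal"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <!-- assumed SP entityID -->
  <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
      value="https://portal.example.edu/shibboleth"/>
  <afp:AttributeRule attributeID="exampleGroups">
    <!-- only group DNs under the assumed ou=groups branch pass; a group
         elsewhere in the tree is dropped even though the search found it -->
    <afp:PermitValueRule xsi:type="basic:AttributeValueRegex"
        regex="^cn=[^,]+,ou=groups,dc=example,dc=edu$"/>
  </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```

Searching from the directory root is what makes the group entries visible to the connector; per-SP release in the filter policy is where the disclosure decision Paul raised actually gets made.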