[Shib-Users] providing ldap group names as an attribute


Liam Hoekenga

Jul 14, 2009, 4:38:37 PM
to shibbole...@internet2.edu
We use ldap groups for authorization. People can create new groups
and manage group membership easily.

I'd like to populate a multi-value attribute with names of the LDAP
groups that a user is a member of.

(&(objectclass=rfc822mailgroup)(member=uid=bjensen,ou=people,dc=umich,dc=edu))

The LDAP data connector seems aimed at returning the key/value pairs
for a single specific entry.

Would this be better handled by the scripted attribute definition, or
can the LDAP data connector do what I want?

Liam


Jim Fox

Jul 14, 2009, 4:51:47 PM
to shibbole...@internet2.edu

>
> The LDAP data connector seems aimed at returning the key/value pairs
> for a single specific entry.
>

You need to add the attributes:

maxResultSize="500"
mergeResults="true"


Jim


Liam Hoekenga

Jul 14, 2009, 4:59:25 PM
to shibbole...@internet2.edu, Jim Fox, shibbole...@internet2.edu

So something like this?

<resolver:DataConnector id="ldapGroups" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap.example.edu"
    baseDN="ou=People,dc=example,dc=edu"
    maxResultSize="500"
    mergeResults="true">
    <FilterTemplate>
        <![CDATA[
            (&(objectclass=rfc822mailgroup)(member=uid=$requestContext.principalName,ou=people,dc=example,dc=edu))
        ]]>
    </FilterTemplate>
    <ReturnAttributes>dn</ReturnAttributes>
</resolver:DataConnector>

Jim Fox

Jul 14, 2009, 5:02:54 PM
to Liam Hoekenga, shibbole...@internet2.edu

Yes, that works for me. The '500' was an example though.

Jim



Liam Hoekenga

Jul 14, 2009, 5:13:22 PM
to shibbole...@internet2.edu
Hm.

17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:765] - Search filter: (&(objectclass=rfc822mailgroup)(member=uid=liamr,ou=people,dc=umich,dc=edu))
17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:781] - Retrieving attributes from LDAP
17:07:49.111 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:316] - Resolved attribute umichGroups containing 0 values

I know that that ldap filter works - I can use it with ldapsearch on
the command line. It should work as a DataConnector?

Liam



Jim Fox

Jul 14, 2009, 5:19:22 PM
to shibbole...@internet2.edu

Something is wrong with the query. Is 'dn' an attribute on your ldap?

Jim


Brent Putman

Jul 14, 2009, 5:26:48 PM
to shibbole...@internet2.edu
I think this came up in a thread a while back, but: the current LDAP
data connector doesn't provide access to the actual DN of the returned
object(s). If you need to use the DN as the group identifier within the
resolver, and your LDAP server supports the 'entryDN' operational
attribute, then you could use that as the resolver attribute that holds
the group identifier. Otherwise, you could use another attribute of the
LDAP group objects as the group identifier/name, such as the 'cn'
attribute. That assumes of course that your group cn attribute data
both exists and contains unique names.

Liam Hoekenga

Jul 14, 2009, 6:10:30 PM
to shibbole...@internet2.edu, Jim Fox, shibbole...@internet2.edu
The query works in other environments. :\

This works from the command line...

ldapsearch
'(&(objectclass=rfc822mailgroup)(member=uid=liamr,ou=people,dc=umich,dc=edu))'

This works from php...

// Escape the authenticated username before interpolating it into the filter
// (ldap_escape() needs PHP 5.6+; on older PHP apply RFC 4515 escaping by hand).
$uid = ldap_escape( $_SERVER[ 'REMOTE_USER' ], '', LDAP_ESCAPE_FILTER );
$result = ldap_search( $ldapconn, 'dc=umich,dc=edu',
'(&(objectclass=rfc822mailgroup)(member=uid=' . $uid . ',ou=people,dc=umich,dc=edu))' );
$results = ldap_get_entries( $ldapconn, $result );
// ldap_get_entries() stores the hit count in $results['count']; iterate by
// index so the count element is not mistaken for an entry.
for( $i = 0; $i < $results['count']; $i++ ) {
    $entry = $results[ $i ];
    print( $entry['cn'][ 0 ] . ": " . $entry['dn'] . "\n" );
}


'cn' and 'dn' are attributes in our schema. If I don't do a...

<ReturnAttributes>cn</ReturnAttributes>

...shouldn't I see something like I do for other ldap data connectors
(where it finds all of the attributes that match that filter)? e.g.

Resolving data connector umod for principal liamr
- Search filter: (uid=liamr)
- Retrieving attributes from LDAP
- Found the following attribute: uid=[liamr]
...

Liam



Paul B. Hill

Jul 14, 2009, 6:27:39 PM
to shibbole...@internet2.edu
Hi,

I don't mean to derail the conversation, but has any effort been put
into determining which group memberships should be disclosed to which
servers?

Since you mention that people can create new groups and manage the
membership, suppose that someone creates a group for employees to
collaborate regarding unionizing a particular coalition of employees.
Would it be appropriate to disclose a user's membership in the group to
a web site in the Human Resources department?

Paul

Jim Fox

Jul 14, 2009, 6:52:05 PM
to Liam Hoekenga, shibbole...@internet2.edu

Well, it ought to work. You should see logs like:

... Found the following attribute: dn=[some_group_dn]
...

You might look at the log on your ldap service.

FWIW, I always code the query with:

${requestContext.principalName}

(the variable in braces); I don't know if it matters here though.

Jim



Liam Hoekenga

Jul 14, 2009, 9:03:13 PM
to Jim Fox, shibbole...@internet2.edu
I'm going to point it at a test LDAP server tomorrow, where I can see
the logs.

Could it be the inability to access the returned DNs that Brent mentioned?

Liam



Liam Hoekenga

Jul 14, 2009, 9:36:00 PM
to shibbole...@internet2.edu

> I don't mean to derail the conversation, but has any effort been put
> into determining which group memberships should be disclosed to
> which servers?

That's an excellent point.

I can only speak to UMICH... In our current OpenLDAP environment,
group membership isn't only available to shib, it's available to
anything that can speak LDAP (and bind anonymously).

If users decide that group membership is a privacy issue, groups /can/
be marked "private", and their existence and membership will only be
available to the owners and members of said group (users will have to
be bound as themselves to access that information). Admittedly, there
is a user education issue there - people may not realize that that
information is available to any and all.

Liam
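On Paul's question of which servers should see which groups: in the IdP 2.x resolver/filter split, the resolver builds the full umichGroups value list and attribute-filter.xml decides what each SP receives, with anything not explicitly permitted withheld. The policy below is an added example, not configuration posted in this thread; the SP entityID, the umichGroups attribute id and the "hr-" naming convention are assumptions.

```xml
<!-- Added example (not from the thread). Releases umichGroups only to one
     named SP, and only the group names that SP has a business need for.
     Assumptions: the resolver attribute is called umichGroups, the SP's
     entityID is https://hr.example.edu/shibboleth, and groups intended for
     HR systems are named with an "hr-" prefix. -->
<afp:AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
    xmlns="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:basic="urn:mace:shibboleth:2.0:afp:mf:basic"
    xmlns:afp="urn:mace:shibboleth:2.0:afp"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">

    <afp:AttributeFilterPolicy id="releaseHrGroupsToHrPortal">
        <!-- Applies to exactly one requester, matched on its entityID. -->
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
            value="https://hr.example.edu/shibboleth" />

        <afp:AttributeRule attributeID="umichGroups">
            <!-- Permit only values matching the agreed naming convention.
                 Every other group name (including any user-created group)
                 is dropped before the assertion is built; with no
                 AttributeRule at all, nothing from umichGroups is released. -->
            <afp:PermitValueRule xsi:type="basic:AttributeValueRegex"
                regex="^hr-[a-z0-9-]+$" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>

</afp:AttributeFilterPolicyGroup>
```

Because the filter is default-deny, an SP with no matching policy sees no group names at all, which is the safe answer to Paul's HR scenario.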

Liam Hoekenga

Jul 14, 2009, 9:49:13 PM
to shibbole...@internet2.edu
I'm an idiot.

My baseDN was limiting my search to the part of the directory that
only contains "People" entries.

*sigh*

thanks for your help. Works great.

Liam


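Putting the thread's conclusions together, as an added example (not configuration posted by anyone in the thread): baseDN widened to the directory root so that group entries outside ou=People are in scope, cn returned instead of dn as Brent suggests, Jim's ${...} variable form, and the attribute definition that exposes the result as umichGroups. The service-account DN, the read-only bind, the cn uniqueness and the isMemberOf encoding are assumptions.

```xml
<!-- Added example (not the thread's configuration): the group connector
     with the fixes the thread arrived at, plus the attribute definition
     that turns matched group entries into one multi-valued attribute.
     Assumptions: the IdP binds as a read-only service account and cn is
     unique per group. -->
<resolver:DataConnector id="ldapGroups" xsi:type="LDAPDirectory"
    xmlns="urn:mace:shibboleth:2.0:resolver:dc"
    ldapURL="ldap://ldap.example.edu"
    baseDN="dc=example,dc=edu"
    principal="uid=idp-svc,ou=Services,dc=example,dc=edu"
    principalCredential="REPLACE_WITH_SERVICE_PASSWORD"
    maxResultSize="500"
    mergeResults="true">
    <!-- baseDN is the directory root so group entries outside ou=People are
         within the (default subtree) search; the earlier baseDN of
         ou=People,... is why the resolver logged 0 values. maxResultSize caps
         how many group entries are read; 500 was Jim's example, not a rule. -->
    <FilterTemplate>
        <![CDATA[
            (&(objectClass=rfc822mailgroup)(member=uid=${requestContext.principalName},ou=People,dc=example,dc=edu))
        ]]>
    </FilterTemplate>
    <!-- dn is not an attribute the connector returns (Brent's point); ask for
         cn, or for entryDN if the server exposes that operational attribute. -->
    <ReturnAttributes>cn</ReturnAttributes>
</resolver:DataConnector>

<!-- One value per matching group: with mergeResults="true" the cn of every
     returned entry is merged into this single attribute. -->
<resolver:AttributeDefinition id="umichGroups" xsi:type="Simple"
    xmlns="urn:mace:shibboleth:2.0:resolver:ad"
    sourceAttributeID="cn">
    <resolver:Dependency ref="ldapGroups" />
    <!-- Encoded as eduMember isMemberOf; the filter policy, not the
         resolver, decides which SPs receive which of these values. -->
    <resolver:AttributeEncoder xsi:type="SAML2String"
        xmlns="urn:mace:shibboleth:2.0:attribute:encoder"
        name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" friendlyName="isMemberOf" />
</resolver:AttributeDefinition>
```

Before relying on it, confirm in the IdP resolver debug log that the connector reports "Found the following attribute: cn=[...]" rather than "containing 0 values", and that the LDAP server's access log shows the bind DN searching from the widened base.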
