problem resolving recursive group memberships in AD

problem resolving recursive group memberships in AD

Guenther, Dean R.

I’ve been working with Vladimir Mencl’s documentation for resolving recursive group memberships from Active Directory.

https://wiki.shibboleth.net/confluence/display/SHIB2/ResolverScriptAttributeDefinitionExamples

It seems straightforward. I’m not getting an error, but I’m also not getting any groups returned. “mergeResults” has been deprecated in shib v3 so I’ve omitted that. Here is what I have. Any ideas what the problem is with my definitions?

thanks – dean

<!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
<AttributeDefinition id="distinguishedName" xsi:type="Simple"
         sourceAttributeID="distinguishedName">
    <Dependency ref="myLDAP"/>
    <!-- no encoder needed -->
</AttributeDefinition>

<!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute -->
<DataConnector id="groupLDAP" xsi:type="LDAPDirectory" useStartTLS="%{idp.authn.LDAP.useStartTLS}"
                 ldapURL="%{idp.authn.LDAP.ldapURL}" baseDN="%{idp.authn.LDAP.baseDN}"
                 principal="%{idp.authn.LDAP.bindDN}" principalCredential="%{idp.authn.LDAP.bindDNCredential}"
                 maxResultSize="1000"
                 searchTimeLimit="PT10.000S">
    <Dependency ref="distinguishedName" />
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
        ]]>
    </FilterTemplate>
    <ReturnAttributes>distinguishedName</ReturnAttributes>
    <LDAPProperty name="java.naming.referral" value="follow"/>
</DataConnector>

<!-- define the memberOf attribute based on the distinguishedName attribute returned by the groupLDAP connector - names of all groups the user is in -->
<AttributeDefinition id="memberOf" xsi:type="Simple"
          sourceAttributeID="distinguishedName">
    <Dependency ref="groupLDAP" />
</AttributeDefinition>

<AttributeDefinition xsi:type="ScriptedAttribute" id="ITSTechPro">
    <Dependency ref="memberOf"/>
    <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:ITSTechPro"/>
    <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.15733.1.4.8" friendlyName="ITSTechPro"/>
    <Script><![CDATA[
        if (typeof memberOf != "undefined" && memberOf != null) {
            for (i = 0; memberOf != null && i < memberOf.getValues().size(); i++) {
                value = memberOf.getValues().get(i).toLowerCase();
                if (value.contains("its_techpro")) {
                    ITSTechPro.getValues().add("member");
                }
            }
        }
    ]]></Script>
</AttributeDefinition>

Dean Guenther                          [hidden email]
Washington State University    Phone:    509 335-0433
Pullman, WA. 99164-1222        fax:      509 335-0540
Identity and Access Management Manager


--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
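As an added example (not code from the thread or from the Shibboleth IdP), the following stand-alone Python models what the groupLDAP connector and the ITSTechPro script above do, against a constructed in-memory directory instead of a live AD, and adds the RFC 4515 escaping that the raw `${distinguishedName.get(0)}` interpolation would need for a DN containing filter metacharacters. All group names, DNs and function names are assumptions made for the example.

```python
from collections import deque

# Constructed sample directory (not real data): group DN -> member DNs.
# Note the nesting chain Net_Team -> ITS_Staff -> ITS_TechPro and the
# deliberate cycle (Net_Team is itself a member of ITS_TechPro).
GROUPS = {
    "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu": ["CN=ITS_Staff,OU=Groups,DC=example,DC=edu"],
    "CN=ITS_Staff,OU=Groups,DC=example,DC=edu": ["CN=Net_Team,OU=Groups,DC=example,DC=edu"],
    "CN=Net_Team,OU=Groups,DC=example,DC=edu": [
        "CN=Doe\\, Jane (Sample),OU=People,DC=example,DC=edu",
        "CN=ITS_TechPro,OU=Groups,DC=example,DC=edu",
    ],
    "CN=Unrelated,OU=Groups,DC=example,DC=edu": ["CN=Someone Else,OU=People,DC=example,DC=edu"],
}
USER_DN = "CN=Doe\\, Jane (Sample),OU=People,DC=example,DC=edu"  # constructed user DN


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter.
    The FilterTemplate above interpolates the raw DN; a DN containing
    '(', ')', '*' or '\\' would otherwise produce an invalid filter."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\x00", "\\00"))


def member_in_chain_filter(user_dn: str) -> str:
    """The filter the groupLDAP connector sends to AD; 1.2.840.113556.1.4.1941
    is LDAP_MATCHING_RULE_IN_CHAIN, so AD walks nested groups server-side."""
    return f"(member:1.2.840.113556.1.4.1941:={escape_filter_value(user_dn)})"


def transitive_groups(user_dn: str, groups=GROUPS) -> list:
    """Model of what that matching rule evaluates: every group holding
    user_dn directly or through nested groups, with cycle protection."""
    found, seen, queue = [], {user_dn}, deque([user_dn])
    while queue:
        dn = queue.popleft()
        for group_dn, members in groups.items():
            if dn in members and group_dn not in seen:
                seen.add(group_dn)
                found.append(group_dn)
                queue.append(group_dn)
    return sorted(found)


def its_techpro(member_of: list) -> list:
    """Mirror of the ITSTechPro script: one 'member' value per group DN
    that contains 'its_techpro' (case-insensitive), nothing otherwise."""
    return ["member" for dn in member_of if "its_techpro" in dn.lower()]
```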

Re: problem resolving recursive group memberships in AD

Rosenfeld, Waldemar (extern)

Maybe it’s the source attribute from isMemberOf. That’s my working configuration in the attribute resolver:

    <AttributeDefinition xsi:type="Simple" id="distinguishedName" sourceAttributeID="distinguishedName">
        <Dependency ref="AD" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.1466.115.121.1.12" friendlyName="distinguishedName" />
    </AttributeDefinition>

    <AttributeDefinition xsi:type="Simple" id="isMemberOf" sourceAttributeID="cn">
        <Dependency ref="ADGroup" />
        <AttributeEncoder xsi:type="SAML1String" name="urn:oid:1.3.6.1.4.1.20462.5.1.9" />
        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.20462.5.1.9" friendlyName="isMemberOf" />
    </AttributeDefinition>

    <DataConnector id="ADGroup" xsi:type="LDAPDirectory"
        ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
        baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
        principal="%{idp.attribute.resolver.LDAP.bindDN}"
        principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
        useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
        connectTimeout="%{idp.attribute.resolver.LDAP.connectTimeout}"
        trustFile="%{idp.attribute.resolver.LDAP.trustCertificates}"
        responseTimeout="PT30S"
        maxResultSize="1000">
        <Dependency ref="distinguishedName"/>
        <Dependency ref="ADGV" />
        <FilterTemplate>
            <![CDATA[
                (member:1.2.840.113556.1.4.1941:=$distinguishedName.get(0))
            ]]>
        </FilterTemplate>
        <ReturnAttributes>cn</ReturnAttributes>
        <LDAPProperty name="java.naming.referral" value="follow"/>
    </DataConnector>

From: users [mailto:[hidden email]] On behalf of Guenther, Dean R.
Sent: Monday, 9 July 2018 18:58
To: Shib Users <[hidden email]>
Subject: problem resolving recursive group memberships in AD
