OBJECT scope search in LDAP/AD attribute resolver


OBJECT scope search in LDAP/AD attribute resolver

brabec
I have a running IdP 3.3.3 setup with an attribute resolver
data connector that uses LDAP to search Active Directory.
Attribute resolution is working fine where I'm doing something like

    baseDN = ou=People,dc=blah,...
    searchFilter = (cn=$requestContext.principalName)

The problem that I have is one of the attributes that I want
requires an OBJECT-scope search. In AD terms:
searchFlags: fBASEONLY - Specifies that the attribute is not to be
returned by search operations that are not scoped to a single object.

I've added the following to my DataConnector. The extra attribute that
I want is optional, so it needs to be explicitly requested.

    <ReturnAttributes>* msds-memberOfTransitive</ReturnAttributes>

1. This returns an AD error on the query because of fBASEONLY
    baseDN = ou=People,dc=blah,...
    searchFilter = (cn=$requestContext.principalName)
    searchScope="SUBTREE"

2. This does too
    baseDN = ou=People,dc=blah,...
    searchFilter = (cn=$requestContext.principalName)
    searchScope="ONELEVEL"

3. This returns 0 results
    baseDN = ou=People,dc=blah,...
    searchFilter = (cn=$requestContext.principalName)
    searchScope="OBJECT"

4. This works, because I've hard-coded my user into the baseDN:
    baseDN = cn=userid,ou=People,dc=blah,...
    searchFilter = (cn=*)
    searchScope="OBJECT"

It appears that I need to find a way to get the velocity variable
$requestContext.principalName into my baseDN before I can do this search
generally.

Has anyone tried this sort of query that they could share some examples?

Thanks,
Charles

--
Charles J. Brabec - [hidden email]      

All electronic mail messages in connection with State business which are
sent to or received by this account are subject to the NC Public Records Law
and may be disclosed to third parties.
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Re: OBJECT scope search in LDAP/AD attribute resolver

Cantor, Scott E.
On 8/24/18, 9:08 AM, "users on behalf of [hidden email]" <[hidden email] on behalf of [hidden email]> wrote:

> Has anyone tried this sort of query that they could share some examples?

The baseDN isn't a template, as far as I'm aware, so I doubt this is possible as is. The search filter is the templated part.

-- Scott


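Given that the baseDN is not templated, the practical route is two searches: a SUBTREE search under the people container that only needs to return the user's DN, then a BASE-scoped search against that DN with msds-memberOfTransitive named explicitly in the returned attributes. The Python below is an added example, not code from this thread or from the Shibboleth IdP. FakeDirectory is a constructed in-memory stand-in that mimics the four outcomes Charles reports (error on SUBTREE and ONELEVEL, zero results for OBJECT scope at the OU, success for OBJECT scope at the user's own DN); its entries, the container ou=People,dc=example,dc=org, the principal jdoe and the error text are all assumptions. The security-relevant points it shows: the principal name is RFC 4515-escaped before it enters the filter, and the DN used for the second search is the one the directory returned, not one concatenated from user input.

```python
"""
Two-step lookup for an AD attribute flagged fBASEONLY, such as msds-memberOfTransitive.

Added example; not code from the mailing-list thread or from the Shibboleth IdP.
FakeDirectory is a constructed in-memory stand-in for AD: a base-only attribute
is refused on SUBTREE and ONELEVEL searches and is returned only when the search
is scoped to a single object and the attribute is requested by name.
"""
import re

BASE, ONELEVEL, SUBTREE = "base", "onelevel", "subtree"
# attribute names (lower-cased) that carry searchFlags fBASEONLY in this simulation
BASE_ONLY_ATTRS = {"msds-memberoftransitive"}
# assumed container, standing in for the post's "ou=People,dc=blah,..."
PEOPLE_BASE = "ou=People,dc=example,dc=org"


class BaseOnlyViolation(Exception):
    """Stand-in for the error AD returns when a base-only attribute is requested off-scope."""


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a principal name must not be able to alter the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _unescape_filter_value(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parent(dn: str) -> str:
    # split on the first comma; the constructed DNs here contain no escaped commas
    return dn.split(",", 1)[1] if "," in dn else ""


class FakeDirectory:
    def __init__(self, entries):
        # dn -> {attribute: [values]}; DNs and attribute names matched case-insensitively
        self.entries = {dn.lower(): {k.lower(): v for k, v in e.items()} for dn, e in entries.items()}

    def search(self, base_dn, scope, filt, attrs=("*",)):
        base = base_dn.lower()
        wanted = {a.lower() for a in attrs}
        if scope != BASE and wanted & BASE_ONLY_ATTRS:
            raise BaseOnlyViolation(f"{sorted(wanted & BASE_ONLY_ATTRS)} require a base-scoped search")
        m = re.fullmatch(r"\((\w+)=(.*)\)", filt)  # only simple (attr=value) filters are simulated
        if not m:
            raise ValueError(f"unsupported filter: {filt}")
        fattr, fval = m.group(1).lower(), m.group(2)
        results = []
        for dn, entry in self.entries.items():
            if scope == BASE:
                in_scope = dn == base
            elif scope == ONELEVEL:
                in_scope = _parent(dn) == base
            else:
                in_scope = dn == base or dn.endswith("," + base)
            if not in_scope or fattr not in entry:
                continue
            if fval != "*" and _unescape_filter_value(fval).lower() not in [v.lower() for v in entry[fattr]]:
                continue
            # '*' returns every ordinary attribute; base-only ones must be named explicitly
            returned = {k: v for k, v in entry.items()
                        if ("*" in wanted and k not in BASE_ONLY_ATTRS) or k in wanted}
            results.append((dn, returned))
        return results


def resolve_transitive_groups(directory, principal):
    """Step 1: SUBTREE search with the principal escaped into the filter, asking only for cn.
    Step 2: BASE search against the DN the directory handed back, naming the base-only attribute."""
    hits = directory.search(PEOPLE_BASE, SUBTREE, f"(cn={escape_filter_value(principal)})", attrs=("cn",))
    if len(hits) != 1:
        return None  # unknown or ambiguous principal: do not fall back to building a DN from raw input
    user_dn = hits[0][0]
    entry = directory.search(user_dn, BASE, "(objectClass=*)", attrs=("*", "msds-memberOfTransitive"))[0][1]
    return entry.get("msds-memberoftransitive", [])


def reproduce_thread_cases(directory, principal="jdoe"):
    """The four configurations from the original post, run against the stand-in directory."""
    out = {}
    filt = f"(cn={escape_filter_value(principal)})"
    want = ("*", "msds-memberOfTransitive")
    for label, base, scope, f in [("1_subtree", PEOPLE_BASE, SUBTREE, filt),
                                  ("2_onelevel", PEOPLE_BASE, ONELEVEL, filt),
                                  ("3_object_on_ou", PEOPLE_BASE, BASE, filt),
                                  ("4_object_on_user", f"cn={principal},{PEOPLE_BASE}", BASE, "(cn=*)")]:
        try:
            out[label] = len(directory.search(base, scope, f, want))
        except BaseOnlyViolation:
            out[label] = "error"
    return out


DIRECTORY = FakeDirectory({  # constructed sample data
    "ou=People,dc=example,dc=org": {"objectClass": ["organizationalUnit"], "ou": ["People"]},
    "cn=jdoe,ou=People,dc=example,dc=org": {
        "objectClass": ["user"], "cn": ["jdoe"],
        "memberOf": ["cn=staff,ou=Groups,dc=example,dc=org"],
        "msds-memberOfTransitive": ["cn=staff,ou=Groups,dc=example,dc=org",
                                    "cn=all-employees,ou=Groups,dc=example,dc=org"]},
})

if __name__ == "__main__":
    print(reproduce_thread_cases(DIRECTORY))
    print(resolve_transitive_groups(DIRECTORY, "jdoe"))
    print(resolve_transitive_groups(DIRECTORY, "*"))  # wildcard is escaped, so it matches nobody
```

The first search deliberately asks only for cn so that it can never trip the base-only restriction, and the second search uses the DN exactly as the directory returned it. Putting the principal into a DN string yourself would need RFC 4514 escaping on top of the RFC 4515 filter escaping, and an unknown principal would then yield a confusing "no such object" rather than a clean miss. Whether a single IdP DataConnector can express these two steps is not settled in the thread.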