Unable to get memberOf (OpenLDAP, using memberof overlay)

Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
Querying with ldapsearch, I get group membership information using "* +",
"* memberof", etc.; the LDAP server clearly considers memberOf to be an
operational attribute, I get it back when filtering only on "+".

From attribute-resolver.xml:
<ReturnAttributes>* +</ReturnAttributes>
        <FilterTemplate>
           
</FilterTemplate>

I've tried about every combination possible. The logs clearly show "+"
returning operational attributes ... just not memberOf.

I have idp.attribute.resolver.LDAP.searchFilter set to
uid=$resolutionContext.principal. Everything I've found suggests I /should/
be getting memberOf back with the operational attributes.



--
Sent from: https://shibboleth.1660669.n2.nabble.com/Shibboleth-Users-f1660767.html
--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]
Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Peter Schober
* Stevens, M <[hidden email]> [2019-12-10 23:57]:
> From attribute-resolver.xml:
> <ReturnAttributes>* +</ReturnAttributes>
>         <FilterTemplate>
>            
> </FilterTemplate>

Is that empty (except for whitespace) FilterTemplate element above
just a copy/paste error or does that match your actual configuration?

-peter
Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
The contents of my FilterTemplate got dropped when I posted ...
""



Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M

<ReturnAttributes>* +</ReturnAttributes>
        <FilterTemplate>
           
        </FilterTemplate>




Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Peter Schober
In reply to this post by Stevens, M
* Stevens, M <[hidden email]> [2019-12-10 23:57]:
> Querying with ldapsearch, I get group membership information using "* +",
> "* memberof", etc.; the LDAP server clearly considers memberOf to be an
> operational attribute, I get it back when filtering only on "+".

The above only refers to your use of ldapsearch?
Or does everything above also work from the IDP when putting that as
content of an <ReturnAttributes> element /except/ the variant you want
"* +"?
Or does none of this work when putting it as content of ReturnAttributes?

Sorry, the above just isn't clear to me.

> I've tried about every combination possible. The logs clearly show
> "+" returning operational attributes ... just not memberOf.

Since you're looking at logs: You can always run the resolver or the
ldap stuff on DEBUG, that should show what it gets and your slapd logs
should show what the IDP requests (on the right loglevel).

-peter
Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Joseph Fischetti
Have you tried explicitly requesting memberof instead of using the +?

Admittedly, we're not using OpenLDAP, but that's how we're getting other operational attributes back.

As Peter said, up the log level. It'll print out what it got back and what the resolver did with it.


Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
In reply to this post by Peter Schober
The first examples are from ldapsearch. If I specify "* +" with ldapsearch, I
get user attributes and operational attributes, the latter including
"memberOf" data.

If I use "* +" in IDP/ReturnAttributes, I get user attributes and
operational attributes ... but no memberOf.

I have IDP logging set to debug, and can clearly see it returning 15 user
attributes when I only include "*" in ReturnAttributes, and 25 user and
operational attributes when I use "* +" in ReturnAttributes. I've tried
explicitly including memberOf in ReturnAttributes, but it has no effect.

Hopefully that's clear ... for whatever reason, ldapsearch thinks "memberOf"
is an operational attribute, the IDP doesn't appear to.



Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
In reply to this post by Joseph Fischetti
What the logs show coming back when using "* +" ...

Data Connector 'myLDAP': Attribute 'entryUUID': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'userPassword': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'telephoneNumber': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'mail': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'shadowLastChange': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'createTimestamp': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'modifyTimestamp': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'uid': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'entryCSN': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'modifiersName': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'sn': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'entryDN': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'loginShell': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'structuralObjectClass': Values '[StringAttributeValue{value=inetOrgPerson}]'
Data Connector 'myLDAP': Attribute 'creatorsName': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'homeDirectory': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'shadowExpire': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'subschemaSubentry': Values '[StringAttributeValue{value=cn=Subschema}]'
Data Connector 'myLDAP': Attribute 'givenName': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'objectClass': Values '[StringAttributeValue{value=posixAccount}, StringAttributeValue{value=inetOrgPerson}, StringAttributeValue{value=organizationalPerson}, StringAttributeValue{value=person}, StringAttributeValue{value=shadowAccount}]'
Data Connector 'myLDAP': Attribute 'cn': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'hasSubordinates': Values '[StringAttributeValue{value=TRUE}]'
Data Connector 'myLDAP': Attribute 'uidNumber': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'gidNumber': Values '[StringAttributeValue{value=X}]'
Data Connector 'myLDAP': Attribute 'pwdChangedTime': Values '[StringAttributeValue{value=X}]'



Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Simon Lundström-2
In reply to this post by Stevens, M
How is your IDP authenticating against your LDAP-servers? At all?

Did you authenticate when using ldapsearch?

Does `ldapsearch -h ldap.domain.tld -x mail=[hidden email]
memberof` give you the results you want?

It might be an ACL issue.

BR,
- Simon

Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Phil Pishioneri
In reply to this post by Stevens, M
On 2019/12/10 6:43 PM, Stevens, M wrote:
> ...
> Hopefully that's clear ... for whatever reason, ldapsearch thinks "memberOf"
> is an operational attribute, the IdP doesn't appear to.


The "memberof" attribute generated by the memberof overlay *is* an operational attribute. See the last line in the OpenLDAP admin guide section "12.8.2. Member Of Configuration"

https://www.openldap.org/doc/admin24/overlays.html#Member%20Of%20Configuration

Note that the memberOf attribute is an operational attribute, so it must be requested explicitly.

-Phil


Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
I'm not clear on why ldapsearch returns memberOf if the "+" filter is
specified and the IdP data connector does not, but it does work in the IdP
data connector if I explicitly call it out:
<ReturnAttributes>* memberOf</ReturnAttributes>






Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Phil Pishioneri
On 2019/12/11 1:48 PM, Stevens, M wrote:
> I'm not clear on why ldapsearch returns memberOf if the "+" filter is
> specified and the IdP data connector does not, but it does work in the IdP
> data connector if I explicitly call it out:
> <ReturnAttributes>* memberOf</ReturnAttributes>


Have you looked at your slapd log and verified that slapd sees the same
attribute list from both ldapsearch and IdP searches? (The value for
'attr' in SRCH log entries, e.g., "SRCH attr=* +".)

-Phil

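
Added example (editor's code, not from the thread, OpenLDAP or Shibboleth) for the check Phil describes and the ACL question Simon raised: a Python script that reads slapd stats-level (loglevel 256) log lines and pairs each SRCH with the identity the connection had bound as, the attribute list the client actually sent (the "SRCH attr=" line), and whether slapd logged "TLS established" on that connection. The log lines are constructed to resemble real slapd output; conn=1041 stands for the IdP (StartTLS, bound as a service DN, requesting "* memberOf") and conn=1042 for an administrator's ldapsearch over plain ldap:// bound as cn=admin requesting "* +". Hostnames, IPs, DNs, uid jdoe and connection numbers are all made up.

```python
"""Pair each slapd SRCH with the identity that issued it, the attribute list the
client actually sent ('SRCH attr='), and whether the connection used TLS."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample in slapd 'stats' (loglevel 256) format with a syslog prefix.
# conn=1041 plays the IdP: StartTLS, bind as a service DN, resolver search.
# conn=1042 plays an admin's ldapsearch over plain ldap:// bound as cn=admin.
SLAPD_LOG = """\
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 fd=18 ACCEPT from IP=10.0.0.5:51234 (IP=0.0.0.0:389)
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=0 STARTTLS
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=0 RESULT oid= err=0 text=
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 fd=18 TLS established tls_ssf=256 ssf=256
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=1 BIND dn="cn=idp,ou=services,dc=example,dc=org" method=128
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=1 BIND dn="cn=idp,ou=services,dc=example,dc=org" mech=SIMPLE ssf=0
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=1 RESULT tag=97 err=0 text=
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=2 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=3 filter="(uid=jdoe)"
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=2 SRCH attr=* memberOf
Dec 11 00:43:01 ldap1 slapd[2231]: conn=1041 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 fd=19 ACCEPT from IP=127.0.0.1:40002 (IP=0.0.0.0:389)
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=0 BIND dn="cn=admin,dc=example,dc=org" method=128
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=0 BIND dn="cn=admin,dc=example,dc=org" mech=SIMPLE ssf=0
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=0 RESULT tag=97 err=0 text=
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=1 SRCH base="ou=people,dc=example,dc=org" scope=2 deref=0 filter="(uid=jdoe)"
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=1 SRCH attr=* +
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 op=2 UNBIND
Dec 11 00:43:09 ldap1 slapd[2231]: conn=1042 fd=19 closed
"""


@dataclass
class Search:
    conn: str
    op: str
    bind_dn: str                 # "" means anonymous
    tls: bool                    # slapd logged 'TLS established' before the search
    base: str
    filter: str
    attrs: List[str] = field(default_factory=list)   # the 'SRCH attr=' list as sent
    err: Optional[int] = None
    nentries: Optional[int] = None


@dataclass
class _Conn:
    pending: Dict[str, str] = field(default_factory=dict)  # bind op -> dn awaiting RESULT
    bind_dn: str = ""
    tls: bool = False


_CONN = re.compile(r"conn=(?P<conn>\d+) (?P<rest>.*)$")
# TLS indicator is slapd's own 'TLS established' line, not the ssf= on the BIND line.
_TLS = re.compile(r"^fd=\d+ TLS established")
_BIND = re.compile(r'^op=(?P<op>\d+) BIND dn="(?P<dn>[^"]*)" method=')
_BIND_RESULT = re.compile(r"^op=(?P<op>\d+) RESULT tag=97 err=(?P<err>\d+)")
_SRCH = re.compile(r'^op=(?P<op>\d+) SRCH base="(?P<base>[^"]*)" scope=\d deref=\d filter="(?P<filter>.*)"$')
_SRCH_ATTR = re.compile(r"^op=(?P<op>\d+) SRCH attr=(?P<attrs>.*)$")
_SRCH_RESULT = re.compile(r"^op=(?P<op>\d+) SEARCH RESULT tag=101 err=(?P<err>\d+) nentries=(?P<n>\d+)")


def parse_slapd_stats(text: str) -> List[Search]:
    conns: Dict[str, _Conn] = {}
    searches: Dict[Tuple[str, str], Search] = {}
    for line in text.splitlines():
        m = _CONN.search(line)
        if not m:
            continue
        conn, rest = m["conn"], m["rest"]
        st = conns.setdefault(conn, _Conn())
        if _TLS.match(rest):
            st.tls = True
        elif (b := _BIND.match(rest)):
            st.pending[b["op"]] = b["dn"]
        elif (r := _BIND_RESULT.match(rest)):
            dn = st.pending.pop(r["op"], None)
            if dn is not None and r["err"] == "0":
                st.bind_dn = dn          # only a successful BIND changes the identity
        elif (s := _SRCH.match(rest)):
            searches[(conn, s["op"])] = Search(conn, s["op"], st.bind_dn, st.tls, s["base"], s["filter"])
        elif (a := _SRCH_ATTR.match(rest)):
            if (conn, a["op"]) in searches:
                searches[(conn, a["op"])].attrs = a["attrs"].split()
        elif (r := _SRCH_RESULT.match(rest)):
            if (conn, r["op"]) in searches:
                searches[(conn, r["op"])].err = int(r["err"])
                searches[(conn, r["op"])].nentries = int(r["n"])
    return list(searches.values())


def findings(searches: List[Search], filt: str) -> List[str]:
    """Why two searches for the same entry may come back with different attributes."""
    notes: List[str] = []
    same = [s for s in searches if s.filter == filt]
    identities = {s.bind_dn or "<anonymous>" for s in same}
    if len(identities) > 1:
        notes.append("different bind identities: " + ", ".join(sorted(identities))
                     + " (slapd ACLs are evaluated per identity, so the visible attributes can differ)")
    requests = {" ".join(a.lower() for a in s.attrs) for s in same}
    if len(requests) > 1:
        notes.append("different attribute lists requested: " + " | ".join(sorted(requests)))
    for s in same:
        if s.bind_dn and not s.tls:
            notes.append(f"conn={s.conn}: simple bind as {s.bind_dn} without TLS (password crossed the wire in the clear)")
        if "+" in s.attrs:
            notes.append(f"conn={s.conn}: '+' requests every operational attribute the identity may read; "
                         "name the ones the resolver needs instead")
    return notes


if __name__ == "__main__":
    found = parse_slapd_stats(SLAPD_LOG)
    for s in found:
        print(f"conn={s.conn} op={s.op} as={s.bind_dn or '<anonymous>'} tls={s.tls} attrs={s.attrs} nentries={s.nentries}")
    for note in findings(found, "(uid=jdoe)"):
        print("-", note)
```

Reproduce the search from both clients, then run this over the slapd log. If the two "SRCH attr=" lists match and the bind DNs differ, the difference is in the ACLs for the bound identity, not in the IdP; if the lists differ, the IdP is not sending what you think ReturnAttributes says. The TLS note is incidental to memberOf but worth acting on whenever an administrative DN shows up binding over plain ldap://.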

Re: Unable to get memberOf (OpenLDAP, using memberof overlay)

Stevens, M
I did more testing, and the IdP is returning memberOf results when I specify
"* +" ... the slapd logs show the same attributes for the IdP that I get
from ldapsearch:

SRCH attr=* +

I'm trying to get this functional for the first time, I may have had
something configured incorrectly, or possibly sssd was behaving strangely (I
restarted it and cleared its cache after getting group memberships back when
declaring memberOf specifically.)

In any case, I've re-tested and this consistently returns the expected
results across every account I've specified:

<ReturnAttributes>* +</ReturnAttributes>

(My testing has all been via the aacli utility.)


