
<!-- Resolve nested groups in AD using the DN of the resolved user -->
<!--
    Second LDAP data connector. It takes the user's distinguishedName from the
    "ldap" connector and searches for every group whose "member" attribute
    matches that DN through the AD matching rule 1.2.840.113556.1.4.1941
    (LDAP_MATCHING_RULE_IN_CHAIN), i.e. direct and transitively nested
    membership. Connection settings (URL, base DN, bind DN and credential,
    StartTLS) come from the same idp.attribute.resolver.LDAP.* properties as
    the primary connector, so the bind credential never appears in this file.
    maxResultSize="0" removes the cap on returned group entries; a user in
    many groups (or an overly broad baseDN) can make this search expensive,
    so a deployment-appropriate bound is worth considering.
-->
<DataConnector id="ldap-groups" xsi:type="LDAPDirectory"
    ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
    baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
    principal="%{idp.attribute.resolver.LDAP.bindDN}"
    principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
    useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS}"
    maxResultSize="0">

    <!-- Only distinguishedName from the "ldap" connector is exposed to the
         filter template; that connector must return it or the search below
         has nothing to substitute. -->
    <InputDataConnector ref="ldap" attributeNames="distinguishedName" />

    <!-- Velocity template; $distinguishedName.get(0) inserts the first DN
         value only. NOTE(review): the DN originates from the directory, not
         from the user, but confirm that the IdP version in use escapes
         substituted values per RFC 4515 (or that the DN cannot contain filter
         metacharacters) before reusing this pattern with user-supplied input. -->
    <FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=$distinguishedName.get(0))
        ]]>
    </FilterTemplate>

    <!-- Attributes read from each matching group entry; they surface as this
         connector's "distinguishedName" and "sAMAccountName" attributes,
         multi-valued when the user belongs to more than one group. -->
    <ReturnAttributes>
        distinguishedName
        sAMAccountName
    </ReturnAttributes>
</DataConnector>

Attribute definition

You now have two (probably multi-valued) attributes available to use. For example, you could map them into an affiliation, or turn them into entitlements.


<!--
    Maps the group DNs returned by the "ldap-groups" connector onto
    eduPersonAffiliation values. Each ValueMap lists the SourceValue(s) - group
    DNs - that yield its ReturnValue; a group DN may appear in more than one
    ValueMap, so one group can contribute several affiliations (here the
    student and staff groups also yield "member").
    NOTE(review): each SourceValue is written as a literal DN string; confirm
    it matches the DN form AD actually returns (case and spacing), otherwise
    the mapping silently produces nothing for that group.
-->
<AttributeDefinition xsi:type="Mapped" id="eduPersonAffiliation">
    <!-- Input is the group DN list, not sAMAccountName, so matching is against
         the full DN. -->
    <InputDataConnector ref="ldap-groups" attributeNames="distinguishedName" />
    <!-- passThru="false": group DNs that match no SourceValue are dropped
         rather than released unchanged, which keeps raw directory structure
         out of the affiliation attribute. -->
    <DefaultValue passThru="false"/>
    <ValueMap>
        <ReturnValue>student</ReturnValue>
        <SourceValue>CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>staff</ReturnValue>
        <SourceValue>CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>
    <!-- Both groups also map to the generic "member" affiliation. -->
    <ValueMap>
        <ReturnValue>member</ReturnValue>
        <SourceValue>CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
        <SourceValue>CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk</SourceValue>
    </ValueMap>
 </AttributeDefinition>