...
The following example defines the attributes krb_principalname
and krb_domain
that are used in the user directory lookup filter template:
Code Block |
---|
language | xml |
---|
title | Extract the username and realm from the Kerberos Principal name |
---|
| |
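<!-- NOTE(review): the published snippet had two page revisions interleaved
     (duplicated/merged tags and comments); it is reconstructed here from the
     visible lines in the V3.4 (unprefixed) syntax. Verify against a working
     attribute-resolver.xml before copying it. -->

<!-- The principal name resulting from the authentication. -->
<AttributeDefinition id="principalName"
    xsi:type="PrincipalName"
    dependencyOnly="true">
</AttributeDefinition>

<!-- Extract the simple username from the Kerberos Principal name.
     Only a principal in the EXAMPLE.ORG realm is reduced to its local part.
     With passThru="true" an input value that matches no ValueMap is passed on
     unchanged, so a principal from any other realm reaches the lookup filter
     as the full "user@REALM" string; confirm that is the intended behaviour. -->
<AttributeDefinition id="krb_principalname"
    xsi:type="Mapped"
    dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>$1</ReturnValue>
        <!-- The realm is a literal, so its dot is escaped: an unescaped "."
             is a regex metacharacter and would also match any other single
             character in that position. The greedy (.+) captures everything
             before the last "@". -->
        <SourceValue>(.+)@EXAMPLE\.ORG</SourceValue>
    </ValueMap>
</AttributeDefinition>

<!-- Map the Kerberos realm to a domain name.
     Same passThru caveat as above: a principal from a realm not listed here is
     emitted unchanged as krb_domain rather than being dropped. -->
<AttributeDefinition id="krb_domain"
    xsi:type="Mapped"
    dependencyOnly="true">
    <InputAttributeDefinition ref="principalName" />
    <DefaultValue passThru="true"/>
    <ValueMap>
        <ReturnValue>domain_a.com</ReturnValue>
        <SourceValue>(.+)@DOMAIN_A\.COM</SourceValue>
    </ValueMap>
    <ValueMap>
        <ReturnValue>domain_b.com</ReturnValue>
        <SourceValue>(.+)@DOMAIN_B\.COM</SourceValue>
    </ValueMap>
</AttributeDefinition>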
Code Block |
---|
language | xml |
---|
title | Extract the username and realm from the Kerberos Principal name (V3.3) |
---|
collapse | true |
---|
|
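<!-- NOTE(review): the published snippet had two page revisions interleaved
     (duplicated/merged tags and comments, and a second copy of the tail); it
     is reconstructed here from the visible lines in the V3.3 (prefixed) syntax.
     Verify against a working attribute-resolver.xml before copying it. -->

<!-- The principal name resulting from the authentication. -->
<resolver:AttributeDefinition id="principalName"
    xsi:type="ad:PrincipalName"
    dependencyOnly="true">
</resolver:AttributeDefinition>

<!-- Extract the simple username from the Kerberos Principal name.
     Only a principal in the EXAMPLE.ORG realm is reduced to its local part.
     With passThru="true" an input value that matches no ValueMap is passed on
     unchanged, so a principal from any other realm reaches the lookup filter
     as the full "user@REALM" string; confirm that is the intended behaviour. -->
<resolver:AttributeDefinition id="krb_principalname"
    xsi:type="ad:Mapped"
    sourceAttributeID="principalName"
    dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:DefaultValue passThru="true"/>
    <ad:ValueMap>
        <ad:ReturnValue>$1</ad:ReturnValue>
        <!-- The realm is a literal, so its dot is escaped: an unescaped "."
             is a regex metacharacter and would also match any other single
             character in that position. The greedy (.+) captures everything
             before the last "@". -->
        <ad:SourceValue>(.+)@EXAMPLE\.ORG</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>

<!-- Map the Kerberos realm to a domain name.
     Same passThru caveat as above: a principal from a realm not listed here is
     emitted unchanged as krb_domain rather than being dropped. -->
<resolver:AttributeDefinition id="krb_domain"
    xsi:type="ad:Mapped"
    sourceAttributeID="principalName"
    dependencyOnly="true">
    <resolver:Dependency ref="principalName" />
    <ad:DefaultValue passThru="true"/>
    <ad:ValueMap>
        <ad:ReturnValue>domain_a.com</ad:ReturnValue>
        <ad:SourceValue>(.+)@DOMAIN_A\.COM</ad:SourceValue>
    </ad:ValueMap>
    <ad:ValueMap>
        <ad:ReturnValue>domain_b.com</ad:ReturnValue>
        <ad:SourceValue>(.+)@DOMAIN_B\.COM</ad:SourceValue>
    </ad:ValueMap>
</resolver:AttributeDefinition>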
Then, the user directory lookup filter template needs to be adapted to use the attributes defined above:
Code Block |
---|
language | xml |
---|
title | Example LDAP data connector (V3.4) |
---|
collapse | true |
---|
|
<!-- LDAP lookup of the authenticated user's directory entry (V3.4 syntax).
     The filter template below interpolates three values straight into the
     filter text: the raw principal ($resolutionContext.principal) and the
     first value of the krb_principalname and krb_domain attributes. It matches
     an entry whose sAMAccountName or mail equals the raw principal, or whose
     sAMAccountName equals the extracted username AND whose msSFU30NisDomain
     equals the mapped domain; in every case objectClass=user is required.
     NOTE(review): no escaping of LDAP filter metacharacters is visible in this
     fragment; confirm that the connector escapes substituted values (or that
     the upstream ValueMaps constrain them) before relying on this template. -->
<DataConnector id="myLDAP" xsi:type="LDAPDirectory"
...>
<FilterTemplate>
<![CDATA[
(&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectClass=user))
]]>
</FilterTemplate>
...
</DataConnector> |
Code Block |
---|
language | xml |
---|
title | Example LDAP data connector (V3.3) |
---|
collapse | true |
---|
|
<!-- LDAP lookup of the authenticated user's directory entry (V3.3 syntax).
     The filter template below interpolates three values straight into the
     filter text: the raw principal ($resolutionContext.principal) and the
     first value of the krb_principalname and krb_domain attributes. It matches
     an entry whose sAMAccountName or mail equals the raw principal, or whose
     sAMAccountName equals the extracted username AND whose msSFU30NisDomain
     equals the mapped domain; in every case objectClass=user is required.
     NOTE(review): no escaping of LDAP filter metacharacters is visible in this
     fragment; confirm that the connector escapes substituted values (or that
     the upstream ValueMaps constrain them) before relying on this template. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
...>
<dc:FilterTemplate>
<![CDATA[
(&(|(sAMAccountName=$resolutionContext.principal)(mail=$resolutionContext.principal)(&(sAMAccountName=${krb_principalname.get(0)})(msSFU30NisDomain=${krb_domain.get(0)})))(objectClass=user))
]]>
</dc:FilterTemplate>
...
</resolver:DataConnector> |
...