...
As the groups used for the eduPersonAffiliation attribute use recursive (nested) membership, a second LDAP connector is needed for this attribute specifically: one that looks up all the groups a user is recursively a member of. The list is obtained by using the Microsoft AD extension LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) in the search filter, which makes the server do the recursive search. Further documentation on this is available at http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475.

We define a second LDAP connector (called groupLDAP here) in attribute-resolver.xml that does a recursive lookup on a user DN. This connector depends on the distinguishedName attribute provided by the main LDAP connector (myLDAP), so that it has the user's full DN to search the groups for, and is in turn used by the memberOf attribute that the eduPersonAffiliation attribute later depends on. Specifically, this connector:

- uses a search base in the groups OU: OU=Groups and Resources,DC=EXAMPLE,DC=ORG
- increases maxResultSize from the default of 1 to 1000 (there is no way to say unlimited; this is a reasonable upper bound for the number of groups a single user can be in)
- has mergeResults="true", to flatten the results into a single object with multiple values in the distinguishedName attribute
- uses a FilterTemplate that searches based on the DN returned by the main LDAP connector
- requests only the distinguishedName attribute on the result objects (so the complete group objects are not downloaded); this is done via a (space-separated) <ReturnAttributes> element, which must come after FilterTemplate

A few practical notes. The FilterTemplate inserts the DN into the filter as-is; if DNs in your directory can contain characters that are special in LDAP filters (parentheses, asterisk, backslash), they need RFC 4515 escaping or the search will fail or match something other than intended. The group check in the script below is an exact, case-sensitive string comparison, so the DN written in the script must match the form AD returns. The bind account (principal) only needs read access to the groups OU, and since principalCredential is stored in clear text, attribute-resolver.xml should be readable only by the user the IdP runs as.
```xml
<!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
<resolver:AttributeDefinition id="distinguishedName" xsi:type="ad:Simple"
    sourceAttributeID="distinguishedName">
    <resolver:Dependency ref="myLDAP" />
    <!-- no encoder needed -->
</resolver:AttributeDefinition>

<!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute -->
<resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldaps://ad.example.org"
    baseDN="OU=Groups and Resources,DC=EXAMPLE,DC=ORG"
    principal="CN=Binder,DC=EXAMPLE,DC=ORG"
    principalCredential="PASSWORD-HERE"
    maxResultSize="1000"
    mergeResults="true"
    searchTimeLimit="PT10.000S">
    <resolver:Dependency ref="distinguishedName" />
    <dc:FilterTemplate>
        <![CDATA[
            (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
        ]]>
    </dc:FilterTemplate>
    <!-- only fetch the DN of each matching group, not the whole group object -->
    <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
    <dc:LDAPProperty name="java.naming.referral" value="follow"/>
</resolver:DataConnector>

<!-- define the memberOf attribute based on the distinguishedName attribute returned by the groupLDAP connector - names of all groups the user is in -->
<resolver:AttributeDefinition id="memberOf" xsi:type="ad:Simple"
    sourceAttributeID="distinguishedName">
    <resolver:Dependency ref="groupLDAP" />
    <!-- no encoder needed -->
</resolver:AttributeDefinition>

<!-- define eduPersonAffiliation same as in the previous example - but put a dependency on the memberOf attribute defined through the groupLDAP connector -->
<resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Script">
    <resolver:Dependency ref="memberOf" />
    <resolver:DisplayName xml:lang="en">Affiliation type</resolver:DisplayName>
    <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
    <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
    <ad:Script>
        <![CDATA[
            importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
            if (eduPersonAffiliation == null) {
                eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
            }
            // memberOf holds the DNs of all groups (direct and nested) the user is in;
            // exact string match against the staff group's DN as AD returns it
            is_Staff = memberOf != null && memberOf.getValues().contains("CN=All-Staff,OU=Groups and Resources,DC=EXAMPLE,DC=ORG");
            if (is_Staff) {
                eduPersonAffiliation.getValues().add("staff");
                eduPersonAffiliation.getValues().add("member");
            }
        ]]>
    </ad:Script>
</resolver:AttributeDefinition>
```
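To make the behaviour of the connector chain concrete, here is an added example in plain Python (not code from the Shibboleth wiki page or the IdP itself). It emulates three things against a constructed in-memory directory, so it runs offline and never contacts a real Active Directory: building the LDAP_MATCHING_RULE_IN_CHAIN filter with RFC 4515 escaping of the DN, the transitive group expansion the server performs for that matching rule (including nested-group cycles), and the staff-to-affiliation mapping of the script above. It generalizes the script in one respect: DN comparison is case-insensitive, as it is in AD, whereas the script's contains() is an exact match. The sample group and user DNs are constructed for the example.

```python
"""Added example, not code from the Shibboleth wiki page it accompanies.

Emulates in plain Python what the groupLDAP connector and the
eduPersonAffiliation script above do, against a constructed in-memory
directory so it runs offline; nothing here talks to a real Active Directory.
"""

LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# RFC 4515 escaping for a value placed inside a search filter. The resolver's
# FilterTemplate inserts ${distinguishedName.get(0)} verbatim, which is safe
# only while no DN in the directory contains one of these characters.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_group_filter(user_dn: str) -> str:
    """The filter the groupLDAP connector sends, with the DN escaped."""
    return f"(member:{LDAP_MATCHING_RULE_IN_CHAIN}:={escape_filter_value(user_dn)})"


GROUPS_OU = "OU=Groups and Resources,DC=EXAMPLE,DC=ORG"
STAFF_GROUP = f"CN=All-Staff,{GROUPS_OU}"

# Constructed sample directory: group DN -> DNs listed in its 'member' attribute.
# Dotnet-Team is nested inside All-Staff; Loop-A and Loop-B contain each other.
SAMPLE_GROUPS = {
    STAFF_GROUP: [f"CN=Dotnet-Team,{GROUPS_OU}", "CN=Carol,OU=People,DC=EXAMPLE,DC=ORG"],
    f"CN=Dotnet-Team,{GROUPS_OU}": ["CN=Alice,OU=People,DC=EXAMPLE,DC=ORG"],
    f"CN=Students,{GROUPS_OU}": ["CN=Bob,OU=People,DC=EXAMPLE,DC=ORG"],
    f"CN=Loop-A,{GROUPS_OU}": [f"CN=Loop-B,{GROUPS_OU}", "CN=Alice,OU=People,DC=EXAMPLE,DC=ORG"],
    f"CN=Loop-B,{GROUPS_OU}": [f"CN=Loop-A,{GROUPS_OU}"],
}


def groups_in_chain(directory: dict, user_dn: str) -> list:
    """Transitive closure of 'member': every group the user is in directly or via
    nested groups. This is what the server evaluates for the matching rule; the
    'seen' set keeps nested-group cycles from looping forever. DN comparison is
    case-insensitive, as in AD."""
    # Reverse index: member DN (lowercased) -> groups that list it directly.
    parents = {}
    for group_dn, members in directory.items():
        for member_dn in members:
            parents.setdefault(member_dn.lower(), []).append(group_dn)
    seen, result, todo = set(), [], [user_dn]
    while todo:
        dn = todo.pop()
        for group_dn in parents.get(dn.lower(), []):
            if group_dn.lower() not in seen:
                seen.add(group_dn.lower())
                result.append(group_dn)
                todo.append(group_dn)
    return sorted(result)


def affiliations(member_of: list, staff_group_dn: str = STAFF_GROUP) -> list:
    """Same rule as the page's script: staff-group membership yields 'staff' and
    'member'; anyone else gets no eduPersonAffiliation value. Unlike the script's
    contains(), the match ignores case."""
    wanted = staff_group_dn.lower()
    if any(dn.lower() == wanted for dn in member_of):
        return ["staff", "member"]
    return []


def resolve_affiliation(directory: dict, user_dn: str) -> list:
    """Whole chain: user DN -> recursive group DNs -> affiliation values."""
    return affiliations(groups_in_chain(directory, user_dn))


if __name__ == "__main__":
    alice = "CN=Alice,OU=People,DC=EXAMPLE,DC=ORG"
    print(build_group_filter(alice))
    print(groups_in_chain(SAMPLE_GROUPS, alice))
    print(resolve_affiliation(SAMPLE_GROUPS, alice))
```

Alice is only an indirect member of All-Staff (through Dotnet-Team), which is exactly the case a plain `(member=...)` filter would miss and the matching rule catches; the Loop-A/Loop-B pair shows why any client-side emulation of the rule needs cycle protection.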
...
Add common-lib-terms to all Staff and Students
...
German-language page only at this time, but feel free to ask about this on the users mailing list if configuration and/or code are not sufficiently clear. Uses schacDateOfBirth and a Script-type AttributeDefinition to calculate whether the subject satisfies the business criteria for carrying a specific eduPersonEntitlement value, which include an age limit, without leaking the age (or birth date) of the subject to the relying party.
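The age-limit part of that check, as an added example in plain Python rather than the configuration from the German-language page: schacDateOfBirth is an 8-digit YYYYMMDD string as the SCHAC schema defines it, and the point is to decide whether the subject has reached a minimum age and release only the resulting eduPersonEntitlement value, so the birth date itself never leaves the resolver. The entitlement URN, the age limit of 18 and the sample dates are assumptions for illustration; the other business criteria the page mentions are not modelled.

```python
"""Added example; not the configuration from the page referred to above.
Decides from schacDateOfBirth (YYYYMMDD) whether a minimum age is reached and
returns only the entitlement value, never the date. Assumed: entitlement URN
and age limit."""
from datetime import date

MIN_AGE = 18  # assumed business rule
ENTITLEMENT = "urn:mace:example.org:entitlement:adult"  # hypothetical value


def parse_schac_dob(value: str) -> date:
    """schacDateOfBirth is an 8-digit YYYYMMDD string; anything else is rejected."""
    if len(value) != 8 or not value.isdigit():
        raise ValueError(f"bad schacDateOfBirth: {value!r}")
    return date(int(value[:4]), int(value[4:6]), int(value[6:]))


def age_on(dob: date, today: date) -> int:
    """Completed years, counting the birthday itself as reached. A 29 February
    birthday counts as reached on 1 March in non-leap years."""
    years = today.year - dob.year
    if (today.month, today.day) < (dob.month, dob.day):
        years -= 1
    return years


def entitlements(attributes: dict, today=None) -> list:
    """eduPersonEntitlement values to release for the subject. The birth date is
    read here and goes no further; a missing or malformed value yields nothing
    rather than an error, so a bad directory record cannot block the login."""
    today = today or date.today()
    dob_raw = attributes.get("schacDateOfBirth")
    if not dob_raw:
        return []
    try:
        dob = parse_schac_dob(dob_raw)
    except ValueError:
        return []
    return [ENTITLEMENT] if age_on(dob, today) >= MIN_AGE else []


if __name__ == "__main__":
    # constructed sample subject, evaluated on a fixed date for reproducibility
    print(entitlements({"schacDateOfBirth": "20040229"}, today=date(2022, 3, 1)))
```

The relying party sees only whether the entitlement value is present; the leap-day case is the edge worth a test, since a naive "subtract years" check gets it wrong on 28 February.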