Comment: update link to ACOnet docs

...


Because the groups used for the eduPersonAffiliation attribute are nested (recursive membership), this attribute specifically needed a second LDAP connector that looks up a user's complete recursive group membership.

We obtain the list of all groups a user is recursively a member of by using the Microsoft AD extension LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) in the search filter, which makes the directory server perform the recursive search itself. Further documentation on this is available at http://msdn.microsoft.com/en-us/library/windows/desktop/aa746475

We define a second LDAP connector (called groupLDAP here) in attribute-resolver.xml that does a recursive lookup on a user DN. This connector depends on the distinguishedName attribute provided by the main LDAP connector (myLDAP) – to have the user's full DN to search the groups for – and is in turn used by the memberOf attribute that is later used in the eduPersonAffiliation attribute.

Specifically, this connector:

  • Uses a search base in the groups OU: OU=Groups and Resources,DC=EXAMPLE,DC=ORG

  • Increases maxResultSize from 1 to 1000 (there is no way to say unlimited; this is a reasonable value)

  • Increases searchTimeLimit from 3000 ms to 10,000 ms

  • Has mergeResults="true" (to flatten the results - return a single object with multiple values in the distinguishedName attribute)

  • Uses a FilterTemplate that searches based on the DN returned by the main LDAP connector

    • We cannot use "dn" directly (not seen as an attribute), but we can use "distinguishedName" (visible in AD as an attribute on all objects)

  • Requests only the distinguishedName attribute on the result objects (so as not to download the complete group objects) – this is done via a (space-separated) <ReturnAttributes> element (which must come after FilterTemplate)

    • Again, as we cannot see “dn”, we request distinguishedName as the group name. All of the group names are then flattened into a single multivalued attribute (used by the memberOf definition).


Code Block

```xml
    <!-- get the user's DN from the main LDAP connector (myLDAP) for searching the groups the user is in -->
    <resolver:AttributeDefinition id="distinguishedName" xsi:type="ad:Simple"
              sourceAttributeID="distinguishedName">
        <resolver:Dependency ref="myLDAP" />
        <!-- no encoder needed: internal attribute, only consumed by other definitions -->
    </resolver:AttributeDefinition>

    <!-- search for all groups the user is recursively in - and flatten the distinguishedName(s) of all the groups into a single multivalued attribute -->
    <resolver:DataConnector id="groupLDAP" xsi:type="dc:LDAPDirectory"
        ldapURL="ldaps://ad.example.org"
        baseDN="OU=Groups and Resources,DC=EXAMPLE,DC=ORG"
        principal="CN=Binder,DC=EXAMPLE,DC=ORG"
        principalCredential="PASSWORD-HERE"
        maxResultSize="1000"
        mergeResults="true"
        searchTimeLimit="PT10.000S">
        <!-- searchTimeLimit: 10 seconds as an ISO 8601 duration; IdP v2.x expects a plain millisecond value (10000) here instead -->
        <resolver:Dependency ref="distinguishedName" />
        <!-- LDAP_MATCHING_RULE_IN_CHAIN: matches every group whose member chain (at any depth) reaches the user's DN -->
        <dc:FilterTemplate>
            <![CDATA[
                (member:1.2.840.113556.1.4.1941:=${distinguishedName.get(0)})
            ]]>
        </dc:FilterTemplate>
        <!-- must come after FilterTemplate; request only the group DN, not the whole group object -->
        <dc:ReturnAttributes>distinguishedName</dc:ReturnAttributes>
        <dc:LDAPProperty name="java.naming.referral" value="follow"/>
    </resolver:DataConnector>

    <!-- define the memberOf attribute based on the distinguishedName attribute returned by the groupLDAP connector - names of all groups the user is in -->
    <resolver:AttributeDefinition id="memberOf" xsi:type="ad:Simple"
              sourceAttributeID="distinguishedName">
        <resolver:Dependency ref="groupLDAP" />
        <!-- no encoder needed -->
    </resolver:AttributeDefinition>

    <!-- define eduPersonAffiliation same as in the previous example - but put a dependency on the memberOf attribute defined through the groupLDAP connector -->
    <resolver:AttributeDefinition id="eduPersonAffiliation" xsi:type="ad:Script">
        <resolver:Dependency ref="memberOf" />
        <resolver:DisplayName xml:lang="en">Affiliation type</resolver:DisplayName>
        <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAffiliation" />
        <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" friendlyName="eduPersonAffiliation" />
        <ad:Script>
        <![CDATA[
                importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
                if (eduPersonAffiliation == null) {
                        eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
                }
                // memberOf holds the DN of every group the user is (recursively) a member of
                is_Staff = memberOf != null && memberOf.getValues().contains("CN=All-Staff,OU=Groups and Resources,DC=EXAMPLE,DC=ORG");

                // every staff member is also a "member"
                if (is_Staff) {
                        eduPersonAffiliation.getValues().add("staff");
                        eduPersonAffiliation.getValues().add("member");
                }
        ]]>
        </ad:Script>
    </resolver:AttributeDefinition>
```
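An added example, not part of this page or of the Shibboleth project: it builds the groupLDAP filter from a user DN with RFC 4515 escaping of the substituted value (the page does not say whether the IdP escapes the template substitution itself, so the escaping is done explicitly), emulates over a constructed in-memory group tree the nested-membership expansion that the 1.2.840.113556.1.4.1941 rule performs on the AD side, and applies the same All-Staff-to-affiliation mapping as the script above. Every DN except the All-Staff group is constructed.

```python
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"
STAFF_GROUP = "CN=All-Staff,OU=Groups and Resources,DC=EXAMPLE,DC=ORG"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so that '(', ')', '*', '\\' or NUL
    inside a DN cannot change the structure of the search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_chain_filter(user_dn: str) -> str:
    """The groupLDAP FilterTemplate with the user's DN substituted (and escaped)."""
    return "(member:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(user_dn))


# Constructed sample group tree (group DN -> direct members). All-Staff contains
# IT-Staff as a nested group, which is exactly why the recursive lookup is needed.
USERS_OU = "OU=Users,DC=EXAMPLE,DC=ORG"
GROUPS_OU = "OU=Groups and Resources,DC=EXAMPLE,DC=ORG"
JANE = "CN=Jane Doe," + USERS_OU
JOHN = "CN=John Roe," + USERS_OU
IT_STAFF = "CN=IT-Staff," + GROUPS_OU
STUDENTS = "CN=Students," + GROUPS_OU
SAMPLE_GROUPS = {
    STAFF_GROUP: {IT_STAFF},
    IT_STAFF: {JANE},
    STUDENTS: {JOHN},
}


def transitive_groups(user_dn: str, groups: dict) -> set:
    """Emulate what the matching rule resolves server-side: every group reachable
    from the user through nested membership (cycles are tolerated)."""
    found, frontier = set(), {user_dn}
    while frontier:
        frontier = {g for g, members in groups.items()
                    if members & frontier} - found
        found |= frontier
    return found


def affiliations(member_of: set) -> list:
    """Same rule as the eduPersonAffiliation script: All-Staff members get
    'staff' and 'member'; anyone else gets no affiliation from this rule."""
    return ["staff", "member"] if STAFF_GROUP in member_of else []
```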

...


Add common-lib-terms to all Staff and Students

...

German-language page only at this time, but feel free to ask about this on the users mailing list if configuration and/or code are not sufficiently clear. Uses schacDateOfBirth and a Script-type AttributeDefinition to calculate whether the subject satisfies the business criteria for carrying a specific eduPersonEntitlement value, which include an age limit, without leaking the age (or birth date) of the subject to the relying party.