{"type":"doc","content":[{"type":"paragraph","content":[{"text":"Largely based on work by Vladimir Mencl, Tuakiri Federation, New Zealand (","type":"text"},{"text":"ResolverScriptAttributeDefinitionExamples","type":"text","marks":[{"type":"link","attrs":{"href":"/wiki/spaces/SHIB2/pages/2577072271"}}]},{"text":").","type":"text"}]},{"type":"paragraph","content":[{"text":"Active Directory and other LDAP directories support the ability to make one group a member of another and nest them. The directories usually, however, only return a ","type":"text"},{"text":"memberOf","type":"text","marks":[{"type":"code"}]},{"text":" attribute with the groups that the user is directly a member of and don't \"resolve\" those memberships unless asked specifically using a LDAP filter flag.","type":"text"}]},{"type":"paragraph","content":[{"text":"This is achieved by asking the directory for all the groups a given user (by distinguished name) is a member of but this needs a second LDAP query for which we need a second ","type":"text"},{"text":"DataConnector","type":"text","marks":[{"type":"code"}]},{"text":" which takes, as its input, the DN of the resolved user object.","type":"text"}]},{"type":"orderedList","attrs":{"order":1},"content":[{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Ensure your existing LDAP Data Connector provides the ","type":"text"},{"text":"dn","type":"text","marks":[{"type":"code"}]},{"text":" or ","type":"text"},{"text":"distinguishedName","type":"text","marks":[{"type":"code"}]},{"text":" attribute.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Create a new LDAP Data Connector with an ","type":"text"},{"text":"InputDataConnector","type":"text","marks":[{"type":"code"}]},{"text":" element referencing the existing one.","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"Set the search filter to","type":"text"},{"text":" (member:1.2.840.113556.1.4.1941:=${attributename.get(0)}) ","type":"text","marks":[{"type":"code"}]}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The results of the search will be a set of Group objects so tell the data connector it can have any number of responses (","type":"text"},{"text":"maxResultsSize=\"0\"","type":"text","marks":[{"type":"code"}]},{"text":")","type":"text"}]}]},{"type":"listItem","content":[{"type":"paragraph","content":[{"text":"The attributes returned will be collated into a set and made available to the resolver.","type":"text"}]}]}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Data Connector","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"Existing data connector (example)","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example existing data connector","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n \n \n \n\n %{idp.attribute.resolver.LDAP.returnAttributes}\n\n","type":"text"}]},{"type":"heading","attrs":{"level":2},"content":[{"text":"New data connector","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"New nested group resolver","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n\n\n \n\n \n \n \n\n \n distinguishedName\n sAMAccountName\n \n","type":"text"}]},{"type":"heading","attrs":{"level":1},"content":[{"text":"Attribute definition","type":"text"}]},{"type":"paragraph","content":[{"text":"You now have two (probably multi-valued) attributes available to use. For example you could map them into an affiliation or turn them into entitlements.","type":"text"}]},{"type":"heading","attrs":{"level":5},"content":[{"text":"Example attribute definition","type":"text","marks":[{"type":"strong"}]}]},{"type":"codeBlock","attrs":{"language":"xml"},"content":[{"text":"\n \n \n \n student\n CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk\n \n \n staff\n CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk\n \n \n member\n CN=All Students,OU=Groups,DC=example,DC=ac,DC=uk\n CN=All Staff,OU=Groups,DC=example,DC=ac,DC=uk\n \n ","type":"text"}]}],"version":1}

Browser not supported