author | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2022-11-07 19:57:45 +0300 |
committer | Arthur Schiwon <blizzz@arthur-schiwon.de> | 2022-11-10 15:48:51 +0300 |
commit | 94cc465b1274c16486f366fe65452d3c6f7ebddc (patch) | |
tree | 0f6cba53b967ab689b87b6a0032fc316b0c2d5e5 | |
parent | 7c67b3480b44dad690cb670c734eb6f903a67b92 (diff) |
[user_saml shib] expose group info via IdPenh/user_saml/groups
- changes the quota attribute name from the misunderstood URN to plain "quota"
- provides "groups" attribute with the common names of those
Signed-off-by: Arthur Schiwon <blizzz@arthur-schiwon.de>
-rw-r--r-- | user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml | 19 | ||||
-rwxr-xr-x[-rw-r--r--] | user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml | 41 | ||||
-rwxr-xr-x[-rw-r--r--] | user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties | 6 |
3 files changed, 44 insertions, 22 deletions
diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml
index 4dcd548..9ccf1f0 100644
--- a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml
+++ b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-filter.xml
@@ -1,10 +1,10 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
- This file is an EXAMPLE policy file. While the policy presented in this
+<!--
+ This file is an EXAMPLE policy file. While the policy presented in this
 example file is illustrative of some simple cases, it relies on the names of non-existent example services and the example attributes demonstrated in the default attribute-resolver.xml file.
- 
+
 Deployers should refer to the documentation for a complete list of components and their options.
 -->
@@ -21,10 +21,6 @@
 <afp:AttributeFilterPolicy id="example1">
 <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString" value="http://localhost/index.php/apps/user_saml/saml/metadata" />
- <afp:AttributeRule attributeID="eduPersonPrincipalName">
- <afp:PermitValueRule xsi:type="basic:ANY" />
- </afp:AttributeRule>
-
 <afp:AttributeRule attributeID="uid">
 <afp:PermitValueRule xsi:type="basic:ANY" />
 </afp:AttributeRule>
@@ -41,10 +37,13 @@
 <afp:PermitValueRule xsi:type="basic:ANY" />
 </afp:AttributeRule>
- <afp:AttributeRule attributeID="eduPersonPrincipalName">
- <afp:PermitValueRule xsi:type="basic:ANY" />
- </afp:AttributeRule>
+ <afp:AttributeRule attributeID="quota">
+ <afp:PermitValueRule xsi:type="basic:ANY"/>
+ </afp:AttributeRule>
+ <afp:AttributeRule attributeID="groups">
+ <afp:PermitValueRule xsi:type="basic:ANY"/>
+ </afp:AttributeRule>
 </afp:AttributeFilterPolicy>
diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml
index de435b5..cf623f2 100644..100755
--- a/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml
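Review bot: Together with the deletion in `@@ -21,10 +21,6 @@`, this hunk removes the last `eduPersonPrincipalName` AttributeRule visible in the `example1` policy, so that attribute is no longer released to the user_saml SP at all, and neither the hunks nor the commit message say this is intended. If the SP now identifies users by `uid` (still released) that is fine, but state it in the commit message; otherwise keep one `<afp:AttributeRule attributeID="eduPersonPrincipalName">` rule beside the new `quota` and `groups` rules. The policy lines between the two hunks are not in view, so a further copy of the rule there cannot be ruled out.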
+++ b/user_saml_shibboleth-php8.0/shibboleth/conf/attribute-resolver.xml
@@ -1,12 +1,12 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!--
+<!--
 This file is an EXAMPLE configuration file containing lots of commented example attributes, encoders, and a couple of example data connectors.
- 
+
 Not all attribute definitions or data connectors are demonstrated, but a variety of LDAP attributes, some common to Shibboleth deployments and many not, are included.
- 
+
 Deployers should refer to the Shibboleth 2 documentation for a complete list of components and their options.
 -->
@@ -141,8 +141,13 @@
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="quota" sourceAttributeID="quota">
 <resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:quota" encodeType="false" />
- <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:quota" friendlyName="quota" encodeType="false" />
+ <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="quota" friendlyName="quota" encodeType="false" />
 </resolver:AttributeDefinition>
+
+ <resolver:AttributeDefinition id="groups" xsi:type="ad:Simple" sourceAttributeID="cn">
+ <resolver:Dependency ref="groupMemberships" />
+ <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="groups" friendlyName="groups"/>
+ </resolver:AttributeDefinition>
 <!--
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
 <resolver:Dependency ref="myLDAP" />
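Review bot: The new `groups` encoder in `@@ -141,8 +141,13 @@` omits the `encodeType="false"` that the `quota` SAML2String encoder two lines above and every other encoder in this hunk carry, so the two attributes this commit touches are encoded differently for no stated reason; for consistency use `<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="groups" friendlyName="groups" encodeType="false" />`. The `quota` definition also keeps its SAML1 encoder name `urn:mace:dir:attribute-def:quota` while the SAML2 name becomes plain `quota`; if SAML1 is unused in this test bed that is harmless, but a one-line comment on the definition explaining why the plain SAML2 name is required would spare the next reader the same "misunderstood urn" detour the commit message mentions. The `groupMemberships` dependency referenced here is defined by the `@@ -296,4 +301,20 @@` hunk further down in this file.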
@@ -158,12 +163,12 @@
 <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:departmentNumber" encodeType="false" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.2" friendlyName="departmentNumber" encodeType="false" />
 </resolver:AttributeDefinition>
- 
+
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="displayName" sourceAttributeID="displayName">
 <resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:displayName" encodeType="false" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:2.16.840.1.113730.3.1.241" friendlyName="displayName" encodeType="false" />
- </resolver:AttributeDefinition>
+ </resolver:AttributeDefinition>
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="employeeNumber" sourceAttributeID="employeeNumber">
 <resolver:Dependency ref="myLDAP" />
@@ -239,7 +244,7 @@
 <resolver:AttributeEncoder xsi:type="enc:SAML1ScopedString" name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation" encodeType="false" />
 <resolver:AttributeEncoder xsi:type="enc:SAML2ScopedString" name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" friendlyName="eduPersonScopedAffiliation" encodeType="false" />
 </resolver:AttributeDefinition>
- 
+
 <resolver:AttributeDefinition xsi:type="ad:Simple" id="eduPersonAssurance" sourceAttributeID="eduPersonAssurance">
 <resolver:Dependency ref="myLDAP" />
 <resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:eduPersonAssurance" encodeType="false" />
@@ -264,8 +269,8 @@
 <!--
 <resolver:DataConnector id="mySIS" xsi:type="dc:RelationalDatabase">
 <dc:ApplicationManagedConnection jdbcDriver="oracle.jdbc.driver.OracleDriver"
- jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
- jdbcUserName="myid"
+ jdbcURL="jdbc:oracle:thin:@db.example.org:1521:SomeDB"
+ jdbcUserName="myid"
 jdbcPassword="mypassword" />
 <dc:QueryTemplate>
 <![CDATA[
@@ -280,7 +285,7 @@
 <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
 ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
- baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
+ baseDN="%{idp.attribute.resolver.LDAP.baseDN}"
 principal="%{idp.attribute.resolver.LDAP.bindDN}"
 principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
 useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}">
@@ -296,4 +301,20 @@
 -->
 </resolver:DataConnector>
+ <resolver:DataConnector id="groupMemberships" xsi:type="dc:LDAPDirectory"
+ ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+ baseDN="%{idp.attribute.resolver.LDAP.groupBaseDN}"
+ principal="%{idp.attribute.resolver.LDAP.bindDN}"
+ principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+ useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+ maxResultSize="0"
+ >
+ <dc:FilterTemplate>
+ <![CDATA[
+ %{idp.attribute.resolver.LDAP.groupFilter}
+ ]]>
+ </dc:FilterTemplate>
+ <dc:ReturnAttributes>cn</dc:ReturnAttributes>
+ </resolver:DataConnector>
+
 </resolver:AttributeResolver>
diff --git a/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties b/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties
index c6d8c2e..9fd399a 100644..100755
--- a/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties
+++ b/user_saml_shibboleth-php8.0/shibboleth/conf/ldap.properties
@@ -20,7 +20,7 @@ idp.authn.LDAP.trustStore = %{idp.home}/credentials/ldap-s
 ## Return attributes during authentication
 ## NOTE: this is not used during attribute resolution; configure that directly in the
 ## attribute-resolver.xml configuration via a DataConnector's <dc:ReturnAttributes> element
-idp.authn.LDAP.returnAttributes = cn,businessCategory,mail
+idp.authn.LDAP.returnAttributes = cn,mail,quota,groups
 ## DN resolution properties ##
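Review bot: The new `groupMemberships` connector in `@@ -296,4 +301,20 @@` enables StartTLS via `useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"` but carries no trust material for that handshake, so certificate validation of this second directory connection falls back to whatever the IdP's default trust is, while the `idp.attribute.resolver.LDAP.trustCertificates` property that exists for exactly this purpose (context line in the `@@ -41` hunk of ldap.properties) goes unused here. The body of `myLDAP` is not in view; if it configures StartTLS trust from that property (a `<dc:StartTLSTrustCredential>` child, as the stock resolver does), mirror it in this connector so both LDAP connections validate the directory the same way. `maxResultSize="0"` also deserves a comment such as `<!-- one entry per group the principal belongs to; 0 lifts the default result limit so every group cn is collected -->`, assuming 0 does mean unlimited for this connector type.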
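Review bot: `idp.authn.LDAP.returnAttributes = cn,mail,quota,groups` in `@@ -20,7 +20,7 @@` lists `groups`, which is not an attribute of the user entry — this commit derives it from the `groupMemberships` connector's `cn` in attribute-resolver.xml — and the NOTE two lines above says this property is not used for attribute resolution anyway, so the `groups` entry is presumably inert. The same line drops `businessCategory` without a word in the commit message. Either keep the list to attributes the authentication step actually reads, `idp.authn.LDAP.returnAttributes = cn,mail,quota`, or add a comment explaining why `groups` is listed.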
@@ -41,11 +41,13 @@ idp.authn.LDAP.dnFormat = uid=%s,ou=people,dc=idptestbed
 # LDAP attribute configuration, see attribute-resolver.xml
 idp.attribute.resolver.LDAP.ldapURL = %{idp.authn.LDAP.ldapURL}
 idp.attribute.resolver.LDAP.baseDN = %{idp.authn.LDAP.baseDN}
+idp.attribute.resolver.LDAP.groupBaseDN = ou=Groups,dc=idptestbed
 idp.attribute.resolver.LDAP.bindDN = %{idp.authn.LDAP.bindDN}
 idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential}
 idp.attribute.resolver.LDAP.useStartTLS = %{idp.authn.LDAP.useStartTLS:true}
 idp.attribute.resolver.LDAP.trustCertificates = %{idp.authn.LDAP.trustCertificates}
 idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principalName)
+idp.attribute.resolver.LDAP.groupFilter = (&(objectclass=groupOfNames)(member=uid=$requestContext.principalName,ou=People,*))
 # LDAP pool configuration, used for both authn and DN resolution
 #idp.pool.LDAP.minSize = 3
@@ -56,4 +58,4 @@ idp.attribute.resolver.LDAP.searchFilter = (uid=$requestContext.principal
 #idp.pool.LDAP.prunePeriod = 300
 #idp.pool.LDAP.idleTime = 600
 #idp.pool.LDAP.blockWaitTime = 3000
-#idp.pool.LDAP.failFastInitialize = false
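Review bot: `idp.attribute.resolver.LDAP.groupFilter` matches `member` with a trailing wildcard, `(member=uid=$requestContext.principalName,ou=People,*)`, which is a substring assertion on a DN-syntax attribute; directories whose schema defines no substring matching rule for `member` (OpenLDAP's core schema gives it only `distinguishedNameMatch`) evaluate such a filter as Undefined and return no entries, so the new `groups` attribute would be silently empty. The hunk header shows the user DN shape as `uid=%s,ou=people,dc=idptestbed`, so an equality assertion on the full DN is both supported and more precise: `idp.attribute.resolver.LDAP.groupFilter = (&(objectclass=groupOfNames)(member=uid=$requestContext.principalName,ou=people,dc=idptestbed))`. If the wildcard is meant to cover several user containers, say so in a comment, since the `dc=idptestbed` suffix is already hard-coded in `groupBaseDN` on the line added above.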
\ No newline at end of file
+#idp.pool.LDAP.failFastInitialize = false |