Identity Provider / IDP-652

ldap configuration is ignoring idp.authn.LDAP.returnAttributes from ldap.properties

      Description

      Hi,

      When writing our (Tuakiri, NZ federation) documentation on setting up a V3 IdP, I noticed that ldap.properties has a setting for attributes to return from LDAP which is apparently never used.

      idp.authn.LDAP.returnAttributes = cn,businessCategory,mail

      I've just looked into whether there would be an easy fix to finish the (apparently incomplete) feature - like, by adding a line along these lines to the sample configuration in attribute-resolver-{ldap,full}.xml:

      <dc:ReturnAttributes>%{idp.authn.LDAP.returnAttributes}</dc:ReturnAttributes>

      but I found a number of issues:

      • The returnAttributes setting only exists in the idp.authn.LDAP space, not in idp.attribute.resolver.LDAP - that would still be easy to add.
      • It also seems it would need a special case for when the property is intentionally unset (set to empty string) - and in that case, skip the whole line (otherwise, the resolver requests a single attribute named as empty string "").
      • The default values are comma separated, while the resolver expects a white-space separated list.
      • Even when changing the definition in ldap.properties to use whitespace, it breaks - the tokenization happens before substitution and so the list expanded from the property is passed as a single attribute request - requesting a single attribute named "mail uid cn".

      Overall, this now looks quite complicated - and the simplest fix might be to remove idp.authn.LDAP.returnAttributes from ldap.properties.

      Just reporting - up to you to decide...

      Cheers,
      Vlad
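To make the ordering problem in the last two bullets concrete, here is an added example (not Shibboleth IdP code, and not the reporter's) that models the two ways a `%{...}` placeholder in `<dc:ReturnAttributes>` can be processed. The property map, the `idp.attribute.resolver.LDAP.returnAttributes` name and the whitespace-separated variant are constructed for illustration; the real IdP uses Spring property substitution, which this only approximates.

```python
import re

# Constructed stand-in for ldap.properties. The first entry is the one the
# report quotes; the second is a hypothetical resolver-space property that is
# intentionally left empty (the "unset" case from the report).
PROPERTIES = {
    "idp.authn.LDAP.returnAttributes": "cn,businessCategory,mail",
    "idp.attribute.resolver.LDAP.returnAttributes": "",
}

PLACEHOLDER = re.compile(r"%\{([^}]+)\}")


def substitute(text: str, props: dict) -> str:
    """Expand every %{name} placeholder; an unknown name expands to ''."""
    return PLACEHOLDER.sub(lambda m: props.get(m.group(1), ""), text)


def tokenize_then_substitute(element_text: str, props: dict) -> list:
    """Order the report describes as broken: split the raw element text on
    whitespace first, then expand each token. A single placeholder therefore
    always yields exactly one attribute name, whatever it expands to."""
    return [substitute(tok, props) for tok in element_text.split()]


def substitute_then_tokenize(element_text: str, props: dict) -> list:
    """Order that gives the intended result: expand first, then split on
    commas or whitespace (so either separator style works) and drop empty
    names, so an intentionally empty property requests no attributes."""
    expanded = substitute(element_text, props)
    return [name for name in re.split(r"[,\s]+", expanded) if name]


if __name__ == "__main__":
    elem = "%{idp.authn.LDAP.returnAttributes}"
    print(tokenize_then_substitute(elem, PROPERTIES))  # ['cn,businessCategory,mail']
    print(substitute_then_tokenize(elem, PROPERTIES))  # ['cn', 'businessCategory', 'mail']
    empty = "%{idp.attribute.resolver.LDAP.returnAttributes}"
    print(tokenize_then_substitute(empty, PROPERTIES))  # ['']  -> one attribute named ""
    print(substitute_then_tokenize(empty, PROPERTIES))  # []
```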

            People

            Assignee:
            cantor.2@osu.edu Scott Cantor
            Reporter:
            vme28@canterbury.ac.nz Vladimir Mencl
            Watchers:
            4
