Discussion:
LDAP Data Connector not finding extended schema attribute
k***@public.gmane.org
2014-09-16 15:57:29 UTC
Hello all,

Apologies if this has already been asked or is posted somewhere online. I've been searching for a few days now and I can't seem to find any answers that can help me.

We have extended our Active Directory Schema to include some other (non-standard) attributes. I'm trying to get the IdP to release these attributes, but with the logs set to DEBUG, I don't see them as being found by the LDAP data connector. For the attributes that it does find, it releases them fine to the SP and aacli. Could anyone out there give me a hand or point me in the right direction?

Thanks so much,
Kenny
Martin, Andrew J.
2014-09-16 16:16:12 UTC
Kenny,

I ran into similar issues when I tried to release AD's "whenChanged" attribute as a Shibboleth attribute.

It ended up being that the domain service account we used for our LDAP connector did not have permissions to see the requested attribute in AD.

Try logging in and doing an LDAP query as the service account your Shibboleth is using; I'd be willing to bet you won't be able to see the attribute you're trying to release.

Good luck!

-Andy
David Gersic
2014-09-16 16:18:09 UTC
What happens if you use something simple, like ldapsearch, to search for the object and request the attributes, using the same account/password as you have configured for the LDAP connector in the IdP?
--
To unsubscribe from this list send an email to users-unsubscribe-***@public.gmane.org
Dave Perry
2014-09-17 09:26:45 UTC
Following on from this, our AD analyst created a login for our web services so we can roam around the entire AD tree. Shibboleth is the first to use it; we're trying to switch everything we can to it eventually.

Dave

_________________________________________________
Dave Perry
eLearning Technologist, Hull College Group
Peter Schober
2014-09-16 16:59:07 UTC
Besides ACLs/ACIs there's also the potential issue (documented in the
wiki[1]) of what port you're querying (RFC standard port vs. global
catalog port) and whether the attribute in question is part of the
"Partial Attribute Set" when querying the global catalog port.

So it all depends on your MS-AD deployment and how you configured
Shibboleth to access it.
-peter

[1] https://wiki.shibboleth.net/confluence/display/SHIB2/LdapServerIssues
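The three checks suggested in this thread (Andrew's: bind as the IdP's own service account and see whether the attribute is even readable; David's: do that with plain ldapsearch; Peter's: run the same query on the standard LDAP port and on the global catalog port, and find out whether the attribute is in the partial attribute set) fit into one small script. The script below is an added example, not code from the thread, from Shibboleth or from Microsoft. It assumes OpenLDAP's ldapsearch is installed, and the hostname dc1.example.edu, the bind DN, the password file path, the base DN and the attribute name exampleExtAttr are all placeholders standing in for whatever is configured in the IdP's LDAP DataConnector. The LDIF embedded in the script is constructed to look like what a domain controller returns when the binding account lacks Read Property permission on one attribute: the object comes back, but the attribute is silently omitted, with no error.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduce the IdP's LDAP query as the
# IdP's service account, on the standard port and on the global catalog port,
# and report which of the configured attributes actually come back.
# Every name below is a placeholder; set the variables to match your IdP config.

AD_HOST="${AD_HOST:-dc1.example.edu}"                                  # placeholder
BIND_DN="${BIND_DN:-CN=svc-shib,OU=Service Accounts,DC=example,DC=edu}" # placeholder
BIND_PW_FILE="${BIND_PW_FILE:-/etc/shibboleth/ad.pw}"                  # placeholder
BASE_DN="${BASE_DN:-DC=example,DC=edu}"                                # placeholder
SCHEMA_DN="CN=Schema,CN=Configuration,$BASE_DN"
ATTRS="sAMAccountName mail exampleExtAttr"   # exampleExtAttr: hypothetical extended-schema attribute

# attr_present NAME  (LDIF on stdin): exit 0 if NAME occurs as an attribute,
# 1 otherwise. Continuation lines (leading space) are skipped; the attribute
# name is whatever precedes the first ':' or ';', so base64 values ("attr::")
# and ranged values ("member;range=0-1499") still match; the comparison is
# case-insensitive, as LDAP attribute names are.
attr_present() {
    awk -v want="$1" '
        /^ / { next }
        { name = $0; sub(/[:;].*/, "", name) }
        tolower(name) == tolower(want) { found = 1 }
        END { exit found ? 0 : 1 }'
}

# report_attrs "NAME NAME ..."  (LDIF on stdin): one line per attribute.
report_attrs() {
    ldif=$(cat)
    for a in $1; do
        if printf '%s\n' "$ldif" | attr_present "$a"; then
            printf '%-20s present\n' "$a"
        else
            printf '%-20s MISSING\n' "$a"
        fi
    done
}

# The search the IdP's DataConnector performs, bound as the same account.
# Port 389 is plain LDAP; 3268 is the AD global catalog, which only returns
# attributes in the partial attribute set. -y reads the password from a file
# so it does not appear in the process list.
query_user() {   # query_user PORT sAMAccountName
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$AD_HOST:$1" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$BASE_DN" \
        "(sAMAccountName=$2)" $ATTRS
}

# Whether the attribute is replicated to the global catalog at all: the
# attributeSchema object carries isMemberOfPartialAttributeSet.
in_partial_attribute_set() {   # in_partial_attribute_set lDAPDisplayName
    ldapsearch -LLL -o ldif-wrap=no -H "ldap://$AD_HOST:389" \
        -D "$BIND_DN" -y "$BIND_PW_FILE" -b "$SCHEMA_DN" \
        "(lDAPDisplayName=$1)" isMemberOfPartialAttributeSet |
        grep -qi '^isMemberOfPartialAttributeSet: TRUE'
}

# Constructed sample: what a DC returns when the bind account may not read
# exampleExtAttr. The object is returned, the attribute is just absent.
SAMPLE_LDIF='dn: CN=Kenny,OU=People,DC=example,DC=edu
sAMAccountName: kenny
mail: kenny@example.edu
thumbnailPhoto:: /9j/4AAQ
 SkZJRg=='

# Offline demonstration on the constructed sample.
demo() {
    printf '%s\n' "$SAMPLE_LDIF" | report_attrs "$ATTRS"
}

# Against a real DC (uncomment): compare both ports for one user, then check
# the schema flag for whichever attribute is missing on 3268 but not on 389.
# for p in 389 3268; do echo "== port $p"; query_user "$p" kenny | report_attrs "$ATTRS"; done
# in_partial_attribute_set exampleExtAttr && echo in-GC || echo "not in GC, or no read access to the schema"
demo
```

If an attribute is MISSING on both ports, the cause is permissions (the thread's actual outcome) or the attribute simply not being set on that object; if it is present on 389 and MISSING on 3268, the IdP is talking to the global catalog and the attribute is not in the partial attribute set. For a production check use ldaps:// (636, or 3269 for the global catalog) or add -ZZ for STARTTLS, since a simple bind over plain 389 sends the service account's password in clear text.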
k***@public.gmane.org
2014-09-16 18:36:53 UTC
Hi everyone,

The problem was indeed the user didn't have access to those attributes.

Thank you!
Kenny