
LDAP Attribute Store microservice should do case-insensitive comparisons when appropriate #347

Open
skoranda opened this issue Jan 31, 2021 · 1 comment

The LDAP Attribute Store microservice should allow for case-insensitive comparisons when appropriate. For example, if the primary identifier from the upstream authenticating IdP is eduPersonPrincipalName, and the microservice is searching for the value in LDAP to resolve attributes for the user, the search should be able to take into account that eduPersonPrincipalName is defined for case-insensitive match.

We cannot simply rely on the LDAP directory for this because, while the value stored in the LDAP directory is known to be an eduPersonPrincipalName, it may be stored in a different attribute in LDAP, like voPersonExternalID. So the microservice should allow the deployer to explicitly arrange for the search to be case-insensitive.

Code Version

7.0.3

Expected Behavior

Deployers should be able to configure the microservice so that case-insensitive searches against values passed into the microservice can be accomplished.

Current Behavior

The search filter used with the LDAP query does not take into account that the deployer may want to do a case-insensitive search.

Possible Solution

More configuration syntax and a more sophisticated LDAP query search filter.

@skoranda skoranda self-assigned this Jan 31, 2021
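As an added example (not code from SATOSA, its LDAP Attribute Store microservice, or this issue), the following shows one way the "more configuration syntax and a more sophisticated search filter" could look. A hypothetical per-attribute `case_insensitive` flag in the deployer config is turned into an RFC 4511 extensible-match assertion `(attr:caseIgnoreMatch:=value)`, which asks the server to apply the `caseIgnoreMatch` rule regardless of the attribute's schema `EQUALITY` rule (so an ePPN stored in an attribute defined with `caseExactMatch` can still be found). The assertion value is escaped per RFC 4515 because the identifier comes from an upstream IdP and must not be able to inject filter syntax, and the result set is re-checked client-side and rejected when it is not exactly one entry, since a case-insensitive rule can collapse two distinct stored values into one match. The config keys, attribute choices, and directory entries are assumptions made for the example; OpenLDAP honours extensible-match filters with a named matching rule, but not every server does (Active Directory only supports a few vendor-specific rules, though its string attributes are case-insensitive by default), so the server must be checked before relying on this.

```python
"""Case-insensitive identifier lookup for an LDAP attribute-store lookup.

Added example for this issue; not SATOSA or pyMultiLDAP code.
Assumed (hypothetical) deployer config: a list of
{"attr": "<ldap attribute>", "case_insensitive": <bool>} dicts.
"""
from __future__ import annotations

from typing import Any, Dict, List, Mapping, Optional, Sequence

Entry = Dict[str, Any]  # "dn" -> str, attribute name -> list of str values


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 (\\XX hex escapes).

    The identifier is attacker-influenced input from the upstream IdP, so
    '(', ')', '*', '\\', NUL, control bytes and non-ASCII are all escaped to
    stop it from closing or extending the filter we build around it.
    """
    out: List[str] = []
    for byte in value.encode("utf-8"):
        if byte in (0x00, 0x28, 0x29, 0x2A, 0x5C) or byte < 0x20 or byte > 0x7E:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def build_lookup_filter(lookup_attrs: Sequence[Mapping[str, Any]], value: str,
                        object_class: Optional[str] = None) -> str:
    """Build an OR of one assertion per configured attribute.

    Exact attributes get a plain equality assertion and inherit the schema
    EQUALITY rule. Case-insensitive ones get an extensible-match assertion
    with an explicit caseIgnoreMatch rule (RFC 4511 extensibleMatch), which
    overrides the schema rule, e.g. when an ePPN is stored in an attribute
    that the schema defines with EQUALITY caseExactMatch.
    """
    escaped = escape_filter_value(value)
    terms: List[str] = []
    for spec in lookup_attrs:
        attr = str(spec["attr"])
        if spec.get("case_insensitive", False):
            terms.append("(%s:caseIgnoreMatch:=%s)" % (attr, escaped))
        else:
            terms.append("(%s=%s)" % (attr, escaped))
    body = terms[0] if len(terms) == 1 else "(|%s)" % "".join(terms)
    if object_class:
        body = "(&(objectClass=%s)%s)" % (escape_filter_value(object_class), body)
    return body


def _equal(stored: str, presented: str, case_insensitive: bool) -> bool:
    """Compare one stored value with the presented identifier under the configured rule."""
    if case_insensitive:
        return stored.casefold() == presented.casefold()
    return stored == presented


def _entry_matches(entry: Entry, lookup_attrs: Sequence[Mapping[str, Any]], value: str) -> bool:
    return any(
        _equal(stored, value, bool(spec.get("case_insensitive", False)))
        for spec in lookup_attrs
        for stored in entry.get(str(spec["attr"]), [])
    )


def resolve_entry(entries: Sequence[Entry], lookup_attrs: Sequence[Mapping[str, Any]],
                  value: str) -> Entry:
    """Select exactly one directory entry for the presented identifier.

    The match is re-checked client-side with the same rule the filter asked
    for (defence in depth if the server ignored the matching rule), and a
    result set of zero or several entries is refused: resolving attributes
    for the wrong user is worse than failing the login.
    """
    hits = [e for e in entries if _entry_matches(e, lookup_attrs, value)]
    if len(hits) != 1:
        raise LookupError("expected exactly one entry for %r, got %d" % (value, len(hits)))
    return hits[0]


# Hypothetical deployer configuration for the example.
LOOKUP_ATTRS: List[Dict[str, Any]] = [
    {"attr": "eduPersonPrincipalName", "case_insensitive": True},
    {"attr": "voPersonExternalID", "case_insensitive": True},
]

# Constructed sample directory data (what the server would return), not real users.
SAMPLE_ENTRIES: List[Entry] = [
    {"dn": "uid=jdoe,ou=people,dc=example,dc=org",
     "voPersonExternalID": ["Jane.Doe@idp.example.edu"],
     "mail": ["jdoe@example.org"]},
    {"dn": "uid=bsmith,ou=people,dc=example,dc=org",
     "eduPersonPrincipalName": ["bsmith@example.org"]},
]

if __name__ == "__main__":
    presented = "jane.doe@IDP.example.edu"  # as the upstream IdP sent it
    print(build_lookup_filter(LOOKUP_ATTRS, presented, "person"))
    print(resolve_entry(SAMPLE_ENTRIES, LOOKUP_ATTRS, presented)["dn"])
```

With ldap3 (which the SATOSA microservice uses) the hand-written escaper can be replaced by `ldap3.utils.conv.escape_filter_chars`; the filter string itself is passed unchanged to `Connection.search`. The ambiguity check matters in practice: once the lookup ignores case, two entries differing only in case of the stored identifier would both match, and the microservice should fail closed rather than pick the first.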
peppelinux commented Jan 31, 2021

Hi Scott, it's been a long time since I used SATOSA's ldap_attr_store, but I faced what you're describing.
I'm using pyMultiLDAP, and it comes with a SATOSA microservice, here:

https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.yaml.example
https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.py

It can be executed completely out of band, for doing tests outside SATOSA; the configuration is stored in an external file, here is an example:
https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.example

Two useful features:

  • allows you to query multiple LDAP / ADFS servers
  • also allows you to do attribute rewrite on the fly

It is also heavily based on Cannata's ldap3.

Returning from the off-topic ...

I had "fought" to achieve the desired result as well. As you will have noticed in the example of the multildap SATOSA microservice, I make the match on schacPersonalUniqueID, which in fact, from the schema, comes with "EQUALITY caseExactMatch"; therefore, even providing the LDAP case-insensitive filter, I didn't get anything. At the same time, I think the example would be good for you: you match on a case-insensitive field. Give it a chance.
