By: Marek Grzybowski user 14 Dec 2015 at 3:14 p.m. CST

5 Responses
Hi. Following advice from this issue https://github.com/GluuFederation/oxAuth/issues/107 I'm creating this ticket. I'm trying to pass the "memberOf" LDAP attribute to the client as a claim. First I'm creating memberOf attributes for some user (the Gluu GUI allows only a single attribute of the given name, so I add memberOf by hand for some test user):

cat > add_memberof.ldif << _EOF_
dn: inum=@!AB0C.0D5D.4748.501D!0001!77A6.F669!0000!5624.5FFB,ou=people,o=@!AB0C.0D5D.4748.501D!0001!77A6.F669,o=gluu
changetype: modify
add: memberOf
memberOf: bleble1,ou=xxx
memberOf: bleble2,ou=yyy
_EOF_
/opt/opendj/bin/ldapmodify -p 1389 -D 'cn=directory manager' -w 'xxxxxxxx' -f add_memberof.ldif

Then I'm adding the "memberOf" attribute to the scope "profile", then I'm configuring the client to request the scope "profile". When I log in to the client as that user, I see all the other existing claims set in the "profile" scope except "memberOf". Am I missing something here? Mike Schwartz asked "did you register this attribute" (memberOf); what did he mean by that?

By Michael Schwartz Account Admin 14 Dec 2015 at 4:21 p.m. CST

Can you paste a view of the Scope showing the memberOf user claim so we can confirm that it's been saved properly. We'll try to replicate this issue. What version of Gluu Server are you using?

By Marek Grzybowski user 15 Dec 2015 at 4:15 a.m. CST

Hi, I'm testing gluu-server24 2.4.0-2 on Ubuntu 14.04. As requested, a view of the "profile" scope with the added memberOf claim: http://pasteboard.co/32x8IWr.jpg And the test user example: http://pasteboard.co/32AIisl.jpg id_token generated by Gluu: id_token:"eyJ0eXAiOiJKV1MiLCJhbGciOiJIUzI1NiJ9.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.Y21HdPLIEPiZ5Pe47LUzGh7wK8UPx47s9zwGAwLKBq0" My goal is to synchronize Gluu with OpenLDAP and authenticate in LDAP (which is working out of the box with Gluu 2.4, not working in 2.3.x), then use mod_auth_openidc as a replacement for mod_auth_ldap. The only thing that is missing is information about group membership in the claims. OpenAM concatenates all "memberOf" attributes for a user into a single string; I was hoping that Gluu would do something similar.

By Aliaksandr Samuseu staff 15 Dec 2015 at 1:21 p.m. CST

Hi, Marek. You need to visit the "Configuration -> Attributes" page. Find the "memberOf" attribute in the list there, open it for editing and make sure the properties marked in green on the picture I've attached to this post are set accordingly. You must set "Usage type" as such for attributes you need to be available for OIDC workflows, and you also must assign some "oxAuth claim name" to them. Until I'd done that for memberOf I also couldn't get it requested by the RP. But, still, it seems there is another issue. I'm only able to see one entry of my new member_of claim in the output of the test Python script. I'm still unsure whether it's a problem of Gluu, of the script itself, or of mod_auth_openidc. Marek, could you check for yourself and let us know whether you're able to receive both entries of memberOf at the RP? Regards, Alex.

By Aliaksandr Samuseu staff 15 Dec 2015 at 1:36 p.m. CST

Updated: I've just verified that the userinfo endpoint sends both values of member_of in its response (check the picture in the attachment). It seems Gluu isn't at fault here.

By Marek Grzybowski user 16 Dec 2015 at 1:39 p.m. CST

Hi Aliaksandr, thank you for pointing out the "Configuration -> Attributes" page. It's an awesome feature of Gluu that any LDAP attribute can be scripted. My current OpenID Connect flow takes claims from the id_token. The id_token that is set by Gluu does not have the list of memberOf attributes, only the first element of that list.