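I have a Shibboleth IdP configured to authenticate against Zentyal 5. I am able to authenticate with a valid user, but the IdP is unable to resolve the attributes.
I can see from the logs below that the attributes are found but not resolved.
*********************** Attributes found ***********************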
*********************** Attributes not resolved ***********************
10:41:26.940 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:119] - shibboleth.AttributeResolver resolving attributes for principal edison
10:41:26.940 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:275] - Specific attributes for principal edison were not requested, resolving all attributes.
10:41:26.941 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute employeeType for principal edison
10:41:26.942 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:354] - Resolving data connector myLDAP for principal edison
10:41:26.961 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:308] - Search filter: (sAMAccountName=edison)
10:41:26.961 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:363] - LDAP data connector myLDAP - Retrieving attributes from LDAP
10:41:27.004 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: lastlogontimestamp[131406840205649190]
10:41:27.005 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: countrycode[0]
10:41:27.005 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: givenname[Edison]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: whenchanged[20170531060020.0Z]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: lastlogoff[0]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: instancetype[4]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: codepage[0]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: uidnumber[65536]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: usncreated[3827]
10:41:27.006 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: quota[500]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: usnchanged[3866]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: logoncount[0]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: badpwdcount[0]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: whencreated[20170505111349.0Z]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: description[Testing]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: name[Edison Trutwein]
10:41:27.007 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: objectcategory[CN=Person,CN=Schema,CN=Configuration,DC=list,DC=test]
10:41:27.042 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: homedirectory[/home/edison]
10:41:27.042 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: objectclass[organizationalPerson, person, posixAccount, systemQuotas, user, top]
10:41:27.058 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: sn[Trutwein]
10:41:27.058 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: useraccountcontrol[512]
10:41:27.058 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: lastlogon[0]
10:41:27.075 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: pwdlastset[131406013011869710]
10:41:27.076 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: samaccounttype[805306368]
10:41:27.076 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: badpasswordtime[0]
10:41:27.076 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: gidnumber[2513]
10:41:27.079 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: distinguishedname[CN=Edison Trutwein,CN=Users,DC=list,DC=test]
10:41:27.079 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: cn[Edison Trutwein]
10:41:27.079 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: entrydn[CN=Edison Trutwein,CN=Users,DC=list,DC=test]
10:41:27.217 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: primarygroupid[513]
10:41:27.218 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: samaccountname[edison]
10:41:27.218 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: objectsid[ֹP<ψ0�vQ]
10:41:27.218 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: accountexpires[9223372036854775807]
10:41:27.232 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: userprincipalname[edison@list.TEST]
10:41:27.232 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: objectguid[�����H�.����]
10:41:27.232 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:414] - LDAP data connector myLDAP - Found the following attribute: displayname[Edison Trutwein]
10:41:27.258 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute employeeType containing 0 values
10:41:27.259 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute uid for principal edison
10:41:27.259 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:336] - Resolved attribute uid containing 0 values
10:41:27.259 - DEBUG [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:314] - Resolving attribute eduPersonPrincipalName for principal edison
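Answer 0 (score: 3)
I was able to solve the problem by providing the correct mapping in the attribute-resolver.xml and attribute-filter.xml files. Now the attributes are getting resolved, but the Shibboleth SP is not reading them :(
The id in attribute-resolver.xml should match the attributeID in attribute-filter.xml.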
attribute-resolver.xml
<resolver:AttributeDefinition xsi:type="ad:Simple" id="sAMAccountName" sourceAttributeID="samaccountname">
<resolver:Dependency ref="myLDAP" />
<resolver:AttributeEncoder xsi:type="enc:SAML1String" name="urn:mace:dir:attribute-def:samaccountname" />
<resolver:AttributeEncoder xsi:type="enc:SAML2String" name="urn:oid:1.2.840.113556.1.4.221" friendlyName="samaccountname" />
</resolver:AttributeDefinition>
attribute-filter.xml
<afp:AttributeRule attributeID="sAMAccountName">
<afp:PermitValueRule xsi:type="basic:ANY"/>
</afp:AttributeRule>
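The mapping rule from the answer can be checked mechanically before restarting the IdP. The following is an added example, not code from the original post or from the Shibboleth project: it cross-checks every AttributeDefinition against the attribute names the LDAP connector logged and against the AttributeRule entries in the filter. The function names, the trimmed sample XML and the abbreviated log lines are constructed for illustration, and names are compared exactly as written.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples: two definitions, one filter rule, two abbreviated log lines.
RESOLVER_XML = """<r:AttributeResolver xmlns:r="urn:mace:shibboleth:2.0:resolver">
  <r:AttributeDefinition id="sAMAccountName" sourceAttributeID="samaccountname"/>
  <r:AttributeDefinition id="uid" sourceAttributeID="uid"/>
</r:AttributeResolver>"""
FILTER_XML = """<afp:AttributeFilterPolicyGroup xmlns:afp="urn:mace:shibboleth:2.0:afp">
  <afp:AttributeFilterPolicy id="example">
    <afp:AttributeRule attributeID="sAMAccountName"/>
  </afp:AttributeFilterPolicy>
</afp:AttributeFilterPolicyGroup>"""
IDP_LOG = """LDAP data connector myLDAP - Found the following attribute: samaccountname[edison]
LDAP data connector myLDAP - Found the following attribute: uidnumber[65536]"""


def local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def elements(xml_text, name):
    """All elements with the given local name, regardless of namespace prefix."""
    return [e for e in ET.fromstring(xml_text).iter() if local(e.tag) == name]


def audit(resolver_xml, filter_xml, idp_log):
    """Return {definition id: [problems]} for every AttributeDefinition."""
    # Attribute names exactly as the connector reported them in the DEBUG log.
    found = set(re.findall(r"Found the following attribute: ([^\[\s]+)\[", idp_log))
    rules = {e.get("attributeID") for e in elements(filter_xml, "AttributeRule")}
    report = {}
    for d in elements(resolver_xml, "AttributeDefinition"):
        attr_id = d.get("id")
        # Assumption: with no sourceAttributeID, the definition id is the source name.
        source = d.get("sourceAttributeID", attr_id)
        problems = []
        if source not in found:
            problems.append("source %r not returned by the connector" % source)
        if attr_id not in rules:
            problems.append("no AttributeRule with attributeID=%r" % attr_id)
        report[attr_id] = problems
    return report


if __name__ == "__main__":
    for attr_id, problems in audit(RESOLVER_XML, FILTER_XML, IDP_LOG).items():
        print(attr_id, "OK" if not problems else "; ".join(problems))
```

A definition flagged for a missing source resolves to 0 values, as `uid` does in the log above; one flagged for a missing rule resolves but is not released to the SP.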