IdentityPython / SATOSA

Proxy translating between different authentication protocols (SAML2, OpenID Connect and OAuth2)
https://idpy.org
Apache License 2.0

LDAP Attribute Store microservice should do case-insensitive comparisons when appropriate #347

Open skoranda opened 3 years ago

skoranda commented 3 years ago

The LDAP Attribute Store microservice should allow for case-insensitive comparisons when appropriate. For example, if the primary identifier from the upstream authenticating IdP is eduPersonPrincipalName, and the microservice is searching for the value in LDAP to resolve attributes for the user, the search should be able to take into account that eduPersonPrincipalName is defined for case-insensitive match.

We cannot simply rely on the LDAP directory for this because while the value stored in the LDAP directory is known to be an eduPersonPrincipalName, it may be stored in a different attribute in LDAP, like voPersonExternalID. So the microservice should allow the deployer to explicitly arrange for the search to be case-insensitive.

Code Version

7.0.3

Expected Behavior

Deployers should be able to configure the microservice so that case-insensitive searches against values passed into the microservice can be accomplished.

Current Behavior

The search filter used with the LDAP query is not taking into account that the deployer may want to do a case-insensitive search.

Possible Solution

More configuration syntax and a more sophisticated LDAP query search filter.
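As an added example that is not part of this issue or of SATOSA's own code: one way to build the deployer-configurable filter the issue asks for, using an RFC 4515 extensible match with the standard `caseIgnoreMatch` rule so the comparison ignores case regardless of the attribute's schema EQUALITY rule, with RFC 4515 escaping of the upstream value so it cannot alter the filter. The `case_insensitive` key and the config shape read by `filter_from_config` are assumptions for this example, not existing microservice configuration.

```python
import re
from typing import Optional

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Standard equality rule that ignores case (RFC 4517, OID 2.5.13.2).
CASE_IGNORE_MATCH = "caseIgnoreMatch"


def escape_filter_value(value: str) -> str:
    """Escape an upstream-supplied value so it cannot inject filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(ldap_attribute: str, value: str, case_insensitive: bool = False) -> str:
    """Return an RFC 4515 filter matching `ldap_attribute` against `value`.

    With case_insensitive=True the filter names the matching rule explicitly
    (extensible match), so the server compares case-insensitively even when
    the attribute's own EQUALITY rule is caseExactMatch.
    """
    # The attribute description comes from deployer config, not users, but
    # validate it anyway so a typo cannot produce a malformed filter.
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*", ldap_attribute):
        raise ValueError(f"invalid LDAP attribute description: {ldap_attribute!r}")
    escaped = escape_filter_value(value)
    if case_insensitive:
        return f"({ldap_attribute}:{CASE_IGNORE_MATCH}:={escaped})"
    return f"({ldap_attribute}={escaped})"


def filter_from_config(identifier_config: dict, user_attributes: dict) -> Optional[str]:
    """Pick the first configured candidate identifier present in the upstream
    attributes and build its filter; None if no candidate is present.

    identifier_config is a hypothetical shape assumed for this example, e.g.
      {"attribute_names": ["eduPersonPrincipalName"],
       "ldap_identifier_attribute": "voPersonExternalID",
       "case_insensitive": True}
    """
    for name in identifier_config["attribute_names"]:
        values = user_attributes.get(name) or []
        if values:
            return build_search_filter(
                identifier_config["ldap_identifier_attribute"],
                values[0],
                identifier_config.get("case_insensitive", False),
            )
    return None
```

A directory that does not recognise the named matching rule evaluates the extensible match as Undefined and returns no entries (RFC 4511), so check rule support against the deployed directory before enabling the option.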

peppelinux commented 3 years ago

Hi Scott, it's been a long time since I last used SATOSA's ldap_attr_store, but I have faced what you're describing. I'm using pyMultiLdap and it comes with a SATOSA microservice, here:

https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.yaml.example https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.py

It can be executed completely out of band, for doing tests outside SATOSA; the configuration is stored in an external file, here is an example: https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.example

Two useful features:

It is also heavily based on Cannata's ldap3:

Returning from the OT ...

I had "fought" to achieve the desired result as well. As you will have noticed in the example of the multildap SATOSA microservice, I make the match on schacPersonalUniqueID, which in fact, from the schema, comes with "EQUALITY caseExactMatch"; therefore even providing the LDAP case-insensitive filter I didn't get anything. At the same time, I think the example would be good for you, since you match on a case-insensitive field. Give it a chance.