Separate LDAP query return attributes from mapping to internal attributes

The config option search_return_attributes for the LDAP attribute store
conflated what attribute values to return from the LDAP query with how
those values should be mapped to internal attributes. This commit
separates the functionality by introducing two new config options,
query_return_attributes and ldap_to_internal_map. The
search_return_attributes option is still supported for backwards
compatibility.

Author: skoranda

example/plugins/microservices/ldap_attribute_store.yaml.example

@@ -9,12 +9,30 @@ config:
       read_only : true
       version : 3
 
-      # see ldap3 client_strategies
+      # See ldap3 client_strategies.
       client_strategy : RESTARTABLE
       auto_bind : true
       pool_size : 10
       pool_keepalive : 10
 
+      # Attributes to return from LDAP query.
+      query_return_attributes:
+        - sn
+        - givenName
+        - mail
+        - employeeNumber
+        - isMemberOf
+
+      # LDAP attribute to internal attribute mapping.
+      ldap_to_internal_map:
+        sn: surname
+        givenName: givenname
+        mail: mail
+        employeeNumber: employeenumber
+        isMemberOf: ismemberof
+
+      # Deprecated. Use query_return_attributes and
+      # ldap_to_internal_map instead.
       search_return_attributes:
         # Format is LDAP attribute name : internal attribute name
         sn: surname

src/satosa/micro_services/ldap_attribute_store.py

@@ -42,9 +42,11 @@ class LdapAttributeStore(ResponseMicroService):
         'ignore':                        False,
         'ldap_identifier_attribute':     None,
         'ldap_url':                      None,
+        'ldap_to_internal_map':          None,
         'on_ldap_search_result_empty':   None,
         'ordered_identifier_candidates': None,
         'search_base':                   None,
+        'query_return_attributes':       None,
         'search_return_attributes':      None,
         'user_id_from_attrs':            [],
         'read_only':                     True,
@@ -328,11 +330,15 @@ def _populate_attributes(self, config, record, context, data):
         state = context.state
         attributes = data.attributes
 
-        search_return_attributes = config['search_return_attributes']
-        for attr in search_return_attributes.keys():
+        if config['ldap_to_internal_map']:
+            ldap_to_internal_map = config['ldap_to_internal_map']
+        else:
+            # Deprecated configuration. Will be removed in future.
+            ldap_to_internal_map = config['search_return_attributes']
+        for attr in ldap_to_internal_map.keys():
             if attr in record["attributes"]:
                 if record["attributes"][attr]:
-                    internal_attr = search_return_attributes[attr]
+                    internal_attr = ldap_to_internal_map[attr]
                     value = record["attributes"][attr]
                     attributes[internal_attr] = value
                     msg = "Setting internal attribute {} with values {}"
@@ -450,7 +456,11 @@ def process(self, context, data):
 
             try:
                 # message_id only works in REUSABLE async connection strategy.
-                attributes = config['search_return_attributes'].keys()
+                if config['query_return_attributes']:
+                    attributes = config['query_return_attributes']
+                else:
+                    # Deprecated configuration. Will be removed in future.
+                    attributes = config['search_return_attributes'].keys()
                 results = connection.search(config['search_base'],
                                             search_filter,
                                             attributes=attributes