Merge branch 'feature-update-ldap-attribute-store'

c00kiemon5ter · c00kiemon5ter · commit 5ecf9d68ccfe · 2018-11-29T00:20:19.000+02:00
diff --git a/example/plugins/microservices/ldap_attribute_store.yaml.example b/example/plugins/microservices/ldap_attribute_store.yaml.example
@@ -1,51 +1,65 @@
-module: plugins.microservices.ldap_attribute_store.LdapAttributeStore
+module: LdapAttributeStore
 name: LdapAttributeStore
 config:
-  ldap_url: ldaps://ldap.example.org
-  bind_dn: cn=admin,dc=example,dc=org
-  bind_password: xxxxxxxx
-  search_base: ou=People,dc=example,dc=org
-  search_return_attributes:
-    # format is LDAP attribute name : internal attribute name
-    sn: surname
-    givenName: givenname
-    mail: mail
-    employeeNumber: employeenumber
-    isMemberOf: ismemberof
-  idp_identifiers:
-    # Ordered list of identifiers asserted as attributes by
-    # IdP to use when constructing search filter to find
-    # user record in LDAP directory. This example searches
-    # in order for eduPersonUniqueId, eduPersonPrincipalName
-    # combined with SAML persistent, eduPersonPrincipalName
-    # combined with eduPersonTargetedId,
-    # eduPersonPrincipalName, SAML persistent, and 
-    # eduPersonTargetedId.
-    - epuid
-    - 
-      - eppn
-      - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-    -
-      - eppn
-      - edupersontargetedid
-    - eppn
-    - name_id: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
-    - edupersontargetedid
-  ldap_identifier_attribute: uid
-  # Whether to clear values for attributes incoming
-  # to this microservice. Default is no or false.
-  clear_input_attributes: no
-  # List of LDAP attributes to use as input to hashing to create
-  # NameID.
-  user_id_from_attrs:
-    - employeeNumber
+  "":
+      ldap_url: ldaps://ldap.example.org
+      bind_dn: cn=admin,dc=example,dc=org
+      bind_password: xxxxxxxx
+      search_base: ou=People,dc=example,dc=org
+      search_return_attributes:
+        # Format is LDAP attribute name : internal attribute name
+        sn: surname
+        givenName: givenname
+        mail: mail
+        employeeNumber: employeenumber
+        isMemberOf: ismemberof
+      # LDAP connection pool size
+      pool_size: 10
+      # LDAP connection pool seconds to wait between calls out to server
+      # to keep the connection alive (uses harmless Abandon(0) call)
+      pool_keepalive: 10
+      ordered_identifier_candidates:
+        # Ordered list of identifiers to use when constructing the
+        # search filter  to find the user record in LDAP directory. 
+        # This example searches in order for eduPersonUniqueId, eduPersonPrincipalName
+        # combined with SAML persistent NameID, eduPersonPrincipalName
+        # combined with eduPersonTargetedId, eduPersonPrincipalName, 
+        # SAML persistent NameID, and eduPersonTargetedId.
+        - attribute_names: [epuid]
+        - attribute_names: [eppn, name_id]
+          name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+        - attribute_names: [eppn, edupersontargetedid]
+        - attribute_names: [eppn]
+        - attribute_names: [name_id]
+          name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
+          add_scope: issuer_entityid
+        - attribute_names: [edupersontargetedid]
+          add_scope: issuer_entityid
+      ldap_identifier_attribute: uid
+      # Whether to clear values for attributes incoming
+      # to this microservice. Default is no or false.
+      clear_input_attributes: no
+      # List of LDAP attributes to use as input to hashing to create
+      # NameID.
+      user_id_from_attrs:
+        - employeeNumber
+      # Where to redirect the browser if no record is returned
+      # from LDAP. The default is not to redirect.
+      on_ldap_search_result_empty: https://my.vo.org/please/go/enroll
   # Configuration may also be done per-SP with any
   # missing parameters taken from the default if any.
   # The configuration key is the entityID of the SP.
   #
   # For example:
-  https://sp.myserver.edu/shibboleth-sp
+  https://sp.myserver.edu/shibboleth-sp:
     search_base: ou=People,o=MyVO,dc=example,dc=org
-    eduPersonPrincipalName: employeenumber
+    search_return_attributes:
+        employeeNumber: employeenumber
+    ordered_identifier_candidates:
+      - attribute_names: [eppn]
     user_id_from_attrs:
       - uid
+  # The microservice may be configured to ignore a particular SP.
+  https://another.sp.myserver.edu:
+    ignore: true
+  
diff --git a/src/satosa/frontends/saml2.py b/src/satosa/frontends/saml2.py
@@ -210,13 +210,13 @@ def _handle_authn_request(self, context, binding_in, idp):
 
         subject = authn_req.subject
         subject_id = subject.name_id.text if subject else None
-        # XXX TODO how should type be handled in relation to name_format above?
-        # subject_type = subject.name_id.format if subject else None
+        # XXX should subject.name_id.format overwrite name_id_policy.format?
+        subject_type = subject.name_id.format if subject else name_format
 
         requester_name = self._get_sp_display_name(idp, requester)
         internal_req = InternalData(
             subject_id=subject_id,
-            subject_type=name_format,
+            subject_type=subject_type,
             requester=requester,
             requester_name=requester_name,
         )
diff --git a/src/satosa/micro_services/ldap_attribute_store.py b/src/satosa/micro_services/ldap_attribute_store.py
