Merge pull request #464 from nextcloud/enh/user_saml/groups

feat(user_saml_shibboleth): Provide group information
nextcloud · Nov 20, 2023 · adae567 · adae567
2 parents 0fdac0a + aa1843d
commit adae567
Show file tree

Hide file tree

Showing 5 changed files with 65 additions and 3 deletions.
diff --git a/user_saml-dirsrv/Dockerfile b/user_saml-dirsrv/Dockerfile
@@ -23,6 +23,11 @@ RUN /usr/libexec/dirsrv/dscontainer -r & \
     dsconf localhost backend create --suffix dc=idptestbed --be-name ci_root; \
     mv /var/opt/98nextcloud-schema.ldif /etc/dirsrv/slapd-localhost/schema/; \
     dsconf localhost schema reload; \
+    dsconf localhost plugin memberof enable; \
+    dsconf localhost plugin memberof set --autoaddoc inetOrgPerson; \
+    dsctl localhost restart; \
+    dsconf localhost plugin memberof status; \
+    dsconf localhost plugin memberof show; \
     dsconf localhost backend import "dc=idptestbed" /var/opt/entries.ldif; \
     rm /var/opt/entries.ldif;
 

diff --git a/user_saml-dirsrv/conf/entries.ldif b/user_saml-dirsrv/conf/entries.ldif
@@ -1,3 +1,4 @@
+# Structure
 
 dn: dc=idptestbed
 objectClass: top
@@ -23,10 +24,13 @@ objectClass: top
 objectClass: organizationalunit
 ou: People
 
+# Users
+
 dn: uid=student1,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
+objectClass: inetuser
 objectClass: inetOrgPerson
 objectClass: nextcloudUser
 givenName: Stud
@@ -41,6 +45,7 @@ dn: uid=student2,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
+objectClass: inetuser
 objectClass: inetOrgPerson
 objectClass: nextcloudUser
 givenName: Stud
@@ -55,6 +60,7 @@ dn: uid=staff1,ou=People,dc=idptestbed
 objectClass: organizationalPerson
 objectClass: person
 objectClass: top
+objectClass: inetuser
 objectClass: inetOrgPerson
 objectClass: nextcloudUser
 givenName: St
@@ -63,3 +69,23 @@ sn: aff
 cn: St aff
 mail: staff1@idptestbed.edu
 userPassword: password
+
+
+# Groups
+
+dn: cn=Students,ou=Groups,dc=idptestbed
+objectClass: groupOfNames
+cn: Students
+member: uid=student1,ou=People,dc=idptestbed
+member: uid=student2,ou=People,dc=idptestbed
+
+dn: cn=Professors,ou=Groups,dc=idptestbed
+objectClass: groupOfNames
+cn: Professors
+member: uid=staff1,ou=People,dc=idptestbed
+
+dn: cn=Astrophysics,ou=Groups,dc=idptestbed
+objectClass: groupOfNames
+cn: Astrophysics
+member: uid=student1,ou=People,dc=idptestbed
+member: uid=staff1,ou=People,dc=idptestbed
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-filter.xml
@@ -37,6 +37,14 @@
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>
 
+		<AttributeRule attributeID="quota">
+			<PermitValueRule xsi:type="ANY" />
+		</AttributeRule>
+
+		<AttributeRule attributeID="groups">
+			<PermitValueRule xsi:type="ANY" />
+		</AttributeRule>
+
         <AttributeRule attributeID="eduPersonPrincipalName">
             <PermitValueRule xsi:type="ANY" />
         </AttributeRule>

diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml b/user_saml_shibboleth-idp/shibboleth-idp/conf/attribute-resolver.xml
@@ -129,10 +129,15 @@
     </AttributeDefinition>
 
     <AttributeDefinition xsi:type="Simple" id="quota">
-		<InputDataConnector ref="myLDAP" attributeNames="quota" />
+		<InputDataConnector ref="myLDAP" attributeNames="nextcloudQuota" />
         <AttributeEncoder xsi:type="SAML1String" name="urn:mace:dir:attribute-def:quota" encodeType="false" />
-        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:quota" friendlyName="quota" encodeType="false" />
+        <AttributeEncoder xsi:type="SAML2String" name="urn:oid:1.3.6.1.4.1.49213.1.1.2" friendlyName="quota" encodeType="false" />
     </AttributeDefinition>
+
+	<AttributeDefinition xsi:type="Simple" id="groups">
+		<InputDataConnector ref="groupMemberships" attributeNames="cn" />
+		<AttributeEncoder xsi:type="SAML2String" name="groups" friendlyName="groups" encodeType="false" />
+	</AttributeDefinition>
 <!--
     <resolver:AttributeDefinition xsi:type="ad:Simple" id="initials" sourceAttributeID="initials">
         <resolver:Dependency ref="myLDAP" />
@@ -286,4 +291,19 @@
     -->
     </DataConnector>
 
+	<DataConnector id="groupMemberships" xsi:type="LDAPDirectory"
+				   ldapURL="%{idp.attribute.resolver.LDAP.ldapURL}"
+				   baseDN="%{idp.attribute.resolver.LDAP.groupBaseDN}"
+				   principal="%{idp.attribute.resolver.LDAP.bindDN}"
+				   principalCredential="%{idp.attribute.resolver.LDAP.bindDNCredential}"
+				   useStartTLS="%{idp.attribute.resolver.LDAP.useStartTLS:true}"
+				   maxResultSize="0">
+		<FilterTemplate>
+			<![CDATA[
+				%{idp.attribute.resolver.LDAP.groupFilter}
+			]]>
+		</FilterTemplate>
+		<ReturnAttributes>cn</ReturnAttributes>
+	</DataConnector>
+
 </AttributeResolver>
diff --git a/user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties b/user_saml_shibboleth-idp/shibboleth-idp/conf/ldap.properties
@@ -21,13 +21,14 @@ idp.authn.LDAP.trustStore                       = %{idp.home}/credentials/ldap-s
 ## Return attributes during authentication
 ## NOTE: this is not used during attribute resolution; configure that directly in the
 ## attribute-resolver.xml configuration via a DataConnector's <dc:ReturnAttributes> element
-idp.authn.LDAP.returnAttributes                 = cn,businessCategory,mail
+idp.authn.LDAP.returnAttributes                 = cn,mail,quota,groups
 
 ## DN resolution properties ##
 
 # Search DN resolution, used by anonSearchAuthenticator, bindSearchAuthenticator
 # for AD: CN=Users,DC=example,DC=org
 idp.authn.LDAP.baseDN                           = ou=people,dc=idptestbed
+idp.authn.LDAP.groupBaseDN                      = ou=groups,dc=idptestbed
 #idp.authn.LDAP.subtreeSearch                   = false
 idp.authn.LDAP.userFilter                       = (uid={user})
 # bind search configuration
@@ -42,11 +43,13 @@ idp.authn.LDAP.dnFormat                         = uid=%s,ou=people,dc=idptestbed
 # LDAP attribute configuration, see attribute-resolver.xml
 idp.attribute.resolver.LDAP.ldapURL             = %{idp.authn.LDAP.ldapURL}
 idp.attribute.resolver.LDAP.baseDN              = %{idp.authn.LDAP.baseDN}
+idp.attribute.resolver.LDAP.groupBaseDN         = %{idp.authn.LDAP.groupBaseDN}
 idp.attribute.resolver.LDAP.bindDN              = %{idp.authn.LDAP.bindDN}
 idp.attribute.resolver.LDAP.bindDNCredential    = %{idp.authn.LDAP.bindDNCredential}
 idp.attribute.resolver.LDAP.useStartTLS         = %{idp.authn.LDAP.useStartTLS:true}
 idp.attribute.resolver.LDAP.trustCertificates   = %{idp.authn.LDAP.trustCertificates}
 idp.attribute.resolver.LDAP.searchFilter        = (uid=$requestContext.principalName)
+idp.attribute.resolver.LDAP.groupFilter         = (&(objectclass=groupOfNames)(member=uid=$requestContext.principalName,ou=People,*))
 
 # LDAP pool configuration, used for both authn and DN resolution
 #idp.pool.LDAP.minSize                          = 3