dn missing in attributes ?

[huckabeec]

I've got a simple authproc that calls ldap:AttributeAddUsersGroups to get the user's group information. Our LDAP is OpenLDAP that has groups with both groupOfNames and posixGroup objectclasses. So we have both uniqueMember and memberuid attributes our groups.

If I call that authproc like this - it works, the uid is used and matches the memberUid attribute:

 50 => [
            'class' => 'ldap:AttributeAddUsersGroups',
            'authsource' => 'ldap',
            'ldap.product' => 'OpenLDAP',
            'search.base' => [
              'ou=Groups,dc=mycompany,dc=com',
            ],
            'attribute.dn' => 'dn',
            'attribute.return' => 'cn',
            'attribute.groups' => 'groups',
            'attribute.username' => 'uid',
            'attribute.memberOf' => 'memberuid',
            'timeout' => 30,
       ],

However if I call it like this:

 50 => [
            'class' => 'ldap:AttributeAddUsersGroups',
            'authsource' => 'ldap',
            'ldap.product' => 'OpenLDAP',
            'search.base' => [
              'ou=Groups,dc=mycompany,dc=com',
            ],
            'attribute.dn' => 'dn',
            'attribute.return' => 'cn',
            'attribute.groups' => 'groups',
            'attribute.username' => 'dn',
            'attribute.memberOf' => 'uniquemember',
            'timeout' => 30,
       ],

I get an error telling me 'dn' is not found in the attributes array. So, I added another authproc call to ldap:AttributeAddFromLDAP to go specifically grab 'dn' for the user. To my knowledge 'dn' is always returned by LDAP searches, but I figured let's try this:

40 => [
             'class' => 'ldap:AttributeAddFromLDAP',
             'authsource' => 'ldap',
             'attributes' => ['dn'],
             'attribute.policy' => 'add',
             'search.filter' => '(cn=%cn%)',
       ],

Which itself works without error, but I still get the following on the very next call to 'ldap:AttributeAddUsersGroups' :

SimpleSAML\Error\Exception: Warning - Undefined array key "dn" at /usr/local/install/simplesamlphp/modules/ldap/src/Auth/Process/AttributeAddUsersGroups.php:229

I can't find where or if 'dn' is somehow being filtered out but the attribute is definitely being returned by a search.

We'd like to switch to using the DN where we can but this has been a roadblock I can't figure out.

[tvdijen]

How are you authenticating before this authproc runs?
The AttributeAddUserGroups authproc-filter assumed that the attribute specified in attribute.username is already present in the attributes-array before the filter runs..

PS: I'm responding slowly due to a vacation and limited access to a computer.

[huckabeec]

I'm using the authX509 module (which calls the ldap module internally) which seems to be working correctly - when I've verified that module using a different SP (that doesn't require an authproc) I get the expected attributes although no DN showing up there either.

Also enjoy your vacation - this can wait until you return for sure.

EDIT: This may be a problem in both the ldap and x509 modules. Doing a test from the SimpleSamlPHP console, I get all of the expected attributes except the 'dn' from the ldap module. When I test the authX509 module I get a very small number of attributes back (also missing the dn). I will be doing some more digging.

[huckabeec]

With the fixes added for the authX509 module it now returns the same attribute list as the ldap module - but neither returns the “dn”. I can’t find any obvious reason for that but I’ll keep poking at the code.

[tvdijen]

I suspect dn to be an 'operational attribute' in OpenLDAP, which means you have to set 'attributes' => null and retrieve all attributes and then filter them yourself.

[huckabeec]

I suspect dn to be an 'operational attribute' in OpenLDAP, which means you have to set 'attributes' => null and retrieve all attributes and then filter them yourself.

That's exactly how it is setup - that was what drove the patches I submitted for authX509 so it would respect the null attributes setting in the ldap module. I get all of the other attributes but the 'dn' is left out.

[huckabeec]

So the fact that this is using Symfony and not straight PHP somehow escaped me. I was going by what the PHP documentation says which is:
An array of the required attributes, e.g. array("mail", "sn", "cn"). Note that the "dn" is always returned irrespective of which attributes types are requested.

But Symfony doesn't do that, so you have to make another call to get the DN.

In src/Auth/Source/Ldap.php, in function processAttributes, I did this:

private function processAttributes(Entry $entry): array
   {   
       $result = $entry->getAttributes();
       $dn     = $entry->getDn(); 
       $result['dn'] = $dn;

And now I have the dn value I want. I can work on submitting an actual pull request but should this be the default behavior or an optional behavior ? And should it check first if 'dn' was even in the requested attributes before adding this ?