
[upki-fed:156] Re: eduPerson attributes on Active Directory



Yamaji-sensei,

This is Igarashi from Seijo University.

With the hint you gave me, I was able to solve it myself.
-----------------------------------------------------------------
17:23:42.972 - DEBUG
[edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
- Found the following attribute: eduPersonAffiliation=[staff]
-----------------------------------------------------------------
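In the end, when Shibboleth connects to AD on port 3268, the value
cannot be retrieved unless the extended schema has been replicated to
the GC.

Extending the schema with LDIFDE alone is not enough; it seems I also
had to check [Replicate this attribute to the Global Catalog] in the AD
Schema snap-in afterwards.

Sorry for the trouble.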


> Yamaji-sensei,
>
> This is Igarashi from Seijo University.
>
> Thank you very much.
> The edu.internet2.middleware.shibboleth Logger level was INFO, so
> after raising it to DEBUG I was able to confirm this.
>
> In the end,
> ----------------------------------------------------------------
> 16:04:00.726 - TRACE [edu.vt.middleware.ldap.Ldap:582] -   config =
> {java.naming.provider.url=ldap://mncssotad.seijo.ac.jp:3268,
> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
> 16:04:00.728 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: uSNChanged=[33134]
> 16:04:00.728 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: mail=[xxx@xxxxxxxxxxx]
> 16:04:00.729 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: sn=[五十嵐]
> 16:04:00.729 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: objectSid=[���w
> �%Ny�^]
> 16:04:00.729 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: whenCreated=[20100204033850.0Z]
> 16:04:00.732 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: userAccountControl=[66176]
> 16:04:00.732 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: uSNCreated=[33124]
> 16:04:00.732 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: objectClass=[top, person,
> organizationalPerson, user]
> 16:04:00.732 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute:
> memberOf=[CN=mncstaff,OU=mnc,DC=ssotest,DC=seijo,DC=ac,DC=jp]
> 16:04:00.733 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: sAMAccountType=[805306368]
> 16:04:00.733 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: instanceType=[4]
> 16:04:00.734 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute:
> userPrincipalName=[xxx@xxxxxxxxxxxxxxxxxxx]
> 16:04:00.734 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: whenChanged=[20100204040110.0Z]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: cn=[kaz]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: sAMAccountName=[kaz]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: primaryGroupID=[513]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: description=[member]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: name=[kaz]
> 16:04:00.735 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute:
> objectCategory=[CN=Person,CN=Schema,CN=Configuration,DC=ssotest,DC=seijo,DC=ac,DC=jp]
> 16:04:00.736 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute:
> objectGUID=[]�k��C�~kt_D�]
> 16:04:00.736 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute: displayName=[Kazuhiro Igarashi]
> 16:04:00.736 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
> - Found the following attribute:
> distinguishedName=[CN=kaz,OU=mnc,DC=ssotest,DC=seijo,DC=ac,DC=jp]
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute eduPersonPrincipalName containing 1 values
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute eduPersonAffiliation for principal kaz
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute eduPersonAffiliation containing 0 values
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute email for principal kaz
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute email containing 1 values
> 16:04:00.737 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute transientId for principal kaz
> 16:04:00.738 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute transientId containing 1 values
> 16:04:00.738 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute surname for principal kaz
> 16:04:00.738 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute surname containing 1 values
> 16:04:00.738 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute eduPersonEntitlement for principal kaz
> 16:04:00.738 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:325]
> - Resolving data connector staticEntitlement for principal kaz
> 16:04:00.739 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute eduPersonEntitlement containing 1 values
> 16:04:00.739 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute givenName for principal kaz
> 16:04:00.739 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute givenName containing 0 values
> 16:04:00.739 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:285]
> - Resolving attribute displayName for principal kaz
> 16:04:00.739 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:307]
> - Resolved attribute displayName containing 1 values
> 16:04:00.740 - DEBUG
> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.ShibbolethAttributeResolver:417]
> - Removing attribute eduPersonAffiliation from resolution result for
> principal kaz.  It contains no values.
> ----------------------------------------------------------------
> As shown here, I am told that eduPersonAffiliation has no value,
> but the ldapsearch command does retrieve the value.
>
> ---------------------------------------------------------------
> ldapsearch -x -h mncssotad.seijo.ac.jp -D Administrator@ssotest -W -b
> "dc=ssotest,dc=seijo,dc=ac,dc=jp" "sAMAccountName=kaz"
> ...
> eduPersonAffiliation: staff
> ...
> ---------------------------------------------------------------
>
> For AD, https://spaces.internet2.edu/display/SHIB2/IdPADConfigIssues
> says to use port 3268 to point the Login Handler at the GC, but do
> the attribute values that can be retrieved change depending on the
> port used?
>
>
>> This is Yamaji.
>>
>> ** On Thu, 4 Feb 2010 14:43:04 +0900 (JST)
>> ** kaz igarashi <xxx@xxxxxxxxxxx> writes:
>>
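>>> If I specify an attribute other than an extended-schema one (for
>>> example description) as sourceAttributeID in the AttributeDefinition,
>>> the value is passed to test-sp, so I am wondering whether I can
>>> directly check the values right after the LDAP DataConnector
>>> retrieves them.
>>
>> After accessing the SP, when you look at the IdP's idp-process.log,
>> doesn't that attribute appear in the "Found the following attribute"
>> log entries, as in the following?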
>>
>> 15:18:53.336 - DEBUG [edu.vt.middleware.ldap.Ldap:549] - Search with the
>> following parameters:
>> 15:18:53.336 - DEBUG [edu.vt.middleware.ldap.Ldap:550] -   dn =
>> o=test_o,dc=ac,c=JP
>> 15:18:53.337 - DEBUG [edu.vt.middleware.ldap.Ldap:551] -   filter =
>> (uid=yamaji)
>> 15:18:53.337 - DEBUG [edu.vt.middleware.ldap.Ldap:552] -   filterArgs =
>> 15:18:53.337 - DEBUG [edu.vt.middleware.ldap.Ldap:554] -     none
>> 15:18:53.337 - DEBUG [edu.vt.middleware.ldap.Ldap:558] -   retAttrs =
>> 15:18:53.338 - DEBUG [edu.vt.middleware.ldap.Ldap:560] -     all
>> attributes
>> 15:18:53.338 - TRACE [edu.vt.middleware.ldap.Ldap:565] -   config =
>> {java.naming.provider.url=ldap://localhost:389,
>> java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
>> 15:18:53.363 - DEBUG
>> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
>> - Found the following attribute: uid=[yamaji]
>> 15:18:53.364 - DEBUG
>> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
>> - Found the following attribute: mail=[xxxxxx@xxxxxxxxx]
>> 15:18:53.364 - DEBUG
>> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
>> - Found the following attribute: eduPersonAffiliation=[member]
>> 15:18:53.364 - DEBUG
>> [edu.internet2.middleware.shibboleth.common.attribute.resolver.provider.dataConnector.LdapDataConnector:882]
>> - Found the following attribute: sn=[yamaji]
>> The attributes that could be pulled are shown.
>> --
>> Kazu
>>
>
>
> Kaz Igarashi +++++++++++++++++++++++++++++
> Mail to ------------------ xxx@xxxxxxxxxxx
> URL -------------- http://www.seijo.ac.jp/
> +++++++++++++++++++++++++ MNC, Seijo Univ.
>
>


Kaz Igarashi +++++++++++++++++++++++++++++
Mail to ------------------ xxx@xxxxxxxxxxx
URL -------------- http://www.seijo.ac.jp/
+++++++++++++++++++++++++ MNC, Seijo Univ.
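
The check done by eye in this thread, as an added example that is not part of the original messages: a small Python script that reads idp-process.log text at DEBUG/TRACE level, lists attributes the resolver reported with 0 values that the LDAP data connector never returned, and notes whether the connection went to a Global Catalog port. The sample log is constructed (placeholder host, shortened logger names), and `analyze` and its `source_ids` argument are hypothetical names.

```python
import re

GC_PORTS = {3268, 3269}  # Active Directory Global Catalog: LDAP / LDAP over SSL

# Constructed sample modelled on the excerpts in the thread; records are
# wrapped the way a mail client wraps them, logger names are shortened.
SAMPLE_LOG = """\
16:04:00.726 - TRACE [edu.vt.middleware.ldap.Ldap:582] -   config =
{java.naming.provider.url=ldap://ad.example.ac.jp:3268,
java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory}
16:04:00.728 - DEBUG [LdapDataConnector:882]
- Found the following attribute: mail=[user@example.ac.jp]
16:04:00.729 - DEBUG [LdapDataConnector:882] - Found the
following attribute: sn=[Example]
16:04:00.737 - DEBUG [ShibbolethAttributeResolver:307]
- Resolved attribute eduPersonAffiliation containing 0 values
16:04:00.737 - DEBUG [ShibbolethAttributeResolver:307]
- Resolved attribute email containing 1 values
16:04:00.739 - DEBUG [ShibbolethAttributeResolver:307]
- Resolved attribute givenName containing 0 values
"""


def analyze(log_text, source_ids=None):
    """Report attributes resolved empty that the LDAP connector never returned.

    source_ids maps a resolver attribute id to its LDAP sourceAttributeID
    (hypothetical helper argument; an unmapped id is used as-is).
    """
    source_ids = source_ids or {}
    text = " ".join(log_text.split())  # undo mail/terminal line wrapping
    ports = {int(p) for p in re.findall(
        r"java\.naming\.provider\.url=ldaps?://[^:/,}\s]+:(\d+)", text)}
    found = set(re.findall(r"Found the following attribute: ([\w;-]+)=\[", text))
    missing = []
    for attr in re.findall(r"Resolved attribute (\S+) containing 0 values", text):
        if source_ids.get(attr, attr) not in found and attr not in missing:
            missing.append(attr)
    return {"ports": sorted(ports),
            "via_global_catalog": bool(ports & GC_PORTS),
            "missing_from_ldap": missing}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for attr in result["missing_from_ldap"]:
        note = ("queried via GC port: check the attribute is replicated to "
                "the Global Catalog" if result["via_global_catalog"]
                else "not returned by the directory")
        print(f"{attr}: {note}")
```

An attribute that is simply unset on the account is flagged the same way, so confirm with a query against the domain controller's regular LDAP port, as the `ldapsearch` in the thread did.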