LDAP Attribute Store microservice should do case-insensitive comparisons when appropriate
skoranda opened this issue · 1 comment
The LDAP Attribute Store microservice should allow for case-insensitive comparisons when appropriate. For example, if the primary identifier from the upstream authenticating IdP is eduPersonPrincipalName, and the microservice is searching for the value in LDAP to resolve attributes for the user, the search should be able to take into account that eduPersonPrincipalName is defined for case-insensitive match.
We cannot simply rely on the LDAP directory for this because, while the value stored in the LDAP directory is known to be an eduPersonPrincipalName, it may be stored in a different attribute in LDAP, like voPersonExternalID. So the microservice should allow the deployer to explicitly arrange for the search to be case-insensitive.
Code Version
7.0.3
Expected Behavior
Deployers should be able to configure the microservice so that case-insensitive searches against values passed into the microservice can be accomplished.
Current Behavior
The search filter used with the LDAP query does not take into account that the deployer may want to do a case-insensitive search.
Possible Solution
More configuration syntax and a more sophisticated LDAP query search filter.
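An added illustration of the configurable filter the issue asks for (example code written here, not code from SATOSA or from its LDAP Attribute Store microservice): the `case_insensitive` option, the helper names and the sample directory are assumptions. It shows the extensible-match filter that overrides an attribute's schema EQUALITY rule, RFC 4515 escaping of the IdP-supplied identifier, and a lookup that fails closed when a case-insensitive search matches more than one entry.

```python
"""Configurable case-insensitive user lookup for an LDAP attribute store.

Added illustration for this issue, not code from SATOSA or from its LDAP
Attribute Store microservice. The option name ``case_insensitive``, the
helper names and the sample directory are assumptions made here.
"""
import re
from typing import Dict, List

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
# Attribute description: a descriptor name or a numeric OID (RFC 4512 section 2.5).
_ATTRIBUTE_RE = re.compile(r"^(?:[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+)$")


def escape_filter_value(value: str) -> str:
    """Escape a value that arrived from the upstream IdP before it is placed in
    a filter, so "*", "(", ")" or "\\" cannot rewrite the query."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(attribute: str, value: str, case_insensitive: bool) -> str:
    """Return the RFC 4515 filter that locates the user.

    With case_insensitive=True the filter uses an extensible match
    (RFC 4511 section 4.5.1.7.7) that overrides the attribute's schema
    EQUALITY rule with caseIgnoreMatch (OID 2.5.13.2).  This is what lets a
    caseExactMatch attribute such as voPersonExternalID match an
    eduPersonPrincipalName value whose case differs.  OpenLDAP and 389
    Directory Server honour it; Active Directory accepts only its own rule
    OIDs and will reject this filter, so the option must stay per-deployer.
    """
    if not _ATTRIBUTE_RE.match(attribute):
        raise ValueError(f"invalid attribute description: {attribute!r}")
    escaped = escape_filter_value(value)
    if case_insensitive:
        return f"({attribute}:caseIgnoreMatch:={escaped})"
    return f"({attribute}={escaped})"


# Constructed sample directory (DN -> attributes).  uid=jdoe and uid=jdoe2
# differ only in the case of voPersonExternalID: exactly the ambiguity a
# case-insensitive lookup can introduce.
SAMPLE_DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=jdoe,ou=people,dc=example,dc=org": {
        "voPersonExternalID": ["jdoe@example.org"],
    },
    "uid=jdoe2,ou=people,dc=example,dc=org": {
        "voPersonExternalID": ["JDoe@example.org"],
    },
    "uid=asmith,ou=people,dc=example,dc=org": {
        "voPersonExternalID": ["ASmith@example.org"],
    },
}


def matching_entries(directory: Dict[str, Dict[str, List[str]]], attribute: str,
                     value: str, case_insensitive: bool) -> List[str]:
    """Evaluate the filter semantics locally and return the matching DNs.

    Stands in for connection.search() against a real server; str.casefold()
    is the closest Python equivalent of caseIgnoreMatch's case folding.
    """
    wanted = value.casefold() if case_insensitive else value
    hits = []
    for dn, attrs in directory.items():
        for stored in attrs.get(attribute, []):
            if (stored.casefold() if case_insensitive else stored) == wanted:
                hits.append(dn)
                break
    return hits


def resolve_user(directory: Dict[str, Dict[str, List[str]]], attribute: str,
                 value: str, case_insensitive: bool) -> str:
    """Resolve the IdP identifier to exactly one DN.

    A case-insensitive search widens the candidate set, so fail closed on
    zero or several hits instead of silently taking the first entry.
    """
    hits = matching_entries(directory, attribute, value, case_insensitive)
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} entries match {attribute}={value!r}; refusing to resolve")
    return hits[0]


if __name__ == "__main__":
    print(build_search_filter("voPersonExternalID", "JDoe@example.org", True))
    print(resolve_user(SAMPLE_DIRECTORY, "voPersonExternalID", "ASMITH@example.org", True))
```

In a real deployment the string from `build_search_filter()` is what gets passed to ldap3's `Connection.search()` as the search filter, and `ldap3.utils.conv.escape_filter_chars` can replace the hand-written escaping. Whether a server accepts the `:caseIgnoreMatch:=` form should be verified against each directory during deployment, which is one more reason the behaviour belongs in deployer configuration rather than in a default.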
Hi Scott, it has been a long time since I last used SATOSA's ldap_attr_store, but I faced what you're describing.
I'm using pyMultiLdap and it comes with a SATOSA microservice, here:
https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.yaml.example
https://github.com/peppelinux/pyMultiLDAP/blob/master/multildap/satosa/multiple_ldap_attribute_store.py
It can be executed completely out of band, for doing tests outside SATOSA; the configuration is stored in an external file, here is an example:
https://github.com/peppelinux/pyMultiLDAP/blob/master/examples/settings.py.example
Two useful features:
- allows you to query multiple LDAP / ADFS servers
- also allows you to do attribute rewrite on the fly
It is also heavily based on Cannata's ldap3.
Returning from the OT ...
I had "fought" to achieve the desired result as well. As you will have noticed in the example of the multildap SATOSA microservice, I make the match on schacPersonalUniqueID, which in fact, from the schema, comes with "EQUALITY caseExactMatch", so even providing the LDAP case-insensitive filter I didn't get anything. At the same time, I think the example would be good for you, since you match on a case-insensitive field. Give it a chance.