[Satosa-dev] breaking change to LDAP attribute store microservice?

Scott Koranda skoranda at gmail.com
Sun Sep 17 18:49:58 CEST 2017


Hi,

(Apologies in advance for a long and detailed note. TL;DR I want to make a
breaking change but I think I am directly working with everyone using the
microservice.)

I would like to make a breaking change to the LDAP attribute store
microservice. Specifically I want to change the name and syntax for the
configuration option 'idp_identifier' (but not the functionality).

That configuration option is used to determine which value(s) are used for
the LDAP filter that is constructed to search for user records in LDAP.
Currently a simple configuration would be

idp_identifiers:
  - eppn
ldap_identifier_attribute: uid

That configuration would take the value asserted by the IdP for eppn (the
SATOSA internal name for that attribute as it is "seen" by the
microservice) and use it to construct the filter value, e.g.
'skoranda@uwm.edu', so that for example the LDAP filter would be

(uid=skoranda@uwm.edu)

More complicated configurations that include the ability to combine values
including NameID values asserted by the IdP are included in the example
configuration.

But there are two problems I have with the current configuration and its
syntax:

1) The value that is used to construct the LDAP filter may not come directly
from (be asserted by) an IdP. It may have been constructed by another
microservice (or microservices) that runs prior to the LDAP attribute store. So I think
instead of

idp_identifier

I want to name the configuration option

ordered_identifier_candidates

2) The syntax as seen in the current example is poor. After a helpful
dialogue with Ivan I prefer this syntax, which I think better illustrates
what is going on (this would be a fairly complicated example):

ordered_identifier_candidates:
  - attribute_names: [epuid]
  - attribute_names: [eppn, name_id]
    name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  - attribute_names: [eppn, edupersontargetedid]
  - attribute_names: [eppn]
  - attribute_names: [name_id]
    name_id_format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
    add_scope: issuer_entityid
  - attribute_names: [edupersontargetedid]
    add_scope: issuer_entityid

The simple configuration from above would become

ordered_identifier_candidates:
  - attribute_names: [eppn]

An intermediate example configuration would be

ordered_identifier_candidates:
  - attribute_names: [eppn]
  - attribute_names: [edupersontargetedid]
    add_scope: issuer_entityid

Normally I would of course prefer not to make a breaking change, but I
think I am working with everyone using the microservice and can directly
help them transition, and I think it is early enough in the evolution of the
microservice that some flux is expected/allowed.

Thoughts?

Thanks,

Scott K
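As an added illustration of the candidate-resolution logic the proposed syntax expresses (this is example code written for this page, not the SATOSA microservice's own implementation), the snippet below walks the ordered candidate list, picks the first candidate whose attributes are all present (honouring `name_id_format` and `add_scope: issuer_entityid`), and builds the LDAP filter with RFC 4515 escaping so that an attribute value taken from an assertion cannot alter the filter's structure. The sample attributes, NameID and issuer entityID are constructed; the `separator` used to join several attribute values, the use of only the first value of a multi-valued attribute, and appending the scope as `@` + entityID are assumptions for this example, not details from the post.

```python
"""Added example (not SATOSA code): resolve an LDAP filter value from an
ordered list of identifier candidates and build a safely escaped filter."""

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample inputs: attributes as the microservice sees them
# (SATOSA internal names), the NameID asserted by the IdP, and its entityID.
SAMPLE_ATTRIBUTES = {
    "eppn": ["skoranda@uwm.edu"],
    "edupersontargetedid": ["2a3f1e"],
}
SAMPLE_NAME_ID = {"format": PERSISTENT, "value": "p-7f4c"}
SAMPLE_ISSUER = "https://idp.example.org/idp/shibboleth"  # constructed

# The "fairly complicated" configuration from the post, as Python data.
ORDERED_IDENTIFIER_CANDIDATES = [
    {"attribute_names": ["epuid"]},
    {"attribute_names": ["eppn", "name_id"], "name_id_format": PERSISTENT},
    {"attribute_names": ["eppn", "edupersontargetedid"]},
    {"attribute_names": ["eppn"]},
    {"attribute_names": ["name_id"], "name_id_format": PERSISTENT,
     "add_scope": "issuer_entityid"},
    {"attribute_names": ["edupersontargetedid"], "add_scope": "issuer_entityid"},
]


def escape_ldap_filter_value(value):
    """RFC 4515 escaping: a value copied from an assertion must not be able to
    change the filter structure (e.g. by containing ')' or '*')."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def resolve_identifier(candidates, attributes, name_id, issuer_entityid,
                       separator=":"):
    """Return the filter value from the first candidate whose attributes are
    all present, or None if no candidate can be satisfied.

    Assumptions (not from the post): several attribute values are joined with
    `separator`, only the first value of a multi-valued attribute is used, and
    add_scope appends '@' + scope."""
    for candidate in candidates:
        parts = []
        for name in candidate["attribute_names"]:
            if name == "name_id":
                wanted = candidate.get("name_id_format")
                # Missing NameID, or a NameID of the wrong format, disqualifies
                # this candidate; fall through to the next one.
                if not name_id or (wanted and name_id["format"] != wanted):
                    break
                parts.append(name_id["value"])
            else:
                values = attributes.get(name) or []
                if not values:
                    break
                parts.append(values[0])
        else:
            # Only reached when every attribute of the candidate was found.
            value = separator.join(parts)
            scope = candidate.get("add_scope")
            if scope == "issuer_entityid":
                value = value + "@" + issuer_entityid
            elif scope:
                value = value + "@" + scope
            return value
    return None


def build_ldap_filter(ldap_identifier_attribute, filter_value):
    """Build '(attr=value)' with the value escaped per RFC 4515."""
    return "({}={})".format(ldap_identifier_attribute,
                            escape_ldap_filter_value(filter_value))


if __name__ == "__main__":
    value = resolve_identifier(ORDERED_IDENTIFIER_CANDIDATES, SAMPLE_ATTRIBUTES,
                               SAMPLE_NAME_ID, SAMPLE_ISSUER)
    print(build_ldap_filter("uid", value))
```

Because the candidates are tried strictly in order, the configuration author controls which identifier wins when several are available; the escaping step is what keeps a hostile or malformed attribute value from turning `(uid=…)` into a broader search.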