Hi,
I'm trying to probe the boundaries of what I can do with the "script" attribute definition in Shib 2, trying various things to see what I can do. A while ago Colleen Romero posted a script here that accesses the user's DN derived from LDAP:
<Script>
<![CDATA[
importPackage(Packages.edu.internet2.middleware.shibboleth.common.attribute.provider);
eduPersonAffiliation = new BasicAttribute("eduPersonAffiliation");
dn = distinguishedName.getValues().get(0).toLowerCase();
if (dn.contains("ou=staff")) {
... etc
]]>
</Script>
I know this was against AD. Can anyone enlighten me? I believe "distinguishedName" is an LDAP "attribute" that AD returns for each request; unfortunately there doesn't seem to be an equivalent one for Novell eDirectory. I have read a claim that Novell supports the "operational attribute" entryDN that should be returned, but using that generates an error of undefined attribute, so Shib is clearly not getting it.
Does anyone know: does Shib 2 keep the user's DN in some internal attribute that I can access? The only way I can think of doing this is by storing a user's DN as an extra attribute on each object (yuk!).
I don't actually _need_ to do this at the moment, it's just that I can envisage some scenarios where it might be nice.
Cheers
Andy
The University of Dundee is a registered Scottish charity, No: SC015096