* Andy Swiffin <[log in to unmask]> [2009-08-14 13:12]:
> Does anyone know, does Shib 2 keep the user's DN in some internal
> attribute that I can access? The only way I can think of doing this
> is by storing a user's DN as an extra attribute on each object
> (yuk!).

The former (a new Shib feature) has been written (see the patch in
https://bugs.internet2.edu/jira/browse/SC-68), but is not yet part of the
source code repository or a released version. It provides the entries' DN
as an attribute (by default named 'ldapDN') and works with any DSA. To
make use of this you'd need to include the patch above and build the IdP
from source (which is not difficult), see
https://spaces.internet2.edu/display/SHIB2/SourceAccess

The latter (making available the DN as an attribute) is exactly what DSAs
supporting the entryDN operational attribute do for you, as you already
mentioned. But, as per my other replies to Jethro, this attribute (like
any other operational attribute) won't be returned from the DSA unless
explicitly asked for, so you'd need to list it in the LDAP
resolver:DataConnector/ReturnAttributes XML element, e.g.

  <ReturnAttributes>uid mail ... entryDN</ReturnAttributes>

and take it from there as per usual. (See
https://spaces.internet2.edu/display/SHIB2/IdPAddAttribute
https://spaces.internet2.edu/display/SHIB2/ResolverLDAPDataConnector )

Note that I had to explicitly allow access to this attribute in an ACL
with a recent OpenLDAP DSA, which may or may not be the case with Novell
eDirectory.

Finally, from a quick search (e.g. [1]) it seems that Novell eDirectory
does indeed support entryDN, so you should be fine with the Shib IdP as
released (no patch necessary) by explicitly requesting the attribute and
possibly tuning eDirectory to let you have it. Worked for me.

cheers,
-peter

[1] http://www.omni-ts.com/newsroom/edirectory-authentication-sharepoint.html
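As an added illustration (not part of Peter's reply or the Shibboleth project's own configuration), the following attribute-resolver.xml fragment wires the two steps he describes for an unpatched IdP 2.x: request entryDN from the LDAP DataConnector and expose it through a Simple AttributeDefinition. The LDAP URL, base DN, bind account, connector id and the SAML attribute name are assumed placeholders; entryDN has no standard OID, so the encoder name is a made-up URN that the relying SP would have to agree on.

```xml
<!-- Added example for attribute-resolver.xml (IdP 2.x); hostnames, DNs and
     ids are placeholders. Attribute release still has to be granted in
     attribute-filter.xml, which this fragment does not cover. -->

<!-- Step 1: ask the DSA for the operational attribute explicitly. Operational
     attributes such as entryDN are not returned unless they are named here. -->
<resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory"
    ldapURL="ldap://ldap.example.org" baseDN="ou=people,dc=example,dc=org"
    principal="uid=idpservice,ou=system,dc=example,dc=org"
    principalCredential="CHANGE_ME">
    <dc:FilterTemplate>
        <![CDATA[
            (uid=$requestContext.principalName)
        ]]>
    </dc:FilterTemplate>
    <!-- entryDN added to the list of requested attributes -->
    <dc:ReturnAttributes>uid mail entryDN</dc:ReturnAttributes>
</resolver:DataConnector>

<!-- Step 2: turn the returned entryDN value into a resolver attribute. The
     id "ldapDN" mirrors the default name used by the SC-68 patch, so a later
     switch to the patched connector would not change downstream filters. -->
<resolver:AttributeDefinition xsi:type="ad:Simple" id="ldapDN"
    sourceAttributeID="entryDN">
    <resolver:Dependency ref="myLDAP" />
    <!-- assumed, non-standard attribute name agreed with the SP -->
    <resolver:AttributeEncoder xsi:type="enc:SAML2String"
        name="urn:example:attribute:ldapDN" friendlyName="ldapDN" />
</resolver:AttributeDefinition>
```

If the DSA is OpenLDAP and the bind account cannot read entryDN, the connector silently yields no ldapDN value; grant the service account read access to the attribute in the DSA's ACLs, as the reply notes, and check the IdP resolver log for the missing attribute before suspecting the configuration above.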