In your resolver, do you restrict the attributes that you read in the dataconnector? I have a vague memory of it getting overloaded if there's too much. We have the line:
<dc:ReturnAttributes>o departmentNumber workforceID groupMembership dUNUNIEResourcesSet cn employeeStatus mail sn givenName</dc:ReturnAttributes>
Which restricts the LDAP read to the specific set of attributes we use.
Andy
> -----Original Message-----
> From: Discussion list for Shibboleth developments [mailto:JISC-
> [log in to unmask]] On Behalf Of John Horne
> Sent: 26 February 2014 12:57
> To: [log in to unmask]
> Subject: Re: Testing for a non-null LDAP attribute value
>
> On Tue, 2014-02-25 at 09:53 +0000, Andy Swiffin wrote:
> > Oooh, I remember being here once before some time ago. Let me just
> > see if I can find the scars...
> >
> Thanks for the replies.
>
> A quick update is that the attribute's 'typeof' is being returned as 'object'.
> Whether that is an actual array or not I can't say. Secondly, it seems that our
> LDAP call is not returning all the attributes for a user. The idp-process log file
> states that certain LDAP attributes are resolved with 'containing 0 values',
> with no corresponding 'Found the following attribute' log record. (Doing a
> manual LDAP query shows that the relevant attribute does have a value.) So
> I'm currently wondering if perhaps too much data is being returned and
> truncated(?), or if there is something on the backend Active Directory side
> that is preventing all the data being sent.
>
> John.
>
> --
> John Horne Tel: +44 (0)1752 587287
> Plymouth University, UK Fax: +44 (0)1752 587001
The University of Dundee is a registered Scottish Charity, No: SC015096
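
An added example, not part of the original messages: once `dc:ReturnAttributes` restricts the LDAP read, any attribute definition whose source attribute is not in that list resolves with no values, so it is worth checking the list against the definitions that depend on the connector. The resolver XML below is a constructed sample using the IdP 2.x resolver namespaces; the connector id `myLDAP` and the definition ids are hypothetical, and the fallback from `sourceAttributeID` to the definition `id` is an assumption about the IdP 2.x default.

```python
import xml.etree.ElementTree as ET

NS = {"resolver": "urn:mace:shibboleth:2.0:resolver",
      "dc": "urn:mace:shibboleth:2.0:resolver:dc"}

# Constructed sample, not a real deployment's attribute-resolver.xml.
SAMPLE = """<resolver:AttributeResolver
    xmlns:resolver="urn:mace:shibboleth:2.0:resolver"
    xmlns:ad="urn:mace:shibboleth:2.0:resolver:ad"
    xmlns:dc="urn:mace:shibboleth:2.0:resolver:dc"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <resolver:AttributeDefinition id="email" xsi:type="ad:Simple" sourceAttributeID="mail">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="surname" xsi:type="ad:Simple" sourceAttributeID="SN">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:AttributeDefinition id="dept" xsi:type="ad:Simple" sourceAttributeID="departmentNumber">
    <resolver:Dependency ref="myLDAP"/>
  </resolver:AttributeDefinition>
  <resolver:DataConnector id="myLDAP" xsi:type="dc:LDAPDirectory">
    <dc:ReturnAttributes>cn mail sn givenName employeeStatus</dc:ReturnAttributes>
  </resolver:DataConnector>
</resolver:AttributeResolver>"""

def audit(xml_text):
    """Per connector: source attributes that are needed but not returned
    ('missing') and attributes that are returned but never used ('unused')."""
    root = ET.fromstring(xml_text)
    returned = {}
    for conn in root.findall("resolver:DataConnector", NS):
        ra = conn.find("dc:ReturnAttributes", NS)
        if ra is not None and ra.text:
            # LDAP attribute names are case-insensitive, so key on lowercase.
            returned[conn.get("id")] = {a.lower(): a for a in ra.text.split()}
    needed = {cid: {} for cid in returned}
    for d in root.findall("resolver:AttributeDefinition", NS):
        # Assumption: without sourceAttributeID the definition id is used.
        # Attributes read only inside a Script definition are not detected.
        src = d.get("sourceAttributeID") or d.get("id")
        for dep in d.findall("resolver:Dependency", NS):
            if dep.get("ref") in needed:
                needed[dep.get("ref")][src.lower()] = src
    return {cid: {"missing": sorted(v for k, v in needed[cid].items() if k not in ret),
                  "unused": sorted(v for k, v in ret.items() if k not in needed[cid])}
            for cid, ret in returned.items()}

if __name__ == "__main__":
    for cid, result in audit(SAMPLE).items():
        print(cid, result)
```

Entries under "missing" are candidates for the "containing 0 values" symptom; entries under "unused" can be dropped from the list to keep the LDAP read minimal.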