shibboleth-users - Re: [Shib-Users] Novell eDir GUID transformation using script attribute definition

Subject: Shibboleth Users

List archive

Re: [Shib-Users] Novell eDir GUID transformation using script attribute definition


  • From: Dan McLaughlin <>
  • To:
  • Subject: Re: [Shib-Users] Novell eDir GUID transformation using script attribute definition
  • Date: Thu, 26 Aug 2010 09:24:02 -0500

Use org.opensaml.xml.util.Base64 instead of
com.novell.xml.util.Base64Codec…right?

On Thu, Aug 26, 2010 at 9:16 AM, Chad La Joie <> wrote:
> Okay, if you're certain that the value you're getting back from the
> directory is a Base64 encoded byte[] then you can import
> org.opensaml.xml.util.Base64 and use its decode(String) method to get the
> bytes, then just follow the rest of the code you pointed at to hex encode
> the value.
>
> Just remember, when you call attribute.getValues() you'll always get a
> java.util.List, even if the attribute only has one value.  So you'll need to
> loop over the values replacing each with the hex encoded version (in theory
> there should only ever be one element in the list).
>
> On 8/26/10 10:08 AM, Dan McLaughlin wrote:
>>
>> Sorry, I know this is confusing…GUID's in Novell eDir are stored in
>> OctetString syntax, which is a byte array.  But before Novell stores
>> the hex GUID in eDir, they Base64 encoded it to save space.  If I
>> don't tell the data connector that the GUID attribute is binary then I
>> get a opensaml::FatalProfileException when I try and release the
>> attribute.
>>
>> The steps as I understand them are...
>>
>> 1) Using a Data Connector retrieve the Base64 encoded GUID attribute
>> stored in OctetString syntax, which is a byte array.
>> 2) Convert the Base64 encoded GUID to a Hex GUID using a script
>> attribute definition.
>> 3) Encode the Hex GUID as a SAML2 String Attribute.
>> 4) Release the Attribute.
>>
>> --
>>
>> Thanks,
>>
>> Dan McLaughlin
>>
>> NOTICE: This e-mail message and all attachments transmitted with it
>> are for the sole use of the intended recipient(s) and may contain
>> confidential and privileged information. Any unauthorized review, use,
>> disclosure or distribution is strictly prohibited. The contents of
>> this e-mail are confidential and may be subject to work product
>> privileges. If you are not the intended recipient, please contact the
>> sender by reply e-mail and destroy all copies of the original message.
>>
>> Need to schedule a meeting??? http://www.tungle.me/DanMcLaughlin
>>
>> On Thu, Aug 26, 2010 at 8:22 AM, Chad La Joie <> wrote:
>>>
>>> Okay, so first, try removing the <LDAPProperty
>>> name="java.naming.ldap.attributes.binary" value="GUID"/> from the data
>>> connector.  If it really is stored as a Base64 string then doing this won't
>>> change anything, you should still get the same string back.  If you don't
>>> then the directory is actually storing it as a byte[]. Depending on which it
>>> is you'll need to do something different in the script.
>>>
>>> On 8/26/10 9:16 AM, Dan McLaughlin wrote:
>>>>
>>>> The GUID in eDir is stored as a Base64 encoded string representation of
>>>> the more common hexadecimal GUID (eDir does this so it stores less
>>>> character data).
>>>>
>>>> What I'm looking for is an example script attribute definition used to
>>>> transform the Base64 encoded string representation of the GUID (ex.
>>>> gN2+pzgC3BGDaAAUwmAcPg==) to the canonical string representation of the
>>>> GUID as a text sequence of hex digits (ex.
>>>> 9c5a9b0e-d98f-404b-23bd-9c5a9b0ed98f).  In my case I'm more concerned
>>>> with releasing the attribute in a common GUID format than I am reducing
>>>> the size of the attribute.
>>>>
>>>> I found an article talking about doing something similar...
>>>>
>>>> http://www.novell.com/communities/node/4095/synchronizing-edirectory-guid-oracle-database
>>>>
>>>> …just not sure about the proper way to try and wrap this up in a script
>>>> attribute definition.
>>>>
>>>> We plan to manage role information for our applications and we need to
>>>> make sure we are associating the roles to a GUID that won't change every
>>>> time someone decides to get married and change their last name.
>>>>
>>>> --
>>>>
>>>> Thanks,
>>>>
>>>> Dan McLaughlin
>>>>
>>>>
>>>>
>>>> On Thu, Aug 26, 2010 at 5:35 AM, Chad La Joie <> wrote:
>>>>
>>>>    If the value is a byte[], and you don't want to use Base64 encoding
>>>>    in order to get an ASCII string, what type of encoding do you want
>>>>    to use, hex?
>>>>
>>>>
>>>>    On 8/26/10 2:23 AM, Dan McLaughlin wrote:
>>>>
>>>>        Novell eDir contains a unique ID for each user in the GUID attribute.
>>>>        The GUID string is Base64 encoded and stored as a binary value in eDir.
>>>>
>>>>        Here's my understanding of how this should work...
>>>>
>>>>        I understand that in order to return a binary attribute in the data
>>>>        connector you must define it as binary by setting <LDAPProperty
>>>>        name="java.naming.ldap.attributes.binary" value="GUID"/>.  This seems
>>>>        to be working because if I encode the GUID as a SAML2 String Attribute
>>>>        and release it, I can see that the Base64 encoded string was returned
>>>>        from the data connector.
>>>>
>>>>        Since I don't want to release GUID as a Base64 encoded string, I need to
>>>>        decode it to an ASCII string first. In order to do this I have to
>>>>        transform the Base64 encoded GUID attribute value to an ASCII string
>>>>        using a script attribute definition.
>>>>
>>>>        I'm looking for a sample script attribute definition used to transform
>>>>        the Base64 encoded GUID to an ASCII string.  Has anyone done this
>>>>        before?
>>>>
>>>>        --
>>>>
>>>>        Thanks,
>>>>
>>>>        Dan McLaughlin
>>>>
>>>>
>>>>
>>>>    --
>>>>    Chad La Joie
>>>>    http://itumi.biz
>>>>    trusted identities, delivered
>>>>
>>>>
>>>
>>> --
>>> Chad La Joie
>>> http://itumi.biz
>>> trusted identities, delivered
>>
>
> --
> Chad La Joie
> http://itumi.biz
> trusted identities, delivered
>
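Added example, not code from the thread or from the Shibboleth project: the transformation the thread arrives at (steps 1 to 3 of Dan's list, plus the list handling Chad describes), written in Node.js so it runs stand-alone. Inside an IdP 2 script attribute definition the same steps would run under Rhino with the org.opensaml.xml.util.Base64 class Chad names; here Node's Buffer does the Base64 decoding and hex encoding instead. It assumes the GUID value arrives either as the Base64 string the thread shows or as raw bytes, that an eDirectory GUID is 16 bytes, and it refuses anything of another length rather than releasing a malformed identifier. The sample input is the Base64 value quoted in the thread; the function and constant names are my own.

```javascript
// Added example (not from the thread): turn an eDirectory GUID attribute value
// into the canonical 8-4-4-4-12 hex form before it is released as a SAML attribute.
// Assumption: the data connector hands the script either a Base64 string (as the
// thread reports) or the raw 16-byte value; anything else is rejected.

const GUID_BYTES = 16;

// Normalise whatever the connector returned to a Buffer of raw GUID bytes.
// Buffer.from(array) masks each entry to 0..255, so a signed Java byte[]
// passed through as a plain array also works.
function guidBytes(value) {
  if (Buffer.isBuffer(value) || value instanceof Uint8Array || Array.isArray(value)) {
    return Buffer.from(value);
  }
  if (typeof value === 'string') {
    // 16 bytes Base64-encode to exactly 22 characters plus "==" padding;
    // Buffer's decoder is lenient, so check the shape before decoding.
    if (!/^[A-Za-z0-9+/]{22}==$/.test(value)) {
      throw new Error(`not a Base64-encoded 16-byte GUID: ${JSON.stringify(value)}`);
    }
    return Buffer.from(value, 'base64');
  }
  throw new TypeError(`unsupported GUID value type: ${typeof value}`);
}

// Decode one value and format it as lowercase hex with the usual hyphen groups.
function toCanonicalGuid(value) {
  const bytes = guidBytes(value);
  if (bytes.length !== GUID_BYTES) {
    throw new Error(`GUID must be ${GUID_BYTES} bytes, got ${bytes.length}`);
  }
  const hex = bytes.toString('hex');
  return [
    hex.slice(0, 8),
    hex.slice(8, 12),
    hex.slice(12, 16),
    hex.slice(16, 20),
    hex.slice(20),
  ].join('-');
}

// Mirror of the loop Chad describes: attribute values arrive as a list even
// when there is only one, so replace every element with its hex form.
function transformGuidValues(values) {
  return values.map(toCanonicalGuid);
}

// Constructed sample input: the Base64 value quoted in the thread.
const SAMPLE_BASE64_GUID = 'gN2+pzgC3BGDaAAUwmAcPg==';

console.log(transformGuidValues([SAMPLE_BASE64_GUID]));
```

In a Rhino script the list comes back as a java.util.List, so you would replace each element in place rather than map over a JavaScript array, but the decode, length check and hex formatting are the same. The length check is the part worth keeping: a value that is not 16 bytes is not a GUID, and failing the resolution is better than handing a relying party a stable-looking identifier that is wrong.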



Archive powered by MHonArc 2.6.16.