We are using Shibboleth for authentication, with LDAP as an identity provider. We would just use Shibboleth for the identity provider as well, but it seems that Indico can’t get group information from Shibboleth (even though our Shibboleth does provide a multivalued ‘groups’ attribute). Our Shibboleth configuration uses a federated login, then supplements the attributes with data from this LDAP directory, which is why we can’t use LDAP for both authentication and identity.
Authentication works. Also, I am able to search for the LDAP groups, but Indico claims that these groups have no members. When I use indico shell to try to investigate these groups, I get ldap.FILTER_ERROR.
The relevant part of our indico.conf file is:
```python
AUTH_PROVIDERS = {
    'shib-sso': {
        'type': 'shibboleth',
        'title': 'SSO',
        'attrs_prefix': '',
        'callback_uri': '/login/shib-sso/shibboleth',
    }
}
IDENTITY_PROVIDERS = {
    'ldap': {
        'type': 'ldap',
        'title': 'LDAP',
        'ldap': {
            'uri': 'ldaps://OURHOST',
            'bind_dn': 'XXXX',
            'bind_password': 'XXXX',
            'timeout': 30,
            'verify_cert': True,
            'page_size': 1500,
            'uid': 'uid',
            'user_base': 'ou=People,cn=XXXX',
            'user_filter': '(objectClass=inetOrgPerson)',
            'gid': 'cn',
            'group_base': 'ou=Groups,cn=XXXX',
            'group_filter': '(objectClass=groupOfNames)',
            'member_of_attr': 'memberOf',
            'mapping': {
                'first_name': 'givenName',
                'last_name': 'sn',
                'email': 'mail',
                'affiliation': 'o',
            },
        },
        'default_group_provider': True,
        'synced_fields': {'first_name', 'last_name', 'affiliation'}
    },
}
```
Attempts to list the group memberships in the GUI produce “There are no users in this group.”
memberOf capability is enabled on the LDAP directory.
When I use indico shell I get:
```
In [1]: g = GroupProxy('Project', 'ldap')
In [2]: g.get_members()
Out [2]: set()
In [3]: u = User.get(2)
In [4]: u in g
…
ValueError: The filter supplied to the operation is invalid. (This is most likely due to a bad user or group filter.
```
I suspect that the LDAP setup is not using the correct attribute to search for users.
But I don’t understand the invalid filter part. I am able to search for groups and assign them permissions for events. But it has no effect.