An open discussion list for topics related to the eduGAIN interfederation service.

[Peter Schober <peter.schober AT univie.ac.at>]

Hi Sten,

TL;DR: What Davide said. I'll just expand a bit on that.

* Sten Aus <sten.aus AT eenet.ee> [2017-12-14 10:46]:
> I wanted to ask if some of you know (or can ask) how your IdPs
> handle eduPerson schema in their Active Directory Services?

I don't think /any/ of our institutions extended their LDAP schema in
order to join and fully interoperate within the federation. (Well, I
did that myself, back when I was running Univie's LDAP and Shibboleth
infrastructure, but that was because I wanted to make use of these
data structures also within the institution via LDAP, not just SAML.)

E.g. here's our documentation on how to create the most common
attributes used in eduID.at and eduGAIN, and *none* of these require
the addition of the eduPerson (or any other) schema to your LDAP DSA:
https://wiki.univie.ac.at/display/federation/IDP+3+Attribute+resolution

> If I understand correctly eduPerson is not supported "out of the
> box" in AD schema?

It's certainly not included in the products as shipped by M$. It
should work just fine, though, if you manage to find a current version
of it that's in a format you can feed to AD:

MACE-Dir (the curator of the eduPerson schema) depends on community
contributions to keep the collected schemas up to date and this is not
the case with the MS-AD format, it seems:
https://spaces.internet2.edu/display/macedir/LDIFs
https://spaces.internet2.edu/display/macedir/Active+Directory+eduPerson
(Current is 201602, cf. http://macedir.org/specs/eduperson/ )

But again, you'll only need this if you decided you want to make use
of those data structures via LDAP / within your MS-AD system.

Cheers,
-peter