Posted to user@vcl.apache.org by Michael Jinks <mj...@uchicago.edu> on 2012/08/17 00:09:03 UTC

Shib docs?

I need to Shibbolize my VCL installation, and I know I've seen docs
describing how, but I can't find them now.  The top (and pretty much
only) Google hit is:

 https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html

...but I know anything under "VCLDOCS" is out of date.

Better link?


-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib docs?

Posted by Josh Thompson <jo...@ncsu.edu>.
Aaron,

Great write-up!  You can go ahead and add it to the documentation
section of the new CMS.  I'd say to put a link to it off of the
Installation page.  Here are the steps to create the page:

-add the CMS bookmarklet to your browser - see
   https://cms.apache.org/#bookmark
-go to http://vcl.apache.org/
-click the bookmarklet to start editing
-log in with your subversion userid/password
-scroll down to the docs/ directory and click on it
-click [Edit this directory] at the top of the page
-in the 'Add New File or Directory' text box, enter something like
shibauth.mdtext and hit Enter
-create the page content (the markdown takes some getting used to)
-hit Submit at the bottom (actually, a good idea to hit this
occasionally and then start editing again to save your progress -
changes are only saved in your copy of the cms at this point)
-after submitting it, if you click [Browse] - you'll see a generically
styled version of your page.  It doesn't include our css styling.
-when you are finished, you can click [Commit] to commit it to the
staged section
-you can view the staged version of your page by clicking the [Staged]
link when browsing the docs directory
-you'll need to edit the installation.mdtext page to add a link to your
new page and commit that change
-finally, when everything looks right, you can publish the site to make
the page displayed at vcl.apache.org

Josh


On 08/16/12 21:08, Aaron Coburn wrote:
> Michael, That page you mention is generally correct, but it is very
> incomplete. Rather than responding over email, I wrote an article on
> shibbolizing the VCL here:
> 
> http://people.apache.org/~acoburn/shibboleth.html
> 
> This page assumes you are using version 2.3 of the VCL. Eventually,
> this will make it into the site documentation. In the meantime, if
> any of you on this list have other tips to add, please let me know
> and I will add them to the web page. Also, if there are errors in the
> instructions, please do let me know.
> 
> In addition to what I wrote, there are many, many more things you can
> do to configure Shibboleth (without modifying the VCL code).
> 
> Best regards, Aaron
> 
> 
> 
> -- 
> Aaron Coburn
> Systems Administrator and Programmer
> Academic Technology Services, Amherst College
> acoburn@amherst.edu
> 
> 
> 
> 
> 
> 
> On Aug 16, 2012, at 6:09 PM, Michael Jinks wrote:
> 
> I need to Shibbolize my VCL installation, and I know I've seen docs 
> describing how, but I can't find them now.  The top (and pretty much 
> only) Google hit is:
> 
> https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html
>
>  ...but I know anything under "VCLDOCS" is out of date.
> 
> Better link?
> 
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
> University of Chicago IT Services
> 
> 

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.

rebaseall

Posted by will robinson <wr...@g.clemson.edu>.
Hi all,

It seems that I cannot make any VMs available for reservations because the 
rebaseall script fails.  I can access the VM through vSphere, but when I try to 
run the script (as recommended by other threads), it complains of the following:

rebaseall: only ash or dash processes are allowed during rebasing.
      Exit all Cygwin processes and stop all Cygwin services.
      Execute ash from Start/Run... or a cmd or command window.
      Execute '/bin/rebaseall' from ash (or dash).
rebaseall exit status: 2

Any attempts to follow the directions above result in the same message.  I 
would appreciate any recommendations to get past this issue.  Thanks.

-- 

will


Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Wed, Sep 05, 2012 at 06:48:46PM -0500, Michael Jinks wrote:
> On Wed, Sep 05, 2012 at 08:26:46PM +0000, Aaron Coburn wrote:
> > 
> >    First, create a file, such as test.php. Its contents can be as simple
> >    as:
> >    <?php phpinfo(); ?>
> >    View that page in a browser -- you should be forced to authenticate
> >    first; verify that the shibboleth attributes are present (e.g. do a
> >    search for 'eppn').
> 
> Argh.  No 'eppn'; and, the test step from:
> 
>  http://people.apache.org/~acoburn/shibboleth.html
> 
> ...no longer works either.  'test.php' shows every value as "Undefined".
> So it looks like our relationship with our IdP has fallen apart for some
> reason in the past couple of weeks.  Great.  Odd that authN still works
> at all.

Nope, I'm an idiot; my apache shib configs weren't checked into our
configuration management system, so they got reverted back to a
partially-configured SP.

Fixed that, revisited the Privileges section, now my shib-backed account
has admin privs, but the "New Reservation" section still says "Selection
not currently available" for all our system images.  This problem rings
a bell, so I'll revisit the steps I took to get things working in the
first place and if I have trouble I'll post again under separate cover.

Thanks Aaron.

-m


-- 
Michael Jinks :: mjinks@uchicago.edu
University of Chicago IT Services

Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Wed, Sep 05, 2012 at 08:26:46PM +0000, Aaron Coburn wrote:
> 
>    First, create a file, such as test.php. Its contents can be as simple
>    as:
>    <?php phpinfo(); ?>
>    View that page in a browser -- you should be forced to authenticate
>    first; verify that the shibboleth attributes are present (e.g. do a
>    search for 'eppn').

Argh.  No 'eppn'; and, the test step from:

 http://people.apache.org/~acoburn/shibboleth.html

...no longer works either.  'test.php' shows every value as "Undefined".
So it looks like our relationship with our IdP has fallen apart for some
reason in the past couple of weeks.  Great.  Odd that authN still works
at all.

Time to talk to our IdM folks.  Thanks for the help.

-m

Re: Shib and user permissions, was Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,
You can start by deleting userid 11 from the database.

It looks to me as though the Shib attributes are not being properly passed into the VCL. I would start by performing a test in your shibauth directory:

First, create a file, such as test.php. Its contents can be as simple as:

<?php phpinfo(); ?>

View that page in a browser -- you should be forced to authenticate first; verify that the shibboleth attributes are present (e.g. do a search for 'eppn').

If that proves to be OK, then login to the VCL through your IdP

At this point, check the database to see what values were just added to the users table. You should have a proper value in unityid, and affiliationid should not be 1. You should also have values in firstname and lastname.

If that is all OK, then login as admin@Local (restart your browser first), adding this new user to the adminUsers@Local group (from the Manage Groups menu)

Now logout and log back in through your IdP. At this point, you should have the appropriate privileges.

Let me know if any of those steps fail.

BTW, the privilege tree you described is perfectly fine -- I just have mine organized differently.

Aaron



--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu






On Sep 5, 2012, at 3:26 PM, Michael Jinks <mj...@uchicago.edu> wrote:



Re: Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
On Tue, Sep 04, 2012 at 09:18:46PM +0000, Aaron Coburn wrote:
> 
> There are a number of possibilities here, but first you should investigate why there are two unityid values for mjinks. Presumably those are from different affiliations?

Yeah.  The first was probably created while we were using direct LDAP
for authN, and the second appeared with the addition of Shib.  I did add
both id's to the adminUsers group, no luck.

> (You may want to consider removing one of those accounts from the database).

I've now done that; see below for an account of the results.

> And are you certain that, when you login via Shibboleth, the active userid (i.e. 6 or 10 in your case) is the same as the userid that you added to the adminUsers group?

Yep; added both to be sure.

> Also, you need to make sure that the adminUsers group has been added to the privilege tree properly within the VCL. For that, login as the admin@Local user, then go to "Privileges" and select the "VCL" node in the privilege tree. The "adminUsers@Local" group should be listed under "Users". If it isn't, add it and make sure that the privileges cascade.

Well, this is fun...

If I select the "VCL" node itself, I don't see any adminUsers@Local
under "User Groups".  If I select the "admin" node directly beneath VCL,
then adminUsers@Local does appear under "User Groups", with all
privileges checked including "Cascade to Child Nodes".

> If that doesn't lead to anything, I would recommend verifying that the $authMechs configuration is correct.

I'll paste my complete authMechs section below.

But first: I deleted both 'mjinks' records from the user table (after
removing their foreign key dependencies).  Then I re-visited my
management node's web UI with a live Shib cookie.  Now, when I look
through the user table, there's no mjinks, but there is a new record
created when I came to the UI, and it's clearly wrong:

mysql> select id, unityid, affiliationid, firstname, lastname from user where id='11';
+----+---------+---------------+-----------+----------+
| id | unityid | affiliationid | firstname | lastname |
+----+---------+---------------+-----------+----------+
| 11 | @       |             1 |           |          |
+----+---------+---------------+-----------+----------+
1 row in set (0.00 sec)


Any idea what might be causing this?

I'm starting to wonder if I just need to start over, yet again, with a
blank database.

Anyhow, here's our complete authMechs stanza, kruft and all:

$authMechs = array(
  "UChicago Single Sign-On" => array(
      "type" => "redirect",
      "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
      "affiliationid" => 0,
      "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
  "Local Account" => array(
      "type" => "local",
      "affiliationid" => 1,
      "help" => "You probably don't want \"Local Account\" unless you are an administrator of the VCL system."),
  "CNet-Example" => array(
      "type" => "ldap",
      "server" => "ldap.uchicago.edu",
      "binddn" => "ou=people,dc=uchicago,dc=edu",
      "userid" => "uid=%s,ou=people,dc=uchicago,dc=edu",
      "unityid" => "uid",
      "firstname" => "givenName",
      "lastname" => "sn",
      "email" => "mail",
      "defaultemail" => "@uchicago.edu",
      #"lookupuserbeforeauth" => 1,
      #"lookupuserfield" => "uid",
      #"masterlogin" => "",
      #"masterpwd" => "",
      "affiliationid" => 3,
      "help" => "The \"CNet-Example\" option is for testing and will probably go away in the future."),
);







-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib and user permissions, was Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,

There are a number of possibilities here, but first you should investigate why there are two unityid values for mjinks. Presumably those are from different affiliations? (You may want to consider removing one of those accounts from the database.)

And are you certain that, when you login via Shibboleth, the active userid (i.e. 6 or 10 in your case) is the same as the userid that you added to the adminUsers group?

Also, you need to make sure that the adminUsers group has been added to the privilege tree properly within the VCL. For that, login as the admin@Local user, then go to "Privileges" and select the "VCL" node in the privilege tree. The "adminUsers@Local" group should be listed under "Users". If it isn't, add it and make sure that the privileges cascade.

If that doesn't lead to anything, I would recommend verifying that the $authMechs configuration is correct.

Aaron



--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu






On Sep 4, 2012, at 3:34 PM, Michael Jinks <mj...@uchicago.edu> wrote:

> Bumping this; I didn't hear anything back when I posted the message
> below, about a week and a half ago.  Also, I've since discovered that
> my Shib-backed account doesn't appear to have any privileges at all;
> in spite of having all the permissions boxes checked, I still don't
> have access to any VM images or to any but the most basic elements of
> the UI.  What did I miss?
> 
> This is on VCL 2.2.1.
> 
> Thanks,
> -m
> 
> 
> On Fri, Aug 24, 2012 at 01:54:42PM -0500, Michael Jinks wrote:
>> I just got back around to trying Josh's instructions for giving my Shib
>> user account admin rights:
>> 
>> On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
>>> 
>>> Michael,
>>> 
>>> Probably the simplest thing to do is to add your shibboleth based user
>>> to the adminUsers group directly in the database.  Here's what to do:
>>> 
>>> 1) get the id of your user:
>>>   SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
>>> 2) note the returned id
>>> 3) get the id of the adminUsers group:
>>>   SELECT id FROM usergroup WHERE name = 'adminUsers';
>>> 4) note the returned id
>>> 5) add a record to the usergroupmembers table:
>>>   INSERT INTO usergroupmembers
>>>   (userid, usergroupid) VALUES
>>>   (id_from_step_2, id_from_step_4);
>>> 
>>> Then, your shibboleth account should have admin access (assuming you
>>> left the adminUsers group having admin access).
>> 
>> The good news is that (with some help from our IDM folks) I have Shib
>> working for my devel VCL instance, and my account is logged in currently.
>> 
>> The bad news is that I still don't have admin rights.  The only
>> navigation links on the VCL page are "HOME", "New Reservation", "Block
>> Allocation", "User Preferences", "Statistics", and "Logout".
>> 
>> Not sure if this is relevant or not, but when I did step 1 above, I got
>> two records back instead of one:
>> 
>> +----+---------+
>> | id | unityid |
>> +----+---------+
>> |  6 | mjinks  |
>> | 10 | mjinks  |
>> +----+---------+
>> 
>> When I tried to add them to the adminUsers group, I found that id 6 was
>> already there, probably as a result of my previous efforts to get this
>> working.  I added id 10 as well, but that didn't make any difference.
>> 
>> I'm able to use the "Logout" button and log back in as a local admin,
>> thank goodness... When I go to the "Privileges" page, I find that
>> "Cascade to Child Nodes" is set for the adminUsers@Local group, and
>> permissions there are a Christmas tree, all boxes checked.
>> 
>> Any idea what else I might have missed?
>> 
>> Thanks as always.
>> 
>> --Michael
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
> University of Chicago IT Services


Shib and user permissions, was Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
Bumping this; I didn't hear anything back when I posted the message
below, about a week and a half ago.  Also, I've since discovered that
my Shib-backed account doesn't appear to have any privileges at all;
in spite of having all the permissions boxes checked, I still don't
have access to any VM images or to any but the most basic elements of
the UI.  What did I miss?

This is on VCL 2.2.1.

Thanks,
-m


On Fri, Aug 24, 2012 at 01:54:42PM -0500, Michael Jinks wrote:
> I just got back around to trying Josh's instructions for giving my Shib
> user account admin rights:
> 
> On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
> > 
> > Michael,
> > 
> > Probably the simplest thing to do is to add your shibboleth based user
> > to the adminUsers group directly in the database.  Here's what to do:
> > 
> > 1) get the id of your user:
> >    SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
> > 2) note the returned id
> > 3) get the id of the adminUsers group:
> >    SELECT id FROM usergroup WHERE name = 'adminUsers';
> > 4) note the returned id
> > 5) add a record to the usergroupmembers table:
> >    INSERT INTO usergroupmembers
> >    (userid, usergroupid) VALUES
> >    (id_from_step_2, id_from_step_4);
> > 
> > Then, your shibboleth account should have admin access (assuming you
> > left the adminUsers group having admin access).
> 
> The good news is that (with some help from our IDM folks) I have Shib
> working for my devel VCL instance, and my account is logged in currently.
> 
> The bad news is that I still don't have admin rights.  The only
> navigation links on the VCL page are "HOME", "New Reservation", "Block
> Allocation", "User Preferences", "Statistics", and "Logout".
> 
> Not sure if this is relevant or not, but when I did step 1 above, I got
> two records back instead of one:
> 
>  +----+---------+
>  | id | unityid |
>  +----+---------+
>  |  6 | mjinks  |
>  | 10 | mjinks  |
>  +----+---------+
> 
> When I tried to add them to the adminUsers group, I found that id 6 was
> already there, probably as a result of my previous efforts to get this
> working.  I added id 10 as well, but that didn't make any difference.
> 
> I'm able to use the "Logout" button and log back in as a local admin,
> thank goodness... When I go to the "Privileges" page, I find that
> "Cascade to Child Nodes" is set for the adminUsers@Local group, and
> permissions there are a Christmas tree, all boxes checked.
> 
> Any idea what else I might have missed?
> 
> Thanks as always.
> 
> --Michael

-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
I just got back around to trying Josh's instructions for giving my Shib
user account admin rights:

On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
> 
> Michael,
> 
> Probably the simplest thing to do is to add your shibboleth based user
> to the adminUsers group directly in the database.  Here's what to do:
> 
> 1) get the id of your user:
>    SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
> 2) note the returned id
> 3) get the id of the adminUsers group:
>    SELECT id FROM usergroup WHERE name = 'adminUsers';
> 4) note the returned id
> 5) add a record to the usergroupmembers table:
>    INSERT INTO usergroupmembers
>    (userid, usergroupid) VALUES
>    (id_from_step_2, id_from_step_4);
> 
> Then, your shibboleth account should have admin access (assuming you
> left the adminUsers group having admin access).

The good news is that (with some help from our IDM folks) I have Shib
working for my devel VCL instance, and my account is logged in currently.

The bad news is that I still don't have admin rights.  The only
navigation links on the VCL page are "HOME", "New Reservation", "Block
Allocation", "User Preferences", "Statistics", and "Logout".

Not sure if this is relevant or not, but when I did step 1 above, I got
two records back instead of one:

 +----+---------+
 | id | unityid |
 +----+---------+
 |  6 | mjinks  |
 | 10 | mjinks  |
 +----+---------+

When I tried to add them to the adminUsers group, I found that id 6 was
already there, probably as a result of my previous efforts to get this
working.  I added id 10 as well, but that didn't make any difference.

I'm able to use the "Logout" button and log back in as a local admin,
thank goodness... When I go to the "Privileges" page, I find that
"Cascade to Child Nodes" is set for the adminUsers@Local group, and
permissions there are a Christmas tree, all boxes checked.

Any idea what else I might have missed?

Thanks as always.

--Michael

Re: Shib docs?

Posted by Josh Thompson <jo...@ncsu.edu>.

Michael,

Probably the simplest thing to do is to add your shibboleth based user
to the adminUsers group directly in the database.  Here's what to do:

1) get the id of your user:
   SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
2) note the returned id
3) get the id of the adminUsers group:
   SELECT id FROM usergroup WHERE name = 'adminUsers';
4) note the returned id
5) add a record to the usergroupmembers table:
   INSERT INTO usergroupmembers
   (userid, usergroupid) VALUES
   (id_from_step_2, id_from_step_4);

Then, your shibboleth account should have admin access (assuming you
left the adminUsers group having admin access).

Josh

On 08/22/12 10:48, Michael Jinks wrote:
> Hi all.  I'm stepping through Aaron's Shib instructions and I've
> managed to hose my VCL dev instance.
> 
> Things went fine until I enabled Shib for VCL and hit the web
> interface. I immediately realized that my user account didn't have
> admin privileges, since only the user-level buttons appeared on the
> landing page.  So I tried to back out my changes, but with Shib
> disabled, my browser always gets redirected to /shibauth, which
> draws a 500/Internal Server Error.
> 
> I've done enough investigating to be pretty sure that the redirect
> is being controlled by something in the backing database, not by
> anything in the local filesystem, but I'm not sure what has
> changed.
> 
> How can I access an admin account with Shib enabled?  Is there any
> way to give a user account full privileges?  Our efforts up to now
> have failed.
> 
> And/or, how can I get back from where I am?  I have SQL access to
> the backing store, so if I knew what to change I could un-shib the
> instance and start over.  I'd rather not just do a complete load
> from the database without looking around a bit first.
> 
> 
> 
> On Fri, Aug 17, 2012 at 04:58:33PM +0000, Aaron Coburn wrote:
>> 
>>> Many thanks, but we're still on 2.2.  Are there lots of
>>> differences?
>> 
>> Not really.
>> 
>> The main difference is that there is no "ALLOWADDSHIBUSERS"
>> constant, so you can just skip the item related to that. You will
>> just not be able to manually add a user to a group before that
>> user has logged in for the first time.
>> 
>> 
>> 
>>> On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>>>> Michael,
>>>> 
>>>> That page you mention is generally correct, but it is very
>>>> incomplete. Rather than responding over email, I wrote an
>>>> article on shibbolizing the VCL here:
>>>> 
>>>> [1]http://people.apache.org/~acoburn/shibboleth.html
> <snip>

-- 
-------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at pgp.mit.edu

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlA0+vIACgkQV/LQcNdtPQO6uACfdZPrSrxuU3BkenCmabhkcF/D
9xUAn3QwdYqgZz/GY9KlYUaModl0qYmq
=WPIA
-----END PGP SIGNATURE-----

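The membership change Josh describes, written as one idempotent statement with a verification query and the reverse step. This is an added example, not code from the thread or from the VCL project. It assumes the table and column names Josh quotes (user.id/unityid, usergroup.id/name, usergroupmembers.userid/usergroupid), plus usergroup.affiliationid and user.affiliationid joined to an affiliation(id, name) table so the group can be pinned to the adminUsers@Local group mentioned earlier in the thread; the placeholder unityid is hypothetical, and the multi-table DELETE uses MySQL syntax, which is what VCL runs on.

```sql
-- Added example (not from the thread or the VCL project). Assumes the
-- VCL schema Josh quotes: user(id, unityid, affiliationid),
-- usergroup(id, name, affiliationid), usergroupmembers(userid, usergroupid),
-- and affiliation(id, name) to pin the group to the Local affiliation.
-- Replace 'your_user_id_here' with the unityid the Shibboleth login created.

-- 1) Confirm the Shibboleth user exists. VCL creates the row on the first
--    Shibboleth login, so an empty result means: log in once, then return.
--    If more than one row comes back (same unityid under two affiliations),
--    add "AND u.affiliationid = <id>" to every statement below.
SELECT u.id, u.unityid, a.name AS affiliation
  FROM user u
  JOIN affiliation a ON a.id = u.affiliationid
 WHERE u.unityid = 'your_user_id_here';

-- 2) Confirm exactly one adminUsers group in the Local affiliation.
SELECT g.id, g.name, a.name AS affiliation
  FROM usergroup g
  JOIN affiliation a ON a.id = g.affiliationid
 WHERE g.name = 'adminUsers'
   AND a.name = 'Local';

-- 3) Add the membership in one statement. The NOT EXISTS guard makes the
--    script safe to re-run: it cannot create a duplicate membership row.
INSERT INTO usergroupmembers (userid, usergroupid)
SELECT u.id, g.id
  FROM user u
  JOIN usergroup g ON g.name = 'adminUsers'
  JOIN affiliation a ON a.id = g.affiliationid AND a.name = 'Local'
 WHERE u.unityid = 'your_user_id_here'
   AND NOT EXISTS (SELECT 1
                     FROM usergroupmembers m
                    WHERE m.userid = u.id
                      AND m.usergroupid = g.id);

-- 4) Verify: the user should now be listed as a member of adminUsers.
SELECT u.unityid, g.name AS usergroup
  FROM usergroupmembers m
  JOIN user u      ON u.id = m.userid
  JOIN usergroup g ON g.id = m.usergroupid
 WHERE u.unityid = 'your_user_id_here';

-- 5) Reverse step (MySQL multi-table DELETE), for when the account should
--    no longer hold full admin rights. Uncomment to run.
-- DELETE m
--   FROM usergroupmembers m
--   JOIN user u      ON u.id = m.userid
--   JOIN usergroup g ON g.id = m.usergroupid
--  WHERE u.unityid = 'your_user_id_here'
--    AND g.name = 'adminUsers';
```

Run steps 1 and 2 first and only proceed if each returns exactly one row; the INSERT ... SELECT inserts one membership per matching (user, group) pair, so an ambiguous match would grant admin to more accounts than intended. Membership in adminUsers is full administrative access, as Josh notes, so treat it as a break-glass change: record it, and remove it with step 5 once the Shibboleth setup is working and a narrower privilege-tree grant is in place.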
Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,

> Things went fine until I enabled Shib for VCL and hit the web interface.
> I immediately realized that my user account didn't have admin
> privileges, since only the user-level buttons appeared on the landing
> page.  So I tried to back out my changes, but with Shib disabled, my
> browser always gets redirected to /shibauth, which draws a 500/Internal
> Server Error.

For this, you may want to inspect the httpd logs.

> I've done enough investigating to be pretty sure that the redirect is
> being controlled by something in the backing database, not by anything
> in the local filesystem, but I'm not sure what has changed.

There are two reasons why your browser would redirect to the shibauth directory: either your affiliation is configured to do that in conf.php or you have a shib session cookie.
If it is the first issue, then change the affiliation entry in conf.php. If it is the second, just restart your browser (i.e. fully quit the application, don't just close the browser window)

> How can I access an admin account with Shib enabled?  Is there any way
> to give a user account full privileges?  Our efforts up to now have
> failed.

There are numerous ways to set this up, but the easiest is probably to log in as the admin@Local user and add your (shib-enabled) user account to the root (VCL) node in the privilege tree. Make sure your privileges cascade.

> And/or, how can I get back from where I am?  I have SQL access to the
> backing store, so if I knew what to change I could un-shib the instance
> and start over.  I'd rather not just do a complete load from the
> database without looking around a bit first.

The way to get back to where you started should be easy -- check the vcl.affiliation database table, and make sure that the 'shibonly' field is set to 0 for your institution.
Also, make sure that the affiliation configuration in .ht-inc/conf.php is no longer pointing to the Shibboleth login location.
And, as is always the case with Shibboleth, restart your browser.

Aaron

> 
> 
> On Fri, Aug 17, 2012 at 04:58:33PM +0000, Aaron Coburn wrote:
>> 
>>> Many thanks, but we're still on 2.2.  Are there lots of differences?
>> 
>> Not really.
>> 
>> The main difference is that there is no "ALLOWADDSHIBUSERS" constant, so you can just skip the item related to that. You will just not be able to manually add a user to a group before that user has logged in for the first time.
>> 
>> 
>> 
>>> On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>>>>  Michael,
>>>> 
>>>>  That page you mention is generally correct, but it is very incomplete.
>>>>  Rather than responding over email, I wrote an article on shibbolizing
>>>>  the VCL here:
>>>> 
>>>>  [1]http://people.apache.org/~acoburn/shibboleth.html
> <snip>

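The database side of the recovery Aaron describes (the shibonly flag on the affiliation table), written as a transaction so the change can be inspected and rolled back before it is committed. This is an added example, not code from the thread or from the VCL project. It assumes an affiliation table with id, name and shibonly columns as Aaron refers to them, and a user table with affiliationid, used here only to show which accounts the Shibboleth login has actually created; the affiliation name is a hypothetical placeholder.

```sql
-- Added example (not from the thread or the VCL project). Assumes
-- affiliation(id, name, shibonly) and user(id, unityid, affiliationid).
-- Replace 'your_affiliation_name_here' with the affiliation you are locked
-- out of.

-- Which affiliations currently force Shibboleth-only login, and how many
-- accounts each one holds. A Shibboleth affiliation with zero users means
-- the first Shibboleth login never completed, so there is no account to
-- promote yet (Aaron's point about adding users only after first login).
SELECT a.id, a.name, a.shibonly, COUNT(u.id) AS user_count
  FROM affiliation a
  LEFT JOIN user u ON u.affiliationid = a.id
 GROUP BY a.id, a.name, a.shibonly
 ORDER BY a.id;

-- Do the change inside a transaction so you can look before you commit.
START TRANSACTION;

-- Restrict to shibonly = 1 so the "rows affected" count is meaningful:
-- 0 rows means the lockout is not coming from this flag, and the cause
-- is more likely the conf.php redirect or a stale Shibboleth session
-- cookie in the browser, as described above.
UPDATE affiliation
   SET shibonly = 0
 WHERE name = 'your_affiliation_name_here'
   AND shibonly = 1;

-- Inspect the result before it becomes permanent.
SELECT id, name, shibonly
  FROM affiliation
 WHERE name = 'your_affiliation_name_here';

-- If the row above is the one you meant, keep it; otherwise undo.
COMMIT;
-- ROLLBACK;
```

After the COMMIT, the two remaining causes Aaron lists are outside the database: the affiliation entry in .ht-inc/conf.php that still points at the Shibboleth login location, and the Shibboleth session cookie, which survives until the browser is fully quit.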

Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
Hi all.  I'm stepping through Aaron's Shib instructions and I've managed
to hose my VCL dev instance.

Things went fine until I enabled Shib for VCL and hit the web interface.
I immediately realized that my user account didn't have admin
privileges, since only the user-level buttons appeared on the landing
page.  So I tried to back out my changes, but with Shib disabled, my
browser always gets redirected to /shibauth, which draws a 500/Internal
Server Error.

I've done enough investigating to be pretty sure that the redirect is
being controlled by something in the backing database, not by anything
in the local filesystem, but I'm not sure what has changed.

How can I access an admin account with Shib enabled?  Is there any way
to give a user account full privileges?  Our efforts up to now have
failed.

And/or, how can I get back from where I am?  I have SQL access to the
backing store, so if I knew what to change I could un-shib the instance
and start over.  I'd rather not just do a complete load from the
database without looking around a bit first.



On Fri, Aug 17, 2012 at 04:58:33PM +0000, Aaron Coburn wrote:
> 
> > Many thanks, but we're still on 2.2.  Are there lots of differences?
> 
> Not really.
> 
> The main difference is that there is no "ALLOWADDSHIBUSERS" constant, so you can just skip the item related to that. You will just not be able to manually add a user to a group before that user has logged in for the first time.
> 
> 
> 
> > On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
> >>   Michael,
> >> 
> >>   That page you mention is generally correct, but it is very incomplete.
> >>   Rather than responding over email, I wrote an article on shibbolizing
> >>   the VCL here:
> >> 
> >>   [1]http://people.apache.org/~acoburn/shibboleth.html
<snip>

Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
> Many thanks, but we're still on 2.2.  Are there lots of differences?

Not really.

The main difference is that there is no "ALLOWADDSHIBUSERS" constant, so you can just skip the item related to that. You will just not be able to manually add a user to a group before that user has logged in for the first time.



> On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>>   Michael,
>> 
>>   That page you mention is generally correct, but it is very incomplete.
>>   Rather than responding over email, I wrote an article on shibbolizing
>>   the VCL here:
>> 
>>   [1]http://people.apache.org/~acoburn/shibboleth.html
>> 
>>   This page assumes you are using version 2.3 of the VCL. Eventually,
>>   this will make it into the site documentation. In the meantime, if any
>>   of you on this list have other tips to add, please let me know and I
>>   will add them to the web page. Also, if there are errors in the
>>   instructions, please do let me know.
>> 
>>   In addition to what I wrote, there are many, many more things you can
>>   do to configure Shibboleth (without modifying the VCL code).
>> 
>>   Best regards,
>> 
>>   Aaron
>> 
>>   --
>>   Aaron Coburn
>>   Systems Administrator and Programmer
>>   Academic Technology Services, Amherst College
>>   [2]acoburn@amherst.edu
>>   On Aug 16, 2012, at 6:09 PM, Michael Jinks wrote:
>> 
>>   I need to Shibbolize my VCL installation, and I know I've seen docs
>>   describing how, but I can't find them now.  The top (and pretty much
>>   only) Google hit is:
>>   [3]https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html
>>   ...but I know anything under "VCLDOCS" is out of date.
>>   Better link?
>>   --
>>   Michael Jinks :: [4]mjinks@uchicago.edu :: 773-469-9688
>>   University of Chicago IT Services
>> 
>> References
>> 
>>   1. http://people.apache.org/~acoburn/shibboleth.html
>>   2. mailto:acoburn@amherst.edu
>>   3. https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html
>>   4. mailto:mjinks@uchicago.edu
> 
> -- 
> Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
> University of Chicago IT Services


Re: Shib docs?

Posted by Michael Jinks <mj...@uchicago.edu>.
Many thanks, but we're still on 2.2.  Are there lots of differences?


On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>    Michael,
> 
>    That page you mention is generally correct, but it is very incomplete.
>    Rather than responding over email, I wrote an article on shibbolizing
>    the VCL here:
> 
>    [1]http://people.apache.org/~acoburn/shibboleth.html
> 
>    This page assumes you are using version 2.3 of the VCL. Eventually,
>    this will make it into the site documentation. In the meantime, if any
>    of you on this list have other tips to add, please let me know and I
>    will add them to the web page. Also, if there are errors in the
>    instructions, please do let me know.
> 
>    In addition to what I wrote, there are many, many more things you can
>    do to configure Shibboleth (without modifying the VCL code).
> 
>    Best regards,
> 
>    Aaron
> 
>    --
>    Aaron Coburn
>    Systems Administrator and Programmer
>    Academic Technology Services, Amherst College
>    [2]acoburn@amherst.edu
>    On Aug 16, 2012, at 6:09 PM, Michael Jinks wrote:
> 
>    I need to Shibbolize my VCL installation, and I know I've seen docs
>    describing how, but I can't find them now.  The top (and pretty much
>    only) Google hit is:
>    [3]https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html
>    ...but I know anything under "VCLDOCS" is out of date.
>    Better link?
>    --
>    Michael Jinks :: [4]mjinks@uchicago.edu :: 773-469-9688
>    University of Chicago IT Services
> 
> References
> 
>    1. http://people.apache.org/~acoburn/shibboleth.html
>    2. mailto:acoburn@amherst.edu
>    3. https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html
>    4. mailto:mjinks@uchicago.edu

-- 
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services

Re: Shib docs?

Posted by Aaron Coburn <ac...@amherst.edu>.
Michael,
That page you mention is generally correct, but it is very incomplete. Rather than responding over email, I wrote an article on shibbolizing the VCL here:

http://people.apache.org/~acoburn/shibboleth.html

This page assumes you are using version 2.3 of the VCL. Eventually, this will make it into the site documentation. In the meantime, if any of you on this list have other tips to add, please let me know and I will add them to the web page. Also, if there are errors in the instructions, please do let me know.

In addition to what I wrote, there are many, many more things you can do to configure Shibboleth (without modifying the VCL code).

Best regards,
Aaron



--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
acoburn@amherst.edu

On Aug 16, 2012, at 6:09 PM, Michael Jinks wrote:

I need to Shibbolize my VCL installation, and I know I've seen docs
describing how, but I can't find them now.  The top (and pretty much
only) Google hit is:

https://cwiki.apache.org/VCLDOCS/setting-up-shibboleth-authentication.html

...but I know anything under "VCLDOCS" is out of date.

Better link?


--
Michael Jinks :: mjinks@uchicago.edu :: 773-469-9688
University of Chicago IT Services