vcl-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Josh Thompson <>
Subject Re: Shib docs?
Date Wed, 22 Aug 2012 15:29:54 GMT
Hash: SHA1


Probably the simplest thing to do is to add your shibboleth based user
to the adminUsers group directly in the database.  Here's what to do:

1) get the id of your user:
   SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
2) note the returned id
3) get the id of the adminUsers group:
   SELECT id FROM usergroup WHERE name = 'adminUsers';
4) note the returned id
5) add a record to the usergroupmembers table:
   INSERT INTO usergroupmembers
   (userid, usergroupid) VALUES
   (id_from_step_2, id_from_step_4);

Then, your shibboleth account should have admin access (assuming you
left the adminUsers group having admin access).


On 08/22/12 10:48, Michael Jinks wrote:
> Hi all.  I'm stepping through Aaron's Shib instructions and I've
> managed to hose my VCL dev instance.
> Things went fine until I enabled Shib for VCL and hit the web
> interface. I immediately realized that my user account didn't have
> admin privileges, since only the user-level buttons appeared on the
> landing page.  So I tried to back out my changes, but with Shib
> disabled, my browser always gets redirected to /shibauth, which
> draws a 500/Internal Server Error.
> I've done enough investigating to be pretty sure that the redirect
> is being controlled by something in the backing database, not by
> anything in the local filesystem, but I'm not sure what has
> changed.
> How can I access an admin account with Shib enabled?  Is there any
> way to give a user account full privileges?  Our efforts up to now
> have failed.
> And/or, how can I get back from where I am?  I have SQL access to
> the backing store, so if I knew what to change I could un-shib the
> instance and start over.  I'd rather not just do a complete load
> from the database without looking around a bit first.
> On Fri, Aug 17, 2012 at 04:58:33PM +0000, Aaron Coburn wrote:
>>> Many thanks, but we're still on 2.2.  Are there lots of
>>> differences?
>> Not really.
>> The main difference is that there is no "ALLOWADDSHIBUSERS"
>> constant, so you can just skip the item related to that. You will
>> just not be able to manually add a user to a group before that
>> user has logged in for the first time.
>>> On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>>>> Michael,
>>>> That page you mention is generally correct, but it is very
>>>> incomplete. Rather than responding over email, I wrote an
>>>> article on shibbolizing the VCL here:
>>>> [1]
> <snip>

- -- 
- -------------------------------
Josh Thompson
VCL Developer
North Carolina State University

my GPG/PGP key can be found at

All electronic mail messages in connection with State business which
are sent to or received by this account are subject to the NC Public
Records Law and may be disclosed to third parties.
Version: GnuPG v2.0.17 (GNU/Linux)
Comment: Using GnuPG with Mozilla -


View raw message