vcl-user mailing list archives

From Aaron Coburn <acob...@amherst.edu>
Subject Re: Shib docs?
Date Wed, 22 Aug 2012 15:26:07 GMT
Michael,

> Things went fine until I enabled Shib for VCL and hit the web interface.
> I immediately realized that my user account didn't have admin
> privileges, since only the user-level buttons appeared on the landing
> page.  So I tried to back out my changes, but with Shib disabled, my
> browser always gets redirected to /shibauth, which draws a 500/Internal
> Server Error.

For this, you may want to inspect the httpd logs.

> I've done enough investigating to be pretty sure that the redirect is
> being controlled by something in the backing database, not by anything
> in the local filesystem, but I'm not sure what has changed.

There are two reasons why your browser would redirect to the shibauth directory: either your
affiliation is configured to do that in conf.php or you have a shib session cookie.
If it is the first issue, then change the affiliation entry in conf.php. If it is the second,
just restart your browser (i.e. fully quit the application, don't just close the browser window).

> How can I access an admin account with Shib enabled?  Is there any way
> to give a user account full privileges?  Our efforts up to now have
> failed.

There are numerous ways to set this up, but the easiest is probably to log in as the admin@Local
user and add your (shib-enabled) user account to the root (VCL) node in the privilege tree.
Make sure your privileges cascade.

> And/or, how can I get back from where I am?  I have SQL access to the
> backing store, so if I knew what to change I could un-shib the instance
> and start over.  I'd rather not just do a complete load from the
> database without looking around a bit first.

The way to get back to where you started should be easy -- check the vcl.affiliation database
table, and make sure that the 'shibonly' field is set to 0 for your institution.
Also, make sure that the affiliation configuration in .ht-inc/conf.php is no longer pointing
to the Shibboleth login location.
And, as is always the case with Shibboleth, restart your browser.

Aaron

> 
> 
> On Fri, Aug 17, 2012 at 04:58:33PM +0000, Aaron Coburn wrote:
>> 
>>> Many thanks, but we're still on 2.2.  Are there lots of differences?
>> 
>> Not really.
>> 
>> The main difference is that there is no "ALLOWADDSHIBUSERS" constant, so you can
>> just skip the item related to that. You will just not be able to manually add a user to a
>> group before that user has logged in for the first time.
>> 
>> 
>> 
>>> On Fri, Aug 17, 2012 at 01:08:39AM +0000, Aaron Coburn wrote:
>>>>  Michael,
>>>> 
>>>>  That page you mention is generally correct, but it is very incomplete.
>>>>  Rather than responding over email, I wrote an article on shibbolizing
>>>>  the VCL here:
>>>> 
>>>>  [1]http://people.apache.org/~acoburn/shibboleth.html
> <snip>

