EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #05525



Re: [EP-tech] Errors after Shibboleth login


Hi David,

I already used the customised version of the login script. Now I have removed all the archives and created a new one.

Because I have a certificate for a certain URL, it must always be the same archive.

I followed your advice and changed eppn to uid in foo/shibboleth/login.

I use Apache 2.4.7, so please have a look at my config.

I didn't get the part in the middle of your mail. At the location foo/cgi/shibboleth there is a script that gives me all the attributes of the session. If I put my login at this place, I have to change some links in foo/cfg/cfg.d/zz_shibboleth.pl, or not? Login is still at foo/shibboleth/login.
Shall I delete the line

my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );

in foo/cfg/cfg.d/zz_shibboleth.pl?

The behaviour of the archive is now strange. I enter my login data on the IdP's screen and get a page not found: a rewriting exception. The Apache log has about 10 entries for one request (same time). BUT my user is in the database!


I'm not sure whether I have to use
require shib-session or
require valid-user

for my /shibboleth Location in the Apache config.
Thanks
Nelli





On 24.03.2016 at 09:54, David R Newman <drn@ecs.soton.ac.uk> wrote:

Hi Nelli,
 
You will need to customise your archive's shibboleth/login file.  If you look under "EPrints /shibboleth/login script" in the customisation section ( http://wiki.eprints.org/w/Shibboleth#Customisation ) then you will see a different script to the one in the main "Configuring Apache and EPrints".  I would suggest using the shibboleth/login script in the customisation section as a starting point rather than the one in "Configuring Apache and EPrints", as the "Configuring Apache and EPrints" one assumes accounts already exist and the login script does not create accounts.  Commonly with EPrints you may import your user accounts by another means.
 
It also does not look like you have an eppn Apache environment variable set from the Shibboleth attributes returned.  My advice would be to do a Shibboleth login to your repository at http://<HOSTNAME>/cgi/shibboleth rather than http://<HOSTNAME>/shibboleth/login to confirm exactly which environment variables are being set.  From what you say it sounds like you have uid and not eppn.  Therefore in the get_user sub of the customised shibboleth/login script you need to replace the two occurrences of eppn with uid.
 
The second issue you report sounds like it may be a problem with you using the Apache 2.4 configuration on an Apache 2.2 webserver.  Check the version of Apache you are running; if it is not 2.4 or higher then you will need to use the configuration in http://wiki.eprints.org/w/Shibboleth#Apache_2.2_.28and_lower.29_Configuration_for_EPrints_Shibboleth_Integration  If this is not the case, then I will have a closer look at the configuration you included in your email below.
 
Regards

David Newman
 
From: eprints-tech-bounces@ecs.soton.ac.uk [mailto:eprints-tech-bounces@ecs.soton.ac.uk] On Behalf Of Funk, Nelli
Sent: 24 March 2016 07:55
To: eprints-tech@ecs.soton.ac.uk
Subject: [EP-tech] Errors after Shibboleth login
 
Hello,
 
I'm new to EPrints development. My task was to make Shibboleth work as the login for EPrints.
The users who upload a document to EPrints are students, and the document is their bachelor's or master's thesis. So they are unknown users for EPrints. I need a login with autocreation of users. I mainly tried two websites with different login scripts
 
 
 
I get a Shibboleth session with all the attributes I need, but no user is created in the EPrints user table and I get an accout_required page.
My attributes are:
  • uid
  • sn
  • givenname
  • eduPersonEntitlement
  • transientId
  • eduPersonScopedAffiliation
  • email
Maybe some of them are not really needed. But I suppose that in the instructions uid is not set, so the user can't be stored in the database.
 
 
In the second set of instructions the user is created, but the rewrite goes to https://myurl/cgi/users/home. The error page I get is in German. I would translate it as a rewriting exception: "The page is being rewritten in an endless loop. This may happen if cookies are not set."
For these instructions there could be an error in my Apache configuration, because the other EPrints archives we have without Shibboleth go to this URL after login and get a page with content. So here is my Apache configuration for the SSL vhost:
 
<VirtualHost *:443>
  ServerName ….
  ServerAdmin ….
# SSL DEFINITIONS (deleted, because not important) 
 
Alias /shibboleth /usr/share/eprints/archives/myarchive/shibboleth
  <Location "/shibboleth">
    SetHandler perl-script
    PerlHandler ModPerl::Registry
    PerlSendHeader Off
    Options ExecCGI FollowSymLinks
 
    AuthType shibboleth
    # RequireSession Version von DFN...
    ShibRequireSession On
    # ShibRequestSetting requireSession 1
    # require shib-session
    require valid-user
  </Location>
 
  <Location /cgi/shibboleth>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require shib-session
  </Location>
 
 
  <Location "">
   PerlSetVar EPrints_ArchiveID testshib
   Options +ExecCGI
   # Order allow,deny
   # Allow from all
   # Require all granted
  </Location>
 
  # Note that PerlTransHandler can't go inside
  # a "Location" block as it occurs before the
  # Location is known.
  PerlTransHandler +EPrints::Apache::Rewrite
 
  CustomLog /var/log/apache2/my_access_ssl.log combined
  ErrorLog  /var/log/apache2/my_error_ssl.log
 
 
</VirtualHost>
 
I don't know how to solve my problem or which approach is easier. If I missed anything or the explanation is not clear, just ask.
It would be great if someone could help me.
Regards
Nelli Funk
--------------------------------------------------
Nelli Funk
Universitäts- und Landesbibliothek 
Magdalenenstr. 8
64289 Darmstadt

Tel.: 06151 16-76227
 
*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/

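The two points the thread turns on, falling back from eppn to uid in get_user and the fact that a Shibboleth session can exist without the identity attribute being released, are shown below in an added Python example. This is not EPrints' Perl shibboleth/login script and not code from the list; the in-memory user table, the helper names resolve_username and get_or_create_user, the username pattern and the sample attribute values are all assumptions made for the illustration.

```python
"""Illustrative Shibboleth-attribute to repository-user mapping with autocreation.

Added example, not EPrints' own shibboleth/login script. The in-memory
UserTable and the helper names are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass, field

# Attributes mod_shib exports into the Apache environment, in preference order.
# The thread's IdP releases uid but not eppn, so the fallback matters.
IDENTITY_ATTRIBUTES = ("eppn", "uid")

# Assumed policy: only accept identifiers that are safe to use as a repository
# username. A scoped identifier (user@idp.example) is allowed; anything else,
# including path characters or spaces, is rejected before it touches storage.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?$")


@dataclass
class User:
    username: str
    name_given: str
    name_family: str
    email: str
    usertype: str = "user"


@dataclass
class UserTable:
    """Stand-in for the EPrints user dataset (constructed, in memory)."""
    rows: dict = field(default_factory=dict)

    def find(self, username):
        return self.rows.get(username)

    def create(self, user):
        if user.username in self.rows:
            raise ValueError("duplicate username")
        self.rows[user.username] = user
        return user


def resolve_username(env):
    """Pick the login identifier from the Shibboleth-exported environment.

    Returns None when no usable identifier is present: a valid Shibboleth
    session on its own does not guarantee that eppn or uid was released, so
    the caller must handle None instead of creating an account with an
    empty username.
    """
    for attr in IDENTITY_ATTRIBUTES:
        value = (env.get(attr) or "").strip()
        if not value:
            continue
        # mod_shib joins multi-valued attributes with ';'; take the first value.
        value = value.split(";", 1)[0].strip().lower()
        if USERNAME_RE.fullmatch(value):
            return value
    return None


def get_or_create_user(env, table):
    """Return the existing user for this session, or autocreate one.

    Mirrors what the thread wants (unknown students get an account on first
    login), filling the new record only from released attributes.
    """
    username = resolve_username(env)
    if username is None:
        return None
    existing = table.find(username)
    if existing is not None:
        return existing
    user = User(
        username=username,
        name_given=(env.get("givenname") or "").strip(),
        name_family=(env.get("sn") or "").strip(),
        email=(env.get("email") or env.get("mail") or "").strip(),
    )
    return table.create(user)


if __name__ == "__main__":
    # Constructed sample of what mod_shib would export for the attributes
    # listed in the thread (uid, sn, givenname, email; no eppn).
    sample_env = {
        "uid": "nfunk",
        "sn": "Funk",
        "givenname": "Nelli",
        "email": "nfunk@example.org",
        "eduPersonScopedAffiliation": "student@example.org",
    }
    table = UserTable()
    first = get_or_create_user(sample_env, table)
    second = get_or_create_user(sample_env, table)
    print(first.username, first is second)
```

The None return is the part worth carrying over to the real script: a Location guarded only by a session requirement lets a request through whether or not the identity attribute arrived, so the login script itself has to check that the attribute is present and well-formed before it looks up or creates a database row.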