EPrints Technical Mailing List Archive

Message: #07136



Re: [EP-tech] Shibboleth and local login


Now I got it. I completely got rid of any https://wiki.eprints.org/w/Webserver_authentication instructions and followed exactly your guide ( https://wiki.eprints.org/w/Shibboleth ) and... it works!

Can someone update https://wiki.eprints.org/w/Webserver_authentication to note that it is not working?

Also the /cgi/users/login local authentication works perfectly.

The only problem now is that you get a 500 if the user has not been created before. So I copied what they did for webserver auth (login-autocreate) and updated the login script's get_user routine:

sub get_user {
  my ( $username, $email ) = ( undef, "" );
  # REMOTE_USER is populated by mod_shib only inside a Location that
  # carries "require shib-session" (see the /shibboleth Location below)
  if( $ENV{REMOTE_USER} ) {
    #( $username ) = split( /@/, $ENV{eppn}, 2);   # alternative: local part of the eppn only
    $username = $ENV{REMOTE_USER};
    $username = lc( $username );
    $email = $ENV{REMOTE_USER};
  }
  return unless EPrints::Utils::is_set( $username );
  my $user = $session->user_by_username( $username );

  # autocreate the account on first login (login-autocreate behaviour)
  if( !defined $user )
  {
    $user = EPrints::DataObj::User::create( $session, "user" );
    $user->set_value( "username", $username );
  }

  $user->set_value( "email", $email );
  $user->commit;
  return $user;
}

If someone doesn't want to autocreate users, then just do a redirect instead of creating a user (better to do a logout using $c->{on_logout} before?)

Thanks a lot!
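One way to handle the "no such user" case without a 500, as an added example that is neither code from this thread nor from EPrints itself: the same get_user shape as above, but with autocreate behind a site switch (the config key shibboleth_autocreate is an assumption, not an EPrints setting) and a sanity check on REMOTE_USER before it becomes a username. Like the original routine it assumes $session is already in scope in the /shibboleth/login script.

```perl
# Added example, not code from this thread or from EPrints. Meant for the
# /shibboleth/login script, where $session is in scope as in the routine
# above. shibboleth_autocreate (read via $session->config) is an assumed
# key for cfg/cfg.d/zz_shibboleth.pl; when it is unset the default is deny.
use EPrints;

sub get_user
{
    my $remote = $ENV{REMOTE_USER};
    return unless EPrints::Utils::is_set( $remote );

    # REMOTE_USER is only meaningful inside a Location that carries
    # "require shib-session" (the /shibboleth Location in the config
    # quoted below); treat it as input all the same and normalise it.
    my $username = lc( $remote );
    $username =~ s/^\s+|\s+$//g;

    # An eppn looks like user@scope. The allowed character set is an
    # assumption; tighten it to what your IdP actually issues.
    return unless length( $username ) <= 255
        && $username =~ /^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/;

    my $user = $session->user_by_username( $username );

    if( !defined $user )
    {
        # Unknown federated identity: either create the local account
        # (login-autocreate behaviour) or refuse and send the person to
        # the local login page instead of dying with a 500.
        if( !$session->config( "shibboleth_autocreate" ) )
        {
            $session->redirect( $session->config( "https_url" ) . "/cgi/users/login" );
            return;   # the caller must stop rendering after a redirect
        }
        $user = EPrints::DataObj::User::create( $session, "user" );
        $user->set_value( "username", $username );
    }

    # Only fill in the email when it is unset, so an address maintained
    # locally is not silently overwritten on every federated login.
    $user->set_value( "email", $username )
        unless EPrints::Utils::is_set( $user->get_value( "email" ) );
    $user->commit;
    return $user;
}
```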


On 07/02/2018 15:33, David R Newman wrote:
Hi Yuri,

The instructions I wrote at https://wiki.eprints.org/w/Shibboleth have
a config file called zz_shibboleth.pl in your archive's cfg/cfg.d/ that
uses the following line in the get_login_url sub:

my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );

This is the equivalent to what you have suggested below.

Also these instructions explain that you need to add the following to
your archive's ssl/securevhost.conf after the Include line for
EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for your
archive name below:

Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
<Location "/shibboleth">
   SetHandler perl-script
   PerlHandler ModPerl::Registry
   PerlSendHeader Off
   Options ExecCGI FollowSymLinks

   AuthType shibboleth
   ShibRequestSetting requireSession 1
   require shib-session
</Location>

<Location /cgi/shibboleth>
   AuthType shibboleth
   ShibRequestSetting requireSession 1
   require shib-session
</Location>

The second Location block is not absolutely necessary unless you want
to deploy the /cgi/shibboleth test script.

With this config, I can go to /cgi/users/login on http or https and not
be redirected to /shibboleth/login.

Regards

David Newman

On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:
What about:

To avoid the loop, in auth.pl I've changed this:

    my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
    <- base_url is http, no shibboleth, so the server keeps redirecting over and over

to:

    my $url = "https://<mysite>/shibboleth/login";

because of (from perl_lib/EPrints/Apache/Auth.pm):

    if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
    {
        EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
        EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
        EPrints::Apache::AnApache::send_http_header( $r );
        return DONE;
    }

This creates a loop in authentication because it doesn't check for
/shibboleth/login but just for /cgi/users/login.

On 07/02/2018 14:48, Yuri wrote:
On 07/02/2018 11:04, David R Newman wrote:
Hi Yuri,

Actually you will find that if you click on the Login link it actually
takes you to /cgi/users/home; when you have configured Shibboleth, this
will redirect to /shibboleth/login rather than /cgi/users/login.
If you create a link directly to /cgi/users/login this will allow you to
still use local login.
No, I tried but it sends me to Shibboleth auth. This is because
/cgi/users/login is sent to https and thus to shibboleth because / in
https is protected by shibboleth. Just protecting /shibboleth in https
does not work. You can login but you get no user from apache. I think it
has to do with remote_user being passed only when you've a protected
location, so if you're on /cgi you don't get the user while if you're on
/shibboleth you do.

Can you share your https/eprints config? I'm using Debian stretch and
Eprints 3.3.16 installed from tar.gz

I go direct to /cgi/users/login all the time for repositories I support
where I am not part of the institution itself.

The only downside of having a direct login link is you may not be
logged into the page you clicked the local login link on. However, I
think you can probably do something clever with your template to write
the current path into the href for the html of this link.
On a side issue, I am the most recent person to significantly update
the Shibboleth page on wiki.eprints.org. I am aware of a couple of
errors. One is with the /shibboleth/login code without user creation.
The user is created using login-autocreate

I have been meaning to get round to fixing this. Also, there is an
issue with the /shibboleth/login code that does create user accounts
because it does not render correctly and misses out a load of empty
string definitions in the following line:

my ($username, $given, $family, $email) = (undef, '', '', '');
Yes, I have this but it's just cosmetic. Thanks for your help.

I will endeavour to correct these issues today.
Thanks!

Regards

David Newman

On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
Hi!

I'm following: https://wiki.eprints.org/w/Webserver_authentication

I've found this in:

    if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
    {
        EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
        EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
        EPrints::Apache::AnApache::send_http_header( $r );
        return DONE;
    }

This creates a loop in authentication because it doesn't check for
/shibboleth/login! (perl_lib/EPrints/Apache/Auth.pm)

My question is also how I can insert a link to a local authentication,
because if I follow a link to /cgi/users/login, I get redirected to
shibboleth auth. Is it because of the lines above?

To avoid the loop, in auth.pl I've changed this:

    my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
    <- base_url is http, no shibboleth, so the server keeps redirecting over and over

to:

    my $url = "https://<mysite>/shibboleth/login";

So, I think the guide is incomplete or there's something not clear to
me...

On 14/12/2017 09:11, Yuri wrote:
Ok, so I just have to add a link to /shibboleth/login in
/cgi/users/login for people who want to login using shibboleth,
isn't it?

For redirects it is not a problem, but I think /cgi/users/login
already saves the loginparams so it sends you to the wanted page.


On 13/12/2017 11:25, David R Newman wrote:
Hi Yuri,

The actual login page is http://HOSTNAME/cgi/users/login; you could
include this link for people who want to login using local login.
However, most of the links that require you to login will still always
redirect to shibboleth, so you will have to instruct your local users
that they must click on the local login to ensure they are logged in
before trying to use any of the logged-in user functionality.

You might want to do something clever with the login link to ensure the
user gets returned to the same page they were on before they realised
they need to login. I am not sure how to do this off the top of my
head.

Regards

David Newman

On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
Hi!

Reading and implementing this guide:

https://wiki.eprints.org/w/Shibboleth

every login is handled by Shibboleth. Is there a way to let the user
choose between local and Shibboleth login?


*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/