EPrints Technical Mailing List Archive
Message: #07136
Re: [EP-tech] Shibboleth and local login
- To: <eprints-tech@ecs.soton.ac.uk>
- Subject: Re: [EP-tech] Shibboleth and local login
- From: Yuri <yurj@alfa.it>
- Date: Thu, 8 Feb 2018 11:15:19 +0100
Now I got it. I completely got rid of any https://wiki.eprints.org/w/Webserver_authentication instruction and followed exactly your guide ( https://wiki.eprints.org/w/Shibboleth ) and... it works!

Can someone update https://wiki.eprints.org/w/Webserver_authentication about it not working?

Also the /cgi/users/login local authentication works perfectly. The only problem now is that you get a 500 if the user has not been created before. So I copied what they did for webserver auth (login-autocreate), and updated the login script get_user routine:

    sub get_user
    {
        my ( $username, $email ) = ( undef, "" );

        # REMOTE_USER is set by Apache for an authenticated request
        if( $ENV{REMOTE_USER} )
        {
            #( $username ) = split( /@/, $ENV{eppn}, 2);
            $username = $ENV{REMOTE_USER};
            $username = lc( $username );
            $email = $ENV{REMOTE_USER};
        }

        return unless EPrints::Utils::is_set( $username );

        my $user = $session->user_by_username( $username );

        # No account yet: create one on first login
        if( !defined $user )
        {
            $user = EPrints::DataObj::User::create( $session, "user" );
            $user->set_value( "username", $username );
        }

        $user->set_value( "email", $email );
        $user->commit;

        return $user;
    }

If someone doesn't want to autocreate users, then just do a redirect instead of creating a user (better do a logout using $c->{on_logout} before?)

Really thanks!

On 07/02/2018 15:33, David R Newman wrote:
Hi Yuri,

The instructions I wrote at https://wiki.eprints.org/w/Shibboleth have a config file called zz_shibboleth.pl in your archive's cfg/cfg.d/ that uses the following line in the get_login_url sub:

    my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );

This is the equivalent to what you have suggested below. Also these instructions explain that you need to add the following to your archive's ssl/securevhost.conf after the Include line for EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for your archive name below:

    Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
    <Location "/shibboleth">
      SetHandler perl-script
      PerlHandler ModPerl::Registry
      PerlSendHeader Off
      Options ExecCGI FollowSymLinks
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require shib-session
    </Location>
    <Location /cgi/shibboleth>
      AuthType shibboleth
      ShibRequestSetting requireSession 1
      require shib-session
    </Location>

The second Location block is not absolutely necessary unless you want to deploy the /cgi/shibboleth test script. With this config, I can go to /cgi/users/login on http or https and not be redirected to /shibboleth/login

Regards
David Newman

On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:

What about:

To avoid the loop, in auth.pl I've changed this:

    my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
    # <- base_url is http, no shibboleth, so the server keeps redirecting over and over

to:

    my $url = "https://<mysite>/shibboleth/login";

because of (from perl_lib/EPrints/Apache/Auth.pm):

    if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
    {
        EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
        EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
        EPrints::Apache::AnApache::send_http_header( $r );
        return DONE;
    }

This creates a loop in authentication because it doesn't check for /shibboleth/login but just for /cgi/users/login.

On 07/02/2018 14:48, Yuri wrote:

On 07/02/2018 11:04, David R Newman wrote:

Hi Yuri,

Actually you will find if you click on the Login link it actually takes you to /cgi/users/home, when you have configured Shibboleth, this will redirect to /shibboleth/login rather than /cgi/users/login. If you create a link directly to /cgi/users/login this will allow you to still use local login.

No, I tried but it sends me to Shibboleth auth. This is because /cgi/users/login is sent to https and thus to shibboleth because / in https is protected by shibboleth. Just protecting /shibboleth in https does not work. You can login but you get no user from apache. I think it has to do with remote_user being passed only when you've a protected location, so if you're on /cgi you don't get the user while if you're on /shibboleth yes. Can you share your https/eprints config? I'm using Debian stretch and Eprints 3.3.16 installed from tar.gz

I go direct to /cgi/users/login all the time for repositories I support where I am not part of the institution itself. The only downside of having a direct login link is you may not be logged into the page you clicked the local login link on. However, I think you can probably do something clever with your template to write the current path into the href for html of this link. On a side issue, I am the most recent person to significantly update the Shibboleth page on wiki.eprints.org. I am aware of a couple of errors. One is with the /shibboleth/login code without user creation.

The user is created using login-autocreate

I have been meaning to get round to fixing this. Also, there is an issue with the /shibboleth/login code that does create user accounts because it does not render correctly and misses out a load of empty string definitions in the following line:

    my ($username, $given, $family, $email) = (undef, '', '', '');

Yes, I've this but just cosmetic.

Thanks for your help.

I will endeavour to correct these issues today.

Thanks!

Regards
David Newman

On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:

Hi! I'm following: https://wiki.eprints.org/w/Webserver_authentication

I've found this in perl_lib/EPrints/Apache/Auth.pm:

    if( $repository->current_url ne $repository->current_url( path => "cgi", "users/login" ) )
    {
        EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
        EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
        EPrints::Apache::AnApache::send_http_header( $r );
        return DONE;
    }

this creates a loop in authentication because it doesn't check for /shibboleth/login!

My question is also how I can insert a link to a local authentication because if I follow a link to /cgi/users/login, I get redirected to shibboleth auth. Is it because of the lines above?

To avoid the loop, in auth.pl I've changed this:

    my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" );
    # <- base_url is http, no shibboleth, so the server keeps redirecting over and over

to:

    my $url = "https://<mysite>/shibboleth/login";

So, I think the guide is incomplete or there's something not clear to me...

On 14/12/2017 09:11, Yuri wrote:

Ok, so I've just to add a link to /shibboleth/login in /cgi/users/login for people who want to login using shibboleth, isn't it? For redirects it is not a problem, but I think /cgi/users/login already saves the loginparams so sends you to the wanted page.

On 13/12/2017 11:25, David R Newman wrote:

Hi Yuri,

The actual login page is http://HOSTNAME/cgi/users/login you could include this link for people who want to login using local login.

However, most of the links that require you to login will still always redirect to shibboleth, so you will have to instruct your local users that they must click on the local login to ensure they are logged in before trying to use any of the logged in user functionality. You might want to do something clever with the login link to ensure the user gets returned to the same page they were on before they realised they need to login. I am not sure how to do this off the top of my head.

Regards
David Newman

On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:

Hi! reading and implementing this guide: https://wiki.eprints.org/w/Shibboleth every login is handled by Shibboleth. Is there a way to let the user choose between local and Shibboleth login?

*** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
*** Archive: http://www.eprints.org/tech.php/
*** EPrints community wiki: http://wiki.eprints.org/
*** EPrints developers Forum: http://forum.eprints.org/
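
A stricter front end for the get_user routine at the top of this message, as an added example that is not code from the thread or from EPrints: it validates REMOTE_USER before any account lookup or auto-creation and only permits auto-creation for listed scopes, returning deny_create where the message suggests redirecting instead. The local@scope shape of REMOTE_USER, the scope list, and the names classify_remote_user and %AUTOCREATE_SCOPES are assumptions; the $exists callback stands in for $session->user_by_username.

```perl
use strict;
use warnings;

# Hypothetical policy (constructed values): scopes, i.e. the part after "@",
# whose users may be auto-created on first login.
my %AUTOCREATE_SCOPES = map { $_ => 1 } qw( example.org staff.example.org );

# Decide what get_user should do with the REMOTE_USER value from Apache.
# $exists is a callback standing in for $session->user_by_username.
# Returns a hashref with action = reject | login | create | deny_create.
sub classify_remote_user
{
    my( $remote_user, $exists ) = @_;

    return { action => "reject", reason => "REMOTE_USER not set" }
        unless defined $remote_user && length $remote_user;

    my $username = lc( $remote_user );

    # Assumption: REMOTE_USER has the form local@scope. \A and \z anchor the
    # whole string, so a trailing newline or a second "@" is refused.
    my( $local, $scope ) = $username =~
        /\A([a-z0-9][a-z0-9._-]{0,63})\@([a-z0-9](?:[a-z0-9.-]{0,251}[a-z0-9])?)\z/;
    return { action => "reject", reason => "unexpected REMOTE_USER format" }
        unless defined $scope;

    # As in the message, the same value serves as username and email.
    my %decision = ( username => $username, email => $username );
    $decision{action} =
          $exists->( $username )      ? "login"        # account already present
        : $AUTOCREATE_SCOPES{$scope}  ? "create"       # caller may create the user
        :                               "deny_create"; # redirect instead of creating
    return \%decision;
}

# Constructed sample values; only alice@example.org "exists" here.
my $exists = sub { $_[0] eq 'alice@example.org' };
my @samples = ( 'Alice@Example.org', 'bob@staff.example.org',
                'eve@other.example', "mallory\@example.org\nadmin", undef );
for my $remote_user ( @samples )
{
    my $d = classify_remote_user( $remote_user, $exists );
    my $shown = defined $remote_user ? $remote_user : "(unset)";
    $shown =~ s/\n/\\n/g;
    printf "%-32s -> %s\n", $shown, $d->{action};
}
```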