
[EP-tech] Shibboleth and local login



Now I got it. I completely got rid of any 
https://wiki.eprints.org/w/Webserver_authentication instruction and 
followed exactly your guide ( https://wiki.eprints.org/w/Shibboleth ) 
and... it works!

Can someone update https://wiki.eprints.org/w/Webserver_authentication 
to say that it does not work?

Also the /cgi/users/login local authentication works perfectly.

The only problem now is that you get a 500 if the user has not been 
created before. So I copied what they did for webserver auth 
(login-autocreate), and updated the login script get_user routine:

sub get_user {
    # $session is the login script's EPrints session object. REMOTE_USER is
    # only set by Apache for requests inside a Shibboleth-protected Location.
    my ( $username, $email ) = ( undef, "" );
    if( $ENV{REMOTE_USER} ) {
        #( $username ) = split( /@/, $ENV{eppn}, 2);
        $username = $ENV{REMOTE_USER};
        $username = lc( $username );
        $email = $ENV{REMOTE_USER};
    }
    return unless EPrints::Utils::is_set( $username );
    my $user = $session->user_by_username( $username );

    # Auto-create the account (as login-autocreate does for webserver auth)
    # instead of failing with a 500 when the user does not exist yet.
    if( !defined $user )
    {
        $user = EPrints::DataObj::User::create( $session, "user" );
        $user->set_value( "username", $username );
    }

    $user->set_value( "email", $email );
    $user->commit;
    return $user;
}

If someone doesn't want to autocreate users, then just do a redirect 
instead of creating a user (better to do a logout using $c->{on_logout} 
before?)

Really thanks!
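
A hardened variant of the get_user routine above, added here as an example; it is not code from this thread, from the EPrints wiki page or from EPrints itself. It keeps the auto-create behaviour behind a config switch, validates REMOTE_USER before it becomes a username, and redirects instead of creating an account (or hitting a 500) when auto-creation is off. Assumed names: the config keys shib_autocreate_users and shib_no_account_url are hypothetical keys you would set in cfg/cfg.d/; $session is passed in explicitly rather than taken from the login script's scope; config, log, redirect and user_by_username are taken to be the usual EPrints::Repository methods; and the regex assumes the Shibboleth attribute map sets REMOTE_USER from eppn (user@scope).

```perl
# Added example, not code from this thread, the EPrints wiki or EPrints itself.
# Assumptions (hypothetical names): config keys shib_autocreate_users and
# shib_no_account_url in cfg/cfg.d/; $session is the login script's EPrints
# session object, passed in by the caller; config, log, redirect and
# user_by_username are the usual EPrints::Repository methods.
use strict;
use warnings;
use EPrints;

sub get_user
{
    my( $session ) = @_;

    # REMOTE_USER is only set by Apache for requests that went through a
    # Shibboleth-protected Location, so an unset value simply means
    # "not logged in", not an error.
    my $remote = $ENV{REMOTE_USER};
    return unless EPrints::Utils::is_set( $remote );

    # Normalise to lower case and insist on an eppn-style "user@scope" value
    # (assumes the Shibboleth attribute map sets REMOTE_USER from eppn).
    # Anything else is refused and logged rather than turned into an account.
    my $username = lc( $remote );
    if( $username !~ m/^[a-z0-9._%+-]+@[a-z0-9.-]+\.[a-z]{2,}$/ )
    {
        $session->log( "shibboleth login: refusing unexpected REMOTE_USER '$remote'" );
        return;
    }

    my $user = $session->user_by_username( $username );
    return $user if defined $user;

    if( !$session->config( "shib_autocreate_users" ) )
    {
        # No account and auto-creation disabled: send the person to a page
        # explaining how to get an account. The caller must not continue
        # rendering the page after this redirect.
        my $url = $session->config( "shib_no_account_url" )
               || $session->config( "https_url" ) . "/";
        $session->redirect( $url );
        return;
    }

    # Auto-create, as login-autocreate does for webserver authentication.
    # The email is only set on creation so that an administrator's later
    # edits to an existing account are not overwritten on every login.
    $user = EPrints::DataObj::User::create( $session, "user" );
    $user->set_value( "username", $username );
    $user->set_value( "email", $username );
    $user->commit;
    return $user;
}
```

Call it from the login script as get_user( $session ) and treat an undef return as "no authenticated user". The value check matters because whatever REMOTE_USER contains becomes a repository username, so anything that is not the expected eppn shape is refused and logged rather than silently registered.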


On 07/02/2018 15:33, David R Newman wrote:
> Hi Yuri,
>
> The instructions I wrote at https://wiki.eprints.org/w/Shibboleth have
> a config file called zz_shibboleth.pl in your archive's cfg/cfg.d/ that
> uses the following line in the get_login_url sub:
>
> my $url = URI->new( $session->config( "https_url" ) . "/shibboleth/login" );
>
> This is equivalent to what you have suggested below.
>
> Also these instructions explain that you need to add the following to
> your archive's ssl/securevhost.conf after the Include line for
> EPRINTS_PATH/cfg/apache_ssl/ARCHIVENAME.conf, substituting foo for your
> archive name below:
>
> Alias /shibboleth /opt/eprints3/archives/foo/shibboleth
> <Location "/shibboleth">
>     SetHandler perl-script
>     PerlHandler ModPerl::Registry
>     PerlSendHeader Off
>     Options ExecCGI FollowSymLinks
>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require shib-session
> </Location>
>
> <Location /cgi/shibboleth>
>     AuthType shibboleth
>     ShibRequestSetting requireSession 1
>     require shib-session
> </Location>
>
> The second Location block is not absolutely necessary unless you want
> to deploy the /cgi/shibboleth test script.
>
> With this config, I can go to /cgi/users/login on http or https and not
> be redirected to /shibboleth/login.
>
> Regards
>
> David Newman
>
> On Wed, 2018-02-07 at 15:10 +0100, Yuri wrote:
>> What about:
>>
>> To avoid the loop, in auth.pl I've changed this:
>>
>>     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keeps redirecting over and over
>>
>> to:
>>
>>     my $url = "https://<mysite>/shibboleth/login";
>>
>> because of (from perl_lib/EPrints/Apache/Auth.pm):
>>
>>     if( $repository->current_url ne
>>         $repository->current_url( path => "cgi", "users/login" ) )
>>     {
>>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>>         EPrints::Apache::AnApache::send_http_header( $r );
>>         return DONE;
>>     }
>>
>> This creates a loop in authentication because it doesn't check for
>> /shibboleth/login but just for /cgi/users/login.
>>
>> On 07/02/2018 14:48, Yuri wrote:
>>> On 07/02/2018 11:04, David R Newman wrote:
>>>> Hi Yuri,
>>>>
>>>> Actually you will find if you click on the Login link it actually
>>>> takes you to /cgi/users/home; when you have configured Shibboleth,
>>>> this will redirect to /shibboleth/login rather than /cgi/users/login.
>>>> If you create a link directly to /cgi/users/login this will allow
>>>> you to still use local login.
>>> No, I tried but it sends me to Shibboleth auth. This is because
>>> /cgi/users/login is sent to https and thus to Shibboleth, because /
>>> in https is protected by Shibboleth. Just protecting /shibboleth in
>>> https does not work. You can login but you get no user from Apache. I
>>> think it has to do with REMOTE_USER being passed only when you're on a
>>> protected location, so if you're on /cgi you don't get the user, while
>>> if you're on /shibboleth you do.
>>>
>>> Can you share your https/eprints config? I'm using Debian stretch and
>>> EPrints 3.3.16 installed from tar.gz.
>>>
>>>> I go direct to /cgi/users/login all the time for repositories I
>>>> support where I am not part of the institution itself.
>>>>
>>>> The only downside of having a direct login link is you may not be
>>>> logged into the page you clicked the local login link on. However, I
>>>> think you can probably do something clever with your template to
>>>> write the current path into the href for the html of this link.
>>>>
>>>> On a side issue, I am the most recent person to significantly update
>>>> the Shibboleth page on wiki.eprints.org. I am aware of a couple of
>>>> errors. One is with the /shibboleth/login code without user creation.
>>> The user is created using login-autocreate
>>>
>>>> I have been meaning to get round to fixing this. Also, there is an
>>>> issue with the /shibboleth/login code that does create user accounts
>>>> because it does not render correctly and misses out a load of empty
>>>> string definitions in the following line:
>>>>
>>>> my ($username, $given, $family, $email) = (undef, '', '', '');
>>> Yes, I have this, but it's just cosmetic. Thanks for your help.
>>>
>>>> I will endeavour to correct these issues today.
>>> Thanks!
>>>
>>>> Regards
>>>>
>>>> David Newman
>>>>
>>>> On Wed, 2018-02-07 at 10:03 +0100, Yuri wrote:
>>>>> Hi!
>>>>>
>>>>> I'm following: https://wiki.eprints.org/w/Webserver_authentication
>>>>>
>>>>> I've found this in:
>>>>>
>>>>>     if( $repository->current_url ne
>>>>>         $repository->current_url( path => "cgi", "users/login" ) )
>>>>>     {
>>>>>         EPrints::Apache::AnApache::send_status_line( $r, 302, "Need to login first" );
>>>>>         EPrints::Apache::AnApache::header_out( $r, "Location", $login_url );
>>>>>         EPrints::Apache::AnApache::send_http_header( $r );
>>>>>         return DONE;
>>>>>     }
>>>>>
>>>>> This creates a loop in authentication because it doesn't check for
>>>>> /shibboleth/login! perl_lib/EPrints/Apache/Auth.pm
>>>>>
>>>>> My question is also how I can insert a link to a local authentication
>>>>> because if I follow a link to /cgi/users/login, I get redirected to
>>>>> shibboleth auth. Is it because of the lines above?
>>>>>
>>>>> To avoid the loop, in auth.pl I've changed this:
>>>>>
>>>>>     my $url = URI->new( $session->get_repository->get_conf( "base_url" ) . "/shibboleth/login" ); <- base_url is http, no shibboleth, so the server keeps redirecting over and over
>>>>>
>>>>> to:
>>>>>
>>>>>     my $url = "https://<mysite>/shibboleth/login";
>>>>>
>>>>> So, I think the guide is incomplete or there's something not clear
>>>>> to me...
>>>>>
>>>>> On 14/12/2017 09:11, Yuri wrote:
>>>>>> Ok, so I've just to add a link to /shibboleth/login in
>>>>>> /cgi/users/login for people who want to login using Shibboleth,
>>>>>> isn't it?
>>>>>>
>>>>>> For redirects it is not a problem, but I think /cgi/users/login
>>>>>> already saves the loginparams, so it sends you to the wanted page.
>>>>>>
>>>>>>
>>>>>>> On 13/12/2017 11:25, David R Newman wrote:
>>>>>>> Hi Yuri,
>>>>>>>
>>>>>>> The actual login page is http://HOSTNAME/cgi/users/login; you
>>>>>>> could include this link for people who want to login using local
>>>>>>> login. However, most of the links that require you to login will
>>>>>>> still always redirect to Shibboleth, so you will have to instruct
>>>>>>> your local users that they must click on the local login to ensure
>>>>>>> they are logged in before trying to use any of the logged in user
>>>>>>> functionality.
>>>>>>>
>>>>>>> You might want to do something clever with the login link to
>>>>>>> ensure the user gets returned to the same page they were on before
>>>>>>> they realised they need to login. I am not sure how to do this off
>>>>>>> the top of my head.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> David Newman
>>>>>>>
>>>>>>> On Wed, 2017-12-13 at 10:53 +0100, Yuri wrote:
>>>>>>>> Hi!
>>>>>>>>
>>>>>>>> reading and implementing this guide:
>>>>>>>>
>>>>>>>> https://wiki.eprints.org/w/Shibboleth
>>>>>>>>
>>>>>>>> every login is handled by Shibboleth. Is there a way to let the
>>>>>>>> user choose between local and Shibboleth login?
>>>>>>>>
>>>>>>>>
>>>>>>>> *** Options: http://mailman.ecs.soton.ac.uk/mailman/listinfo/eprints-tech
>>>>>>>> *** Archive: http://www.eprints.org/tech.php/
>>>>>>>> *** EPrints community wiki: http://wiki.eprints.org/
>>>>>>>> *** EPrints developers Forum: http://forum.eprints.org/