vcld setup error
Hello,

I am working on the initial vcld setup. This is what we get when we run vcld --setup:

    [root@vcltst bin]# ./vcld --setup
    VCL Management Node Setup
    Select a module to configure:
    [vcld]
    Make a selection (1, 'c' to cancel): 1
    *** Choice must be an integer between 1 and 0 ***

Any choice except c will result in the above error. Any ideas why this is happening?

Regards,
Al Quiros
Unix System Administrator
Florida International University

RE: $_SERVER variables for use in Shibauth
Thanks,

I added at the top of shibauth/index.php (for debug purposes);

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams);

and I get the correct value in an email sent to admin. But, again when I put;

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['mail'], '', $mailParams);

I get an empty email. So it looks like shibauth/index.php is getting some, but not all variables. I'm not sure if this is a vcl, php, apache or shib issue.

Thanks for your help.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 12:46 PM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, what you describe is correct regarding how eppn is split on the @ character. It is possible to modify the shibauth/index.php script to use just $_SERVER['mail']; you will need to make a good number of modifications throughout the file, though.

But I would really recommend asking the admin of your IdP to release the appropriate set of attributes to the SP running the VCL. That includes at a minimum: eppn, affiliation and mail, plus either sn and givenName or displayName. The IdP admin should be able to set up an AttributeFilterPolicy specifically for your application so it won't affect which attributes are released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our institution, at least, I cannot rely on any necessary correspondence between the two (even though in most cases they are equivalent).

Aaron

On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:

Thanks.

Here is what I'm trying to do; (I know, it's ugly)

Our IDP doesn't return eppn, but returns "mail" (email address of authenticated user). I've modified the code (shibauth/index.php) to use $_SERVER['mail'] as opposed to $_SERVER['eppn']. This is the only value I'm trying to get in shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ and puts the first part in $username before inserting into user table. I get users with names of "@", which causes all sorts of problems.

My test php script displays $_SERVER['mail'] with the correct value in it, however, vcl does NOT appear to get this value.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 11:42 AM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, the shib-related $_SERVER vars will be empty outside the shib-protected directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. the same directory you put your test PHP page)?

Aaron

On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:

Hi All,

Still working on my Shibboleth integration. For some unknown reason within vcl my $_SERVER variables are empty. I have a php test page which displays the values and I can see them. But within VCL, empty.

Anybody seen this before?

Thanks
Yanik

Re: $_SERVER variables for use in Shibauth
Yanik, you should start by making sure that apache is configured to enable shibboleth authentication on the shibauth directory. For example:

    <Location /shibauth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
    </Location>

On Oct 14, 2011, at 12:54 PM, Yannick Charbonneau wrote:

Thanks,

I added at the top of shibauth/index.php (for debug purposes);

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams);

and I get the correct value in an email sent to admin. But, again when I put;

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['mail'], '', $mailParams);

I get an empty email. So it looks like shibauth/index.php is getting some, but not all variables. I’m not sure if this is a vcl, php, apache or shib issue.

Thanks for your help.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 12:46 PM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, what you describe is correct regarding how eppn is split on the @ character. It is possible to modify the shibauth/index.php script to use just $_SERVER['mail']; you will need to make a good number of modifications throughout the file, though.

But I would really recommend asking the admin of your IdP to release the appropriate set of attributes to the SP running the VCL. That includes at a minimum: eppn, affiliation and mail, plus either sn and givenName or displayName. The IdP admin should be able to set up an AttributeFilterPolicy specifically for your application so it won't affect which attributes are released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our institution, at least, I cannot rely on any necessary correspondence between the two (even though in most cases they are equivalent).

Aaron

On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:

Thanks.

Here is what I’m trying to do; (I know, it’s ugly)

Our IDP doesn’t return eppn, but returns “mail” (email address of authenticated user). I’ve modified the code (shibauth/index.php) to use $_SERVER['mail'] as opposed to $_SERVER['eppn']. This is the only value I’m trying to get in shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ and puts the first part in $username before inserting into user table. I get users with names of “@”, which causes all sorts of problems.

My test php script displays $_SERVER['mail'] with the correct value in it, however, vcl does NOT appear to get this value.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 11:42 AM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, the shib-related $_SERVER vars will be empty outside the shib-protected directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. the same directory you put your test PHP page)?

Aaron

On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:

Hi All,

Still working on my Shibboleth integration. For some unknown reason within vcl my $_SERVER variables are empty. I have a php test page which displays the values and I can see them. But within VCL, empty.

Anybody seen this before?

Thanks
Yanik

RE: $_SERVER variables for use in Shibauth
THANK YOU, that pointed me in the right direction. I now see my variables.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 1:21 PM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, you should start by making sure that apache is configured to enable shibboleth authentication on the shibauth directory. For example:

    <Location /shibauth>
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        require valid-user
    </Location>

On Oct 14, 2011, at 12:54 PM, Yannick Charbonneau wrote:

Thanks,

I added at the top of shibauth/index.php (for debug purposes);

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['SERVER_NAME'], '', $mailParams);

and I get the correct value in an email sent to admin. But, again when I put;

    mail(ERROREMAIL, "DEBUG EMAIL", $_SERVER['mail'], '', $mailParams);

I get an empty email. So it looks like shibauth/index.php is getting some, but not all variables. I'm not sure if this is a vcl, php, apache or shib issue.

Thanks for your help.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 12:46 PM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, what you describe is correct regarding how eppn is split on the @ character. It is possible to modify the shibauth/index.php script to use just $_SERVER['mail']; you will need to make a good number of modifications throughout the file, though.

But I would really recommend asking the admin of your IdP to release the appropriate set of attributes to the SP running the VCL. That includes at a minimum: eppn, affiliation and mail, plus either sn and givenName or displayName. The IdP admin should be able to set up an AttributeFilterPolicy specifically for your application so it won't affect which attributes are released to any other SP.

I would also be cautious about using the mail value in place of eppn -- at our institution, at least, I cannot rely on any necessary correspondence between the two (even though in most cases they are equivalent).

Aaron

On Oct 14, 2011, at 11:50 AM, Yannick Charbonneau wrote:

Thanks.

Here is what I'm trying to do; (I know, it's ugly)

Our IDP doesn't return eppn, but returns "mail" (email address of authenticated user). I've modified the code (shibauth/index.php) to use $_SERVER['mail'] as opposed to $_SERVER['eppn']. This is the only value I'm trying to get in shibauth/index.php, if I understand the code, it splits eppn in 2 using the @ and puts the first part in $username before inserting into user table. I get users with names of "@", which causes all sorts of problems.

My test php script displays $_SERVER['mail'] with the correct value in it, however, vcl does NOT appear to get this value.

Yanik

From: Aaron Coburn [mailto:acob...@amherst.edu]
Sent: Friday, October 14, 2011 11:42 AM
To: vcl-user@incubator.apache.org
Subject: Re: $_SERVER variables for use in Shibauth

Yanik, the shib-related $_SERVER vars will be empty outside the shib-protected directory (/shibauth). Are they empty in the /shibauth directory, too (i.e. the same directory you put your test PHP page)?

Aaron

On Oct 14, 2011, at 11:34 AM, Yannick Charbonneau wrote:

Hi All,

Still working on my Shibboleth integration. For some unknown reason within vcl my $_SERVER variables are empty. I have a php test page which displays the values and I can see them. But within VCL, empty.

Anybody seen this before?

Thanks
Yanik

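Added example (not part of the thread, and not VCL's own shibauth/index.php): one way to fail closed when the SP has not received the attributes listed in the thread, instead of splitting an empty eppn and creating the "@" users described there. The function name and the sample values are hypothetical, and the type declarations assume PHP 7 or later.

```php
<?php
// Added example: hypothetical helper, not code from VCL.
// Rejects the login when the attribute set named in the thread is incomplete,
// rather than deriving a username from an empty or malformed eppn.

function shibIdentityFromServer(array $server): array
{
    // Minimum attribute set named in the thread: eppn, affiliation, mail.
    $missing = [];
    foreach (['eppn', 'affiliation', 'mail'] as $name) {
        if (!isset($server[$name]) || trim($server[$name]) === '') {
            $missing[] = $name;
        }
    }
    // ... plus either sn and givenName, or displayName.
    $hasFullName = !empty($server['sn']) && !empty($server['givenName']);
    if (!$hasFullName && empty($server['displayName'])) {
        $missing[] = 'sn+givenName or displayName';
    }
    if ($missing) {
        throw new RuntimeException('attributes not released: ' . implode(', ', $missing));
    }

    // eppn must be exactly local@scope, with both halves non-empty.
    $parts = explode('@', trim($server['eppn']));
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        throw new RuntimeException('malformed eppn');
    }
    return ['username' => $parts[0], 'scope' => $parts[1], 'mail' => trim($server['mail'])];
}

// Constructed sample inputs standing in for $_SERVER (not real users).
$samples = [
    'complete' => ['eppn' => 'jdoe@example.edu', 'affiliation' => 'member@example.edu',
                   'mail' => 'jane.doe@example.edu', 'displayName' => 'Jane Doe'],
    'no eppn'  => ['mail' => 'jane.doe@example.edu', 'SERVER_NAME' => 'vcl.example.edu'],
    'bad eppn' => ['eppn' => '@', 'affiliation' => 'member@example.edu',
                   'mail' => 'x@example.edu', 'displayName' => 'X'],
];
foreach ($samples as $label => $server) {
    try {
        $id = shibIdentityFromServer($server);
        echo "$label: username={$id['username']} scope={$id['scope']}\n";
    } catch (RuntimeException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```
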
Re: vcld setup error
We did and got it working.

Thanks,
Anu

On 10/14/11 4:14 PM, Andy Kurth andy_ku...@ncsu.edu wrote:

Also, in vcld.conf, remove the quotes from these lines:

    LockerWrtUser='anu'
    wrtPass='anu2011vcl'

Change to:

    LockerWrtUser=anu
    wrtPass=anu2011vcl

-Andy

On Fri, Oct 14, 2011 at 4:09 PM, Anu Chirinos a...@fiu.edu wrote:

We solved it, the .conf file had fully qualified name and db had localhost.

Anu

On 10/14/11 3:55 PM, Anu Chirinos a...@fiu.edu wrote:

    PHP version: 5.3.3
    Including .ht-inc/conf.php ...
     * successfully included .ht-inc/conf.php
    Checking COOKIEDOMAIN setting in .ht-inc/conf.php ...
     * COOKIEDOMAIN (.fiu.edu) appears to be set correctly
    Checking that BASEURL in conf.php is set to use https ...
     * BASEURL correctly set to use https
    Checking that SCRIPT is set appropriately ...
     * SCRIPT appears to be set correctly
    Checking that .ht-inc/maintenance directory exists ...
     * /.ht-inc/maintenance directory exists
    Checking that .ht-inc/maintenance directory is writable ...
     * Maintenance directory is writable
    Testing for required php extensions ...
     * All required modules are installed
    Checking values in .ht-inc/secrets.php ...
     * all required values in .ht-inc/secrets.php appear to be set
    Testing mysql connection ...
     * Successfully connected to mysql on localhost
     * Successfully selected database (vcl) on localhost
    Testing mcrypt ...
     * Successfully encrypted test string
     * Successfully decrypted test string
    checking openssl encryption keys ...
     * successfully created private key from private key file
     * successfully created public key from public key file
    Testing openssl encryption ...
     * successfully encrypted test string
     * successfully decrypted test string
    Testing for existance of dojo directory ...
     * dojo directory exists
     * dojo directory is readable
    Checking value of PHP display_errors ...
     * display_errors: disabled
     * NOTE: Displaying errors in a production system is a security risk; however,
     * while getting VCL up and running, having them displayed makes debugging
     * a little easier. Edit your php.ini file to modify this setting.
    Done

On 10/14/11 3:32 PM, Anu Chirinos a...@fiu.edu wrote:

Here is what we have

LOG

    2530| 2011-10-14 15:42:38|2530|vcld:main(131)|unable to retrieve management node information from database
    |2530| ( 0) vcld, main (line: 131)
    ^[:^Z
    [6]+ Stopped tail -f /var/log/vcld.log
    [root@vcltst vcl]# /usr/local/vcl/bin/vcld.conf

    # REQUIRED Configuration settings

    # FQDN: DNS name of the management node
    # Example: mgtnode1.hpc.someschool.edu
    FQDN=vcltst.fiu.edu

    # processname: name to call VCL daemon process
    # Default: vcld
    processname=vcld

    # log: log file location
    # Default: /var/log/vcld.log
    # If left undefined it will be named according to the above processname
    # i.e. /var/log/$PROCESSNAME.log
    log=/var/log/vcld.log

    # pidfile: process id file location
    # Default: /var/run/vcld.pid
    # If left undefined it will be named according to the above processname
    # i.e. /var/run/$PROCESSNAME.pid
    pidfile=/var/run/vcld.pid

    # Database connection information

    # database: name of MySQL database (required)
    database=vcl

    # server: IP address or FQDN of the database server (required)
    server=localhost

    # LockerWrtUser: MySQL user account name with write privileges (required)
    LockerWrtUser='anu'

    # wrtPass: MySQL password of the above LockerWrtUser (required)
    # Any length is supported by MySQL
    # Must be a string of characters: A-Z a-z 0-9
    wrtPass='anu2011vcl'

On 10/14/11 2:13 PM, Andy Kurth andy_ku...@ncsu.edu wrote:

I'm guessing it isn't able to connect to the database. You should see a list of numbered modules. What does /var/log/vcld.log contain?

-Andy

On Fri, Oct 14, 2011 at 12:12 PM, Evelio Quiros evq...@fiu.edu wrote:

Hello,

I am working on the initial vcld setup. This is what we get when we run vcld --setup:

    [root@vcltst bin]# ./vcld --setup
    VCL Management Node Setup
    Select a module to configure:
    [vcld]
    Make a selection (1, 'c' to cancel): 1
    *** Choice must be an integer between 1 and 0 ***

Any choice except c will result in the above error. Any ideas why this is happening?

Regards,
Al Quiros
Unix System Administrator
Florida International University