Michael,

You can start by deleting userid 11 from the database. It looks to me as though the Shib attributes are not being properly passed into the VCL. I would start by performing a test in your shibauth directory:
First, create a file, such as test.php. Its contents can be as simple as:

    <?php phpinfo(); ?>

View that page in a browser -- you should be forced to authenticate first; verify that the shibboleth attributes are present (e.g. do a search for 'eppn').

If that proves to be OK, then login to the VCL through your IdP. At this point, check the database to see what values were just added to the users table. You should have a proper value in unityid, and affiliationid should not be 1. You should also have values in firstname and lastname.

If that is all OK, then login as admin@Local (restart your browser first), adding this new user to the adminUsers@Local group (from the Manage Groups menu). Now logout and log back in through your IdP. At this point, you should have the appropriate privileges.

Let me know if any of those steps fail.

BTW, the privilege tree you described is perfectly fine -- I just have mine organized differently.

Aaron

--
Aaron Coburn
Systems Administrator and Programmer
Academic Technology Services, Amherst College
[email protected]

On Sep 5, 2012, at 3:26 PM, Michael Jinks <[email protected]> wrote:

> On Tue, Sep 04, 2012 at 09:18:46PM +0000, Aaron Coburn wrote:
>> There are a number of possibilities here, but first you should investigate why there are two unityid values for mjinks. Presumably those are from different affiliations?
>
> Yeah. The first was probably created while we were using direct LDAP for authN, and the second appeared with the addition of Shib. I did add both ids to the adminUsers group, no luck.
>
>> (You may want to consider removing one of those accounts from the database).
>
> I've now done that; see below for an account of the results.
>
>> And are you certain that, when you login via Shibboleth, that the active userid (i.e. 6 or 10 in your case) is the same as the userid that you added to the adminUsers group?
>
> Yep; added both to be sure.
>> Also, you need to make sure that the adminUsers group has been added to the privilege tree properly within the VCL. For that, login as the admin@Local user, then go to "Privileges" and select the "VCL" node in the privilege tree. The "adminUsers@Local" group should be listed under "Users". If it isn't, add it and make sure that the privileges cascade.
>
> Well, this is fun... If I select the "VCL" node itself, I don't see any adminUsers@Local under "User Groups". If I select the "admin" node directly beneath VCL, then adminUsers@Local does appear under "User Groups", with all privileges checked including "Cascade to Child Nodes".
>
>> If that doesn't lead to anything, I would recommend verifying that the $authMechs configuration is correct.
>
> I'll paste my complete authMechs section below. But first: I deleted both 'mjinks' records from the user table (after removing their foreign key dependencies). Then I re-visited my management node's web UI with a live Shib cookie. Now, when I look through the user table, there's no mjinks, but there is a new record created when I came to the UI, and it's clearly wrong:
>
>     mysql> select id, unityid, affiliationid, firstname, lastname from user where id='11';
>     +----+---------+---------------+-----------+----------+
>     | id | unityid | affiliationid | firstname | lastname |
>     +----+---------+---------------+-----------+----------+
>     | 11 | @       |             1 |           |          |
>     +----+---------+---------------+-----------+----------+
>     1 row in set (0.00 sec)
>
> Any idea what might be causing this? I'm starting to wonder if I just need to start over, yet again, with a blank database.
> Anyhow, here's our complete authMechs stanza, cruft and all:
>
>     $authMechs = array(
>         "UChicago Single Sign-On" => array(
>             "type" => "redirect",
>             "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
>             "affiliationid" => 0,
>             "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
>         "Local Account" => array(
>             "type" => "local",
>             "affiliationid" => 1,
>             "help" => "You probably don't want \"Local Account\" unless you are an administrator of the VCL system."),
>         "CNet-Example" => array(
>             "type" => "ldap",
>             "server" => "ldap.uchicago.edu",
>             "binddn" => "ou=people,dc=uchicago,dc=edu",
>             "userid" => "uid=%s,ou=people,dc=uchicago,dc=edu",
>             "unityid" => "uid",
>             "firstname" => "givenName",
>             "lastname" => "sn",
>             "email" => "mail",
>             "defaultemail" => "@uchicago.edu",
>             #"lookupuserbeforeauth" => 1,
>             #"lookupuserfield" => "uid",
>             #"masterlogin" => "",
>             #"masterpwd" => "",
>             "affiliationid" => 3,
>             "help" => "The \"CNet-Example\" option is for testing and will probably go away in the future."),
>     );
>
>> On Sep 4, 2012, at 3:34 PM, Michael Jinks <[email protected]> wrote:
>>
>>> Bumping this; I didn't hear anything back when I posted the message below, about a week and a half ago.
>>>
>>> Also, I've since discovered that my Shib-backed account doesn't appear to have any privileges at all; in spite of having all the permissions boxes checked, I still don't have access to any VM images or to any but the most basic elements of the UI. What did I miss?
>>>
>>> This is on VCL 2.2.1.
>>>
>>> Thanks,
>>> -m
>>>
>>> On Fri, Aug 24, 2012 at 01:54:42PM -0500, Michael Jinks wrote:
>>>> I just got back around to trying Josh's instructions for giving my Shib user account admin rights:
>>>>
>>>> On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
>>>>> Michael,
>>>>>
>>>>> Probably the simplest thing to do is to add your shibboleth based user to the adminUsers group directly in the database.
>>>>> Here's what to do:
>>>>>
>>>>> 1) get the id of your user:
>>>>>
>>>>>     SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
>>>>>
>>>>> 2) note the returned id
>>>>>
>>>>> 3) get the id of the adminUsers group:
>>>>>
>>>>>     SELECT id FROM usergroup WHERE name = 'adminUsers';
>>>>>
>>>>> 4) note the returned id
>>>>>
>>>>> 5) add a record to the usergroupmembers table:
>>>>>
>>>>>     INSERT INTO usergroupmembers (userid, usergroupid) VALUES (id_from_step_2, id_from_step_4);
>>>>>
>>>>> Then, your shibboleth account should have admin access (assuming you left the adminUsers group having admin access).
>>>>
>>>> The good news is that (with some help from our IDM folks) I have Shib working for my devel VCL instance, and my account is logged in currently. The bad news is that I still don't have admin rights. The only navigation links on the VCL page are "HOME", "New Reservation", "Block Allocation", "User Preferences", "Statistics", and "Logout".
>>>>
>>>> Not sure if this is relevant or not, but when I did step 1 above, I got two records back instead of one:
>>>>
>>>>     +----+---------+
>>>>     | id | unityid |
>>>>     +----+---------+
>>>>     |  6 | mjinks  |
>>>>     | 10 | mjinks  |
>>>>     +----+---------+
>>>>
>>>> When I tried to add them to the adminUsers group, I found that id 6 was already there, probably as a result of my previous efforts to get this working. I added id 10 as well, but that didn't make any difference.
>>>>
>>>> I'm able to use the "Logout" button and log back in as a local admin, thank goodness... When I go to the "Privileges" page, I find that "Cascade to Child Nodes" is set for the adminUsers@Local group, and permissions there are a Christmas tree, all boxes checked.
>>>>
>>>> Any idea what else I might have missed? Thanks as always.
>>>>
>>>> --Michael
>>>>
>>>> --
>>>> Michael Jinks :: [email protected] :: 773-469-9688
>>>> University of Chicago IT Services
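An added example, not Aaron's test page and not code from the VCL project, following the shibauth test he describes above: a test.php that prints only the Shibboleth attributes and reports whether eppn would parse into a usable unityid. It assumes mod_shib exports the attributes into $_SERVER under the names eppn, affiliation, givenName, sn and mail, and that VCL takes unityid from the part of eppn before the '@' (which is what the '@' row for user id 11 suggests happens when eppn is empty); both the attribute names and that behaviour are assumptions, not taken from the thread.

```php
<?php
// Added example (not VCL's own shibauth code). Place it in the shibauth
// directory in place of a phpinfo() page: it sits behind the same Shibboleth
// session requirement but prints only what matters for creating a VCL user row.

// Attribute names assumed to be exported into $_SERVER by mod_shib.
$wanted = array('eppn', 'affiliation', 'givenName', 'sn', 'mail');

// Split an eppn value into its unityid and affiliation parts.
// Returns null for a missing or malformed value ('', '@', 'user@', '@domain'),
// the kind of input that this thread saw turn into a user row with unityid '@'
// (assumed: VCL derives unityid from the part before the '@').
function parseEppn($eppn) {
    if (!is_string($eppn) || $eppn === '') {
        return null;
    }
    $parts = explode('@', $eppn, 2);
    if (count($parts) !== 2 || $parts[0] === '' || $parts[1] === '') {
        return null;
    }
    return array('unityid' => $parts[0], 'affiliation' => $parts[1]);
}

header('Content-Type: text/plain');

// Show which of the expected attributes the SP actually released to this path.
foreach ($wanted as $name) {
    $value = isset($_SERVER[$name]) ? $_SERVER[$name] : '(not set)';
    echo str_pad($name, 12) . ': ' . $value . "\n";
}

// Report what a VCL login right now would get for unityid and affiliation.
$parsed = parseEppn(isset($_SERVER['eppn']) ? $_SERVER['eppn'] : null);
if ($parsed === null) {
    echo "\neppn is missing or malformed: the SP is not releasing it to this path.\n";
    echo "A VCL login in this state is what produced the row with unityid '@'.\n";
} else {
    echo "\nunityid     : " . $parsed['unityid'] . "\n";
    echo "affiliation : " . $parsed['affiliation'] . "\n";
}
```

Unlike phpinfo(), the page exposes nothing about the server configuration, only the attributes of the session viewing it, so it is the safer thing to leave in the shibauth directory while the attribute release is being sorted out.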
