Bug 1257213
Field | Value
---|---
Summary | Attribute mapping issue (locality as state)
Product | Red Hat Enterprise Linux 7
Reporter | Veronika Kabatova <vkabatov>
Component | ipsilon
Assignee | Rob Crittenden <rcritten>
Status | CLOSED ERRATA
QA Contact | Namita Soman <nsoman>
Severity | unspecified
Priority | medium
Version | 7.2
CC | drieden, nkinder, puiterwijk, spoore
Target Milestone | rc
Target Release | ---
Hardware | Unspecified
OS | Unspecified
Fixed In Version | ipsilon-1.0.0-8.el7
Doc Type | Bug Fix
Story Points | ---
Last Closed | 2015-11-19 10:51:07 UTC
Type | Bug
Regression | ---
Mount Type | ---
Documentation | ---
Category | ---
oVirt Team | ---
Cloudforms Team | ---
Description (Veronika Kabatova, 2015-08-26 14:00:17 UTC)
Upstream ticket: https://fedorahosted.org/ipsilon/ticket/161

Fixed upstream.
master: d6b77227c3a6b777f9a782f3b5dfa9885a2be645

[root@client1 httpd]# rpm -q ipsilon-client
ipsilon-client-1.0.0-8.el7.noarch
[root@client1 httpd]# grep MellonSetEnvNoPrefix /etc/httpd/conf.d/ipsilon-saml.conf
MellonSetEnvNoPrefix REMOTE_USER_STATE state
MellonSetEnvNoPrefix REMOTE_USER_CITY city
MellonSetEnvNoPrefix REMOTE_USER_STREET street

But, in the web browser, I see this:

REMOTE_USER_STATE=mycity
REMOTE_USER_STREET=mystreet

So it appears that either I have done something wrong in testing or I'm still seeing the issue.

What version is this supposed to be fixed in?

It works for me:

[root@puiterwijk---ipsilon-test saml2sp]# rpm -q ipsilon-client ipsilon
ipsilon-client-1.0.0-8.el7.noarch
ipsilon-1.0.0-8.el7.noarch

REMOTE_USER_CITY=MyCity
REMOTE_USER_STATE=MyState

Note that this is fixed on the server side, not the client side, and you will need to re-run ipsilon-server-install with a clean slate to get it to map the attributes correctly.
Or at the very least, fix the LookupUserAttr lines in /etc/httpd/conf.d/ipsilon-*.conf to look like:

LookupUserAttr st REMOTE_USER_STATE
LookupUserAttr locality REMOTE_USER_CITY

You're right. When I reinstalled cleanly, this works.

Verified.

Version ::
ipsilon-1.0.0-8.el7.noarch

Results ::

on IDP:

[root@idp ~]# ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes
Installation initiated
Installing default config files
Configuring environment helpers
Searching for keytab in: /etc/httpd/conf/http.keytab... Found!
Configuring login managers
Configuring Info provider
Configured SSSD domain testrelm.test
Redirecting to /bin/systemctl restart sssd.service
Configuring Authentication Providers
Generating a 2048 bit RSA private key
....................................................................................+++
.................................+++
writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
-----
Installation complete.

Please restart HTTPD to enable the IdP instance.

# Keys for apache were already set up:
[root@idp ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
[root@idp ~]# file /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key
/etc/pki/tls/certs/server.pem: PEM certificate
/etc/pki/tls/private/server.key: ASCII text
[root@idp ~]# ipa service-show HTTP/`hostname`
  Principal: HTTP/idp.testrelm.test
  Certificate: MIIEnjCCA4agAwIBAgIBCzANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTUwODE5MjEyNTIxWhcNMTcwODE5MjEyNTIxWjA0MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRowGAYDVQQDDBFpZHAudGVzdHJlbG0udGVzdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJh0eRRFQe8srT7m+kd/GV+kQAixzzY1PqJZwmvkXI1RgkfulURJuJMpKEbtCaWWXIHGZvNQt8Cm9odNJw9mVUPWCP3oLs3NIEKR+TMXelw5FiglbsJLojqQXvaQtBUUQNH/ZEugTdMP3iEIjxIzDn2fAy/BSF2Lmzegsa7Nbdwz1+y+kyFdjt1Q0AbqzkVVtHDcjy97LC6b7esIOCVmFHIoa+5Un3npC1W3/aqkPtkXtXNcS0kXQp+vHOB+yrG44oQG5kZ79NX61URMX5II4RYcB0xxEUqKh/YmOEI8db+rAE2VaJeD+bfpc2sC1ROvEdCGMSfasr/5IInr3K1l9+sCAwEAAaOCAbUwggGxMB8GA1UdIwQYMBaAFDyeVVcxaObVIlpPCG8omNix0n23MD8GCCsGAQUFBwEBBDMwMTAvBggrBgEFBQcwAYYjaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjB4BgNVHR8EcTBvMG2gNaAzhjFodHRwOi8vaXBhLWNhLnRlc3RyZWxtLnRlc3QvaXBhL2NybC9NYXN0ZXJDUkwuYmluojSkMjAwMQ4wDAYDVQQKDAVpcGFjYTEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB0GA1UdDgQWBBRAeSOtUJk3bO2lCT7U6p72Y9RKvzCBhAYDVR0RBH0we6A0BgorBgEEAYI3FAIDoCYMJEhUVFAvaWRwLnRlc3RyZWxtLnRlc3RAVEVTVFJFTE0uVEVTVKBDBgYrBgEFAgKgOTA3oA8bDVRFU1RSRUxNLlRFU1ShJDAioAMCAQGhGzAZGwRIVFRQGxFpZHAudGVzdHJlbG0udGVzdDANBgkqhkiG9w0BAQsFAAOCAQEAj9DSgzUrGOZJmHJKk/G0G9TbpWhQ5uKjc0p3XesZeu8JvFad7jOSr3GJtrm9T+EHRqOrYUjiPnBg7pZbNogw31tU7QsRu8+trOlH/NN8OhvTiFmaf+zVt8I5rnCNWavBvhlGSSp3DDKSyAXfF6CyQ/oPtjJ09beyIx8nu4gw4kodd9Q8OHF3uFcMkchez8bfDf1trE0r9hZ04WRYWUuLiagUOnwvEohXfJnWIVrhksmkMKWELimiZOdw6ORiamqyGhzqwPy358SAigTC9dcsPSGsnI3DV8u4ECY3scjp7zO8iyUe/nXFS9ruz+qBOSxL1FO1nEpH8DmVOYc17PjuOg==
  Keytab: True
  Managed by: idp.testrelm.test
  Subject: CN=idp.testrelm.test,O=TESTRELM.TEST
  Serial Number: 11
  Serial Number (hex): 0xB
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Aug 19 21:25:21 2015 UTC
  Not After: Sat Aug 19 21:25:21 2017 UTC
  Fingerprint (MD5): a9:66:e0:a1:cc:0b:b6:4d:d5:64:64:e7:f0:53:59:8b
  Fingerprint (SHA1): e9:fd:1d:60:50:ff:b9:03:14:25:b2:58:49:aa:5e:c4:0c:48:b8:24
[root@idp ~]# systemctl restart httpd
[root@idp ~]#

Then on SP:

[root@client1 ~]# ipsilon-client-install --saml-auth /secure \
> --saml-sp-name $(hostname -s) \
> --saml-idp-url https://idp.testrelm.test/idp
Generating a 2048 bit RSA private key
..................................+++
............................................................................+++
writing new private key to '/etc/httpd/saml2/client1.testrelm.test/certificate.key'
-----
admin password:

# Keys/certificates were already set up here as well for apache:
[root@client1 ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key
[root@client1 ~]# file /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key
/etc/pki/tls/certs/server.pem: PEM certificate
/etc/pki/tls/private/server.key: ASCII text
[root@client1 ~]# kinit admin
Password for admin:
[root@client1 ~]# ipa service-show HTTP/`hostname`
  Principal: HTTP/client1.testrelm.test
  Certificate: [certificate omitted]
  Keytab: False
  Managed by: client1.testrelm.test
  Subject: CN=client1.testrelm.test,O=TESTRELM.TEST
  Serial Number: 12
  Serial Number (hex): 0xC
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Aug 19 21:35:25 2015 UTC
  Not After: Sat Aug 19 21:35:25 2017 UTC
  Fingerprint (MD5): 67:ae:19:2b:72:11:5f:a7:f9:ef:3d:ed:38:de:bf:b6
  Fingerprint (SHA1): a4:7d:db:c6:5f:de:71:88:2f:08:52:b9:e4:72:fe:3c:00:09:22:41
[root@client1 ~]#

[root@client1 ~]# cp /etc/httpd/conf.d/ipsilon-saml.conf /etc/httpd/conf.d/ipsilon-saml.conf.mybackup
[root@client1 ~]# sed -i '/<Location \/>/a \ MellonSetEnvNoPrefix REMOTE_USER_STATE state' /etc/httpd/conf.d/ipsilon-saml.conf
[root@client1 ~]# sed -i '/<Location \/>/a \ MellonSetEnvNoPrefix REMOTE_USER_CITY city' /etc/httpd/conf.d/ipsilon-saml.conf
[root@client1 ~]# sed -i '/<Location \/>/a \ MellonSetEnvNoPrefix REMOTE_USER_STREET street' /etc/httpd/conf.d/ipsilon-saml.conf
[root@client1 ~]# sed -i '/\/secure/a \ Options +Includes' /etc/httpd/conf.d/ipsilon-saml.conf
[root@client1 ~]# sed -i '/\/secure/a \ AddOutputFilter INCLUDES .html' /etc/httpd/conf.d/ipsilon-saml.conf
[root@client1 ~]# diff /etc/httpd/conf.d/ipsilon-saml.conf /etc/httpd/conf.d/ipsilon-saml.conf.mybackup
4,6d3
< MellonSetEnvNoPrefix REMOTE_USER_STREET street
< MellonSetEnvNoPrefix REMOTE_USER_CITY city
< MellonSetEnvNoPrefix REMOTE_USER_STATE state
26,27d22
< AddOutputFilter INCLUDES .html
< Options +Includes
[root@client1 ~]# systemctl restart httpd

This is what I now see when logging into https://client1.testrelm.test/secure from my browser:

REMOTE_USER_CITY=mycity
REMOTE_USER_CITY_0=mycity
REMOTE_USER_STATE=mystate
REMOTE_USER_STATE_0=mystate
REMOTE_USER_STREET=mystreet
REMOTE_USER_STREET_0=mystreet

So, values match variables as set in config. Looks good now.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2319.html
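Both halves of the attribute mapping appear in this thread: LookupUserAttr in /etc/httpd/conf.d/ipsilon-*.conf on the IdP, and MellonSetEnvNoPrefix in /etc/httpd/conf.d/ipsilon-saml.conf on the SP. The comment above also points out that the fix lands on the server side only, so a host upgraded to ipsilon-1.0.0-8.el7 without a clean ipsilon-server-install keeps its old mapping. The script below is an added example, not code from Ipsilon or from anyone in this bug: it parses both directive forms from constructed config fragments, checks the IdP side against the two corrected lines quoted above, and reproduces what the SP environment shows for a test user before and after the fix. The pre-fix fragment (locality feeding REMOTE_USER_STATE), the test user, and the rule that the SAML attribute name is the IdP env name with REMOTE_USER_ stripped and lowercased are assumptions for illustration; the last one matches every pair shown in the thread but is not taken from Ipsilon's source.

```python
"""Audit an Ipsilon IdP / mod_auth_mellon SP pair for the locality-as-state mapping.

Added example for this bug, not Ipsilon's own code. It parses the two directive
forms that appear in the thread and reproduces what the SP's environment would
show for a test user under an assumed pre-fix config and the post-fix config.
"""
import re

# Directive forms from the thread: LookupUserAttr in /etc/httpd/conf.d/ipsilon-*.conf
# on the IdP, MellonSetEnvNoPrefix in /etc/httpd/conf.d/ipsilon-saml.conf on the SP.
LOOKUP_RE = re.compile(r"^\s*LookupUserAttr\s+(\S+)\s+(\S+)", re.M)
MELLON_RE = re.compile(r"^\s*MellonSetEnvNoPrefix\s+(\S+)\s+(\S+)", re.M)

# The corrected server-side lines quoted in the thread.
EXPECTED_LOOKUP = {"st": "REMOTE_USER_STATE", "locality": "REMOTE_USER_CITY"}

# Constructed IdP fragments (not real files). BUGGY_IDP_CONF is an ASSUMED pre-fix
# shape in which the locality attribute feeds REMOTE_USER_STATE, the symptom in the
# bug title; FIXED_IDP_CONF carries the lines from the thread.
BUGGY_IDP_CONF = """
LookupUserAttr mail REMOTE_USER_EMAIL
LookupUserAttr locality REMOTE_USER_STATE
LookupUserAttr street REMOTE_USER_STREET
"""
FIXED_IDP_CONF = """
LookupUserAttr mail REMOTE_USER_EMAIL
LookupUserAttr st REMOTE_USER_STATE
LookupUserAttr locality REMOTE_USER_CITY
LookupUserAttr street REMOTE_USER_STREET
"""
# Constructed SP fragment: the three lines the tester added under <Location />.
SP_CONF = """
<Location />
    MellonSetEnvNoPrefix REMOTE_USER_STREET street
    MellonSetEnvNoPrefix REMOTE_USER_CITY city
    MellonSetEnvNoPrefix REMOTE_USER_STATE state
</Location>
"""
# Constructed test user carrying the values the tester used.
TEST_USER = {"st": "mystate", "locality": "mycity", "street": "mystreet",
             "mail": "user@testrelm.test"}


def parse_lookup_user_attr(conf):
    """(ldap_attr, env_var) pairs in file order, so duplicate targets stay visible."""
    return LOOKUP_RE.findall(conf)


def parse_mellon_env(conf):
    """(env_var, saml_attr) pairs from MellonSetEnvNoPrefix lines."""
    return MELLON_RE.findall(conf)


def audit_idp_mapping(idp_conf):
    """Findings against EXPECTED_LOOKUP; an empty list means the fix is in place."""
    pairs = parse_lookup_user_attr(idp_conf)
    by_attr = dict(pairs)
    findings = []
    for attr, env in EXPECTED_LOOKUP.items():
        if attr not in by_attr:
            findings.append(f"missing: LookupUserAttr {attr} {env}")
        elif by_attr[attr] != env:
            findings.append(f"wrong target: LookupUserAttr {attr} {by_attr[attr]} "
                            f"(expected {env})")
    # Two attributes feeding one env var is the other way a stale config misbehaves.
    feeders = {}
    for attr, env in pairs:
        feeders.setdefault(env, []).append(attr)
    findings.extend(f"collision: {env} set from {', '.join(attrs)}"
                    for env, attrs in feeders.items() if len(attrs) > 1)
    return findings


def saml_name_for(env_var):
    """ASSUMED IdP-side rule: strip REMOTE_USER_ and lowercase. It matches every pair
    shown in the thread (REMOTE_USER_STATE <-> state, REMOTE_USER_CITY <-> city)."""
    prefix = "REMOTE_USER_"
    name = env_var[len(prefix):] if env_var.startswith(prefix) else env_var
    return name.lower()


def simulate_sp_environment(idp_conf, sp_conf, user):
    """Env vars the SP would export for `user`, given both halves of the mapping."""
    idp_env = {env: user[attr] for attr, env in parse_lookup_user_attr(idp_conf)
               if attr in user}
    saml_attrs = {saml_name_for(env): value for env, value in idp_env.items()}
    return {env: saml_attrs[name] for env, name in parse_mellon_env(sp_conf)
            if name in saml_attrs}


if __name__ == "__main__":
    for label, conf in (("pre-fix", BUGGY_IDP_CONF), ("post-fix", FIXED_IDP_CONF)):
        print(f"== {label} IdP config ==")
        for finding in audit_idp_mapping(conf) or ["no findings"]:
            print("  ", finding)
        for env, value in sorted(simulate_sp_environment(conf, SP_CONF, TEST_USER).items()):
            print(f"   {env}={value}")
```

Run stand-alone, the pre-fix case prints REMOTE_USER_STATE=mycity with no REMOTE_USER_CITY at all, which is exactly what the tester saw in the browser before reinstalling; the post-fix case prints the three variables with matching values. To audit a live IdP, pass the contents of its /etc/httpd/conf.d/ipsilon-*.conf to audit_idp_mapping; any finding means the host still needs a clean ipsilon-server-install or the two LookupUserAttr lines corrected by hand, since upgrading the package alone does not rewrite that file.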