Bug 1257213

Summary: Attribute mapping issue (locality as state)
Product: Red Hat Enterprise Linux 7
Reporter: Veronika Kabatova <vkabatov>
Component: ipsilon
Assignee: Rob Crittenden <rcritten>
Status: CLOSED ERRATA
QA Contact: Namita Soman <nsoman>
Severity: unspecified
Docs Contact:
Priority: medium
Version: 7.2
CC: drieden, nkinder, puiterwijk, spoore
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: ipsilon-1.0.0-8.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2015-11-19 10:51:07 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Veronika Kabatova 2015-08-26 14:00:17 UTC
Description of problem:
Using ipsilon with infosssd, IPA-user additional attribute "city" is used as "locality", which is then reported to "REMOTE_USER_STATE". Attribute "state" (or "st") isn't reported at all.

Version-Release number of selected component (if applicable):
ipsilon-1.0.0-7.el7.noarch
ipsilon-infosssd-1.0.0-7.el7.noarch


How reproducible:
Always.

Steps to Reproduce:
1. Have ipa-enrolled machine with ipsilon server (with ipsilon-infosssd and ipsilon-authform enabled (ipsilon-server-install --form yes --info-sssd yes)) and ipsilon client with mod_auth_mellon, where "MellonSetEnvNoPrefix" are set to REMOTE_USER_*.
2. Create IPA-user, fill additional attributes for street, city and state.
3. Look up how REMOTE_USER_* variables are populated.

Actual results:
REMOTE_USER_STATE contains the "city" value, while the actual "state" value is not shown.

Expected results:
REMOTE_USER_STATE contains the "state" value, REMOTE_USER_CITY contains the "city" value.

Additional info:

Comment 3 Nathan Kinder 2015-08-26 16:37:11 UTC
Upstream ticket:
https://fedorahosted.org/ipsilon/ticket/161

Comment 4 Rob Crittenden 2015-08-31 18:20:05 UTC
Fixed upstream.

master: d6b77227c3a6b777f9a782f3b5dfa9885a2be645

Comment 7 Scott Poore 2015-09-02 22:06:48 UTC

[root@client1 httpd]# rpm -q ipsilon-client
ipsilon-client-1.0.0-8.el7.noarch

[root@client1 httpd]# grep MellonSetEnvNoPrefix /etc/httpd/conf.d/ipsilon-saml.conf
    MellonSetEnvNoPrefix REMOTE_USER_STATE state
    MellonSetEnvNoPrefix REMOTE_USER_CITY  city
    MellonSetEnvNoPrefix REMOTE_USER_STREET street

But, in the web browser, I see this:

REMOTE_USER_STATE=mycity 
REMOTE_USER_STREET=mystreet 

So it appears that either I have done something wrong in testing or I'm still seeing the issue.

What version is this supposed to be fixed in?

Comment 8 Patrick Uiterwijk 2015-09-04 02:05:01 UTC
It works for me:

[root@puiterwijk---ipsilon-test saml2sp]# rpm -q ipsilon-client ipsilon
ipsilon-client-1.0.0-8.el7.noarch
ipsilon-1.0.0-8.el7.noarch


REMOTE_USER_CITY=MyCity
REMOTE_USER_STATE=MyState


Note that this is fixed on the server-side, not the client side, and you will need to re-run ipsilon-server-install with a clean slate to get it to map the attributes correctly.

Or at the very least, fix the LookupUserAttr lines in /etc/httpd/conf.d/ipsilon-*.conf to look like:
  LookupUserAttr st REMOTE_USER_STATE
  LookupUserAttr locality REMOTE_USER_CITY
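As an added example (not code from the bug report or from the ipsilon project), a small Python check that parses the LookupUserAttr directives in an ipsilon httpd config and flags the mis-mapping this bug describes. Both config snippets are constructed: the "before" is inferred from the description (locality exported as REMOTE_USER_STATE, st never read), the "after" uses the two lines given just above.

```python
import re

# Expected IdP-side mapping from the fix in Comment 8: sssd attribute -> env var.
EXPECTED = {"st": "REMOTE_USER_STATE", "locality": "REMOTE_USER_CITY"}
LOOKUP_RE = re.compile(r"^\s*LookupUserAttr\s+(\S+)\s+(\S+)", re.IGNORECASE)

# Constructed pre-fix snippet matching the bug description: the IPA city attribute
# (locality) is exported as REMOTE_USER_STATE and "st" is never read.
BUGGY_CONF = """\
<Location /idp>
    LookupUserAttr locality REMOTE_USER_STATE
    LookupUserAttr street REMOTE_USER_STREET
</Location>
"""

# Constructed post-fix snippet built from the two LookupUserAttr lines in Comment 8.
FIXED_CONF = """\
<Location /idp>
    LookupUserAttr st REMOTE_USER_STATE
    LookupUserAttr locality REMOTE_USER_CITY
    LookupUserAttr street REMOTE_USER_STREET
</Location>
"""

def parse_lookup_user_attr(conf_text):
    """Return {sssd_attribute: [env_var, ...]} for every LookupUserAttr directive
    (commented-out lines do not match the anchored regex)."""
    mapping = {}
    for line in conf_text.splitlines():
        m = LOOKUP_RE.match(line)
        if m:
            mapping.setdefault(m.group(1), []).append(m.group(2))
    return mapping

def check_mapping(conf_text, expected=EXPECTED):
    """Return a list of mapping problems; empty means the fixed mapping is in place."""
    mapping = parse_lookup_user_attr(conf_text)
    problems = []
    for attr, env in expected.items():
        if env not in mapping.get(attr, []):
            problems.append("missing line: LookupUserAttr %s %s" % (attr, env))
    # An env var fed by the wrong attribute is the symptom reported here:
    # REMOTE_USER_STATE carrying the city value.
    for attr, envs in mapping.items():
        for env in envs:
            if env in expected.values() and expected.get(attr) != env:
                problems.append("%s is fed by '%s', not the expected attribute" % (env, attr))
    return problems
```

Running check_mapping over the contents of /etc/httpd/conf.d/ipsilon-*.conf gives an empty list once the server has been reinstalled or the two lines corrected by hand.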

Comment 9 Scott Poore 2015-09-04 15:13:24 UTC
You're right. When I reinstalled cleanly this works.

Verified.

Version ::

ipsilon-1.0.0-8.el7.noarch

Results ::

on IDP:
[root@idp ~]# ipsilon-server-install --ipa=yes --info-sssd=yes --form=yes
Installation initiated
Installing default config files
Configuring environment helpers
Searching for keytab in: /etc/httpd/conf/http.keytab... Found!
Configuring login managers
Configuring Info provider
Configured SSSD domain testrelm.test
Redirecting to /bin/systemctl restart  sssd.service
Configuring Authentication Providers
Generating a 2048 bit RSA private key
....................................................................................+++
.................................+++
writing new private key to '/var/lib/ipsilon/idp/saml2/idp.key'
-----
Installation complete.
Please restart HTTPD to enable the IdP instance.

# Keys for apache were already set up:

[root@idp ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key

[root@idp ~]# file /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key
/etc/pki/tls/certs/server.pem:   PEM certificate
/etc/pki/tls/private/server.key: ASCII text

[root@idp ~]# ipa service-show HTTP/`hostname`
  Principal: HTTP/idp.testrelm.test
  Certificate: [base64 certificate blob omitted]
  Keytab: True
  Managed by: idp.testrelm.test
  Subject: CN=idp.testrelm.test,O=TESTRELM.TEST
  Serial Number: 11
  Serial Number (hex): 0xB
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Aug 19 21:25:21 2015 UTC
  Not After: Sat Aug 19 21:25:21 2017 UTC
  Fingerprint (MD5): a9:66:e0:a1:cc:0b:b6:4d:d5:64:64:e7:f0:53:59:8b
  Fingerprint (SHA1): e9:fd:1d:60:50:ff:b9:03:14:25:b2:58:49:aa:5e:c4:0c:48:b8:24



[root@idp ~]# systemctl restart httpd
[root@idp ~]#

Then on SP:

[root@client1 ~]# ipsilon-client-install --saml-auth /secure \
>     --saml-sp-name $(hostname -s) \
>     --saml-idp-url https://idp.testrelm.test/idp
Generating a 2048 bit RSA private key
..................................+++
............................................................................+++
writing new private key to '/etc/httpd/saml2/client1.testrelm.test/certificate.key'
-----
admin password:

# Keys/certificates were already setup here as well for apache:

[root@client1 ~]# grep ^SSLCertificate /etc/httpd/conf.d/ssl.conf
SSLCertificateFile /etc/pki/tls/certs/server.pem
SSLCertificateKeyFile /etc/pki/tls/private/server.key

[root@client1 ~]# file /etc/pki/tls/certs/server.pem /etc/pki/tls/private/server.key
/etc/pki/tls/certs/server.pem:   PEM certificate
/etc/pki/tls/private/server.key: ASCII text

[root@client1 ~]# kinit admin
Password for admin: 

[root@client1 ~]# ipa service-show HTTP/`hostname`
  Principal: HTTP/client1.testrelm.test
  Certificate: [base64 certificate blob omitted]
  Keytab: False
  Managed by: client1.testrelm.test
  Subject: CN=client1.testrelm.test,O=TESTRELM.TEST
  Serial Number: 12
  Serial Number (hex): 0xC
  Issuer: CN=Certificate Authority,O=TESTRELM.TEST
  Not Before: Wed Aug 19 21:35:25 2015 UTC
  Not After: Sat Aug 19 21:35:25 2017 UTC
  Fingerprint (MD5): 67:ae:19:2b:72:11:5f:a7:f9:ef:3d:ed:38:de:bf:b6
  Fingerprint (SHA1): a4:7d:db:c6:5f:de:71:88:2f:08:52:b9:e4:72:fe:3c:00:09:22:41
[root@client1 ~]# 


[root@client1 ~]# cp /etc/httpd/conf.d/ipsilon-saml.conf /etc/httpd/conf.d/ipsilon-saml.conf.mybackup

[root@client1 ~]# sed -i '/<Location \/>/a \    MellonSetEnvNoPrefix REMOTE_USER_STATE state' /etc/httpd/conf.d/ipsilon-saml.conf

[root@client1 ~]# sed -i '/<Location \/>/a \    MellonSetEnvNoPrefix REMOTE_USER_CITY  city' /etc/httpd/conf.d/ipsilon-saml.conf

[root@client1 ~]# sed -i '/<Location \/>/a \    MellonSetEnvNoPrefix REMOTE_USER_STREET street' /etc/httpd/conf.d/ipsilon-saml.conf

[root@client1 ~]# sed -i '/\/secure/a \    Options +Includes' /etc/httpd/conf.d/ipsilon-saml.conf

[root@client1 ~]# sed -i '/\/secure/a \    AddOutputFilter INCLUDES .html' /etc/httpd/conf.d/ipsilon-saml.conf

[root@client1 ~]# diff /etc/httpd/conf.d/ipsilon-saml.conf /etc/httpd/conf.d/ipsilon-saml.conf.mybackup
4,6d3
<     MellonSetEnvNoPrefix REMOTE_USER_STREET street
<     MellonSetEnvNoPrefix REMOTE_USER_CITY  city
<     MellonSetEnvNoPrefix REMOTE_USER_STATE state
26,27d22
<     AddOutputFilter INCLUDES .html
<     Options +Includes

[root@client1 ~]# systemctl restart httpd


This is what I now see when logging into https://client1.testrelm.test/secure from my browser:

REMOTE_USER_CITY=mycity
REMOTE_USER_CITY_0=mycity
REMOTE_USER_STATE=mystate
REMOTE_USER_STATE_0=mystate
REMOTE_USER_STREET=mystreet
REMOTE_USER_STREET_0=mystreet

So, values match variables as set in config.  Looks good now.

Comment 10 errata-xmlrpc 2015-11-19 10:51:07 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHEA-2015-2319.html