Bug 1167796 - mod_auth_mellon large scale interoperabilty patches (and a bugfix)
Summary: mod_auth_mellon large scale interoperabilty patches (and a bugfix)
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: mod_auth_mellon
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Simo Sorce
QA Contact: Namita Soman
: 1195884 (view as bug list)
Depends On:
Blocks: 1075802 1167844
TreeView+ depends on / blocked
Reported: 2014-11-25 12:41 UTC by Jarek Polok
Modified: 2019-07-11 08:23 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Users of the lasso packages could previously experience several problems related to Red Hat Enterprise Linux interoperability with Microsoft Active Directory Federation Services (ADFS). Authentication against ADFS failed when using the mod_auth_mellon module. In addition, in Apache sessions, the limit for the number of elements was insufficient and multi-value variables were not supported. Also, the MellonCond parameter did not work when used together with the MellonSetEnv(NoPrefix) parameter. This update fixes the above described problems with ADFS interoperability. (BZ#1160636, BZ#1167796)
Clone Of:
: 1167844 (view as bug list)
Last Closed: 2015-07-22 05:45:11 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1253 normal SHIPPED_LIVE lasso bug fix update 2015-07-20 17:50:05 UTC

Description Jarek Polok 2014-11-25 12:41:56 UTC
Description of problem:

Current version of mod_auth_mellon in 6.6 (0.8.0) suffers from few problems
not allowing us to deploy it at large organization scale:

1.) The generated apache session environment size is limited to 128 elements
    (env. variables): in our MS ADFS environment that number of elements can be 
    as high as 1024 (user groups) - current implementation of mod_auth_mellon 
    exits with 'internal server error' in such case. 

    [ https://github.com/UNINETT/mod_auth_mellon/issues/10 ]

2.) related to 1.) - by default generated environment contains series of 
    variables named alike MYVAR_0=val0 , MYVAR_1=val1 .. etc (single values). 
    This is not very practical for programmatic comparisons .. (and makes 
    porting of in-house applications from other auth. providers complicated)
    Multivalue variables alike MYVAR=val0;val1;... etc as for example 
    shibboleth/mod_shib generates seem to be more suitable for that purpose.

    [  https://github.com/UNINETT/mod_auth_mellon/pull/9 ]

3.) a bug: MellonCond does not work with MellonSetEnv(NoPrefix)

    [ https://github.com/UNINETT/mod_auth_mellon/issues/12 ]

Patches fixing above problems (merged upstream, apply cleanly on 0.8.0-3 in 6.6):

1). https://github.com/UNINETT/mod_auth_mellon/commit/75f6df7d49175915155b618e38a0eba3b7ae9389

2). https://github.com/UNINETT/mod_auth_mellon/commit/f02f4c7c7c47c853da61865cd5982e75f7177dcf

3). https://github.com/UNINETT/mod_auth_mellon/commit/6e8958f8311be0a772b6034b2a62cd923fb58c83

Note: same patches would be needed for upcoming RHEL 7.1 mod_auth_mellon 

Please consider adding above patches to next mod_auth_mellon releases.

Best Regards


PS: for full MS ADFS interoperabilty also this fix is needed: https://bugzilla.redhat.com/show_bug.cgi?id=1160636

Comment 11 Simo Sorce 2015-02-24 19:51:30 UTC
*** Bug 1195884 has been marked as a duplicate of this bug. ***

Comment 14 errata-xmlrpc 2015-07-22 05:45:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.