On Tue, Sep 04, 2012 at 09:18:46PM +0000, Aaron Coburn wrote:
> 
> There are a number of possibilities here, but first you should investigate why 
> there are two unityid values for mjinks. Presumably those are from different 
> affiliations?

Yeah.  The first was probably created while we were using direct LDAP
for authN, and the second appeared with the addition of Shib.  I did add
both ids to the adminUsers group, no luck.

> (You may want to consider removing one of those accounts from the database).

I've now done that; see below for an account of the results.

> And are you certain that, when you login via Shibboleth, that the active 
> userid (i.e. 6 or 10 in your case) is the same as the userid that you added 
> to the adminUsers group?

Yep; added both to be sure.

> Also, you need to make sure that the adminUsers group has been added to the 
> privilege tree properly within the VCL. For that, login as the admin@Local 
> user, then go to "Privileges" and select the "VCL" node in the privilege 
> tree. The "adminUsers@Local" group should be listed under "Users". If it 
> isn't, add it and make sure that the privileges cascade.

Well, this is fun...

If I select the "VCL" node itself, I don't see any adminUsers@Local
under "User Groups".  If I select the "admin" node directly beneath VCL,
then adminUsers@Local does appear under "User Groups", with all
privileges checked including "Cascade to Child Nodes".

> If that doesn't lead to anything, I would recommend verifying that the 
> $authMechs configuration is correct.

I'll paste my complete authMechs section below.

But first: I deleted both 'mjinks' records from the user table (after
removing their foreign key dependencies).  Then I re-visited my
management node's web UI with a live Shib cookie.  Now, when I look
through the user table, there's no mjinks, but there is a new record
created when I came to the UI, and it's clearly wrong:

ql> select id, unityid, affiliationid, firstname, lastname from user where 
id='11';
+----+---------+---------------+-----------+----------+
| id | unityid | affiliationid | firstname | lastname |
+----+---------+---------------+-----------+----------+
| 11 | @       |             1 |           |          |
+----+---------+---------------+-----------+----------+
1 row in set (0.00 sec)


Any idea what might be causing this?

I'm starting to wonder if I just need to start over, yet again, with a
blank database.

Anyhow, here's our complete authMechs stanza, kruft and all:

$authMechs = array(
  "UChicago Single Sign-On" => array(
    "type" => "redirect",
    "URL" => "/Shibboleth.sso/Login?target=/shibauth&entityID=urn:mace:incommon:uchicago.edu",
    "affiliationid" => 0,
    "help" => "Use \"UChicago Single Sign-On\" to log in with your UChicago ID."),
  "Local Account" => array(
    "type" => "local",
    "affiliationid" => 1,
    "help" => "You probably don't want \"Local Account\" unless you are an administrator of the VCL system."),
  "CNet-Example" => array(
    "type" => "ldap",
    "server" => "ldap.uchicago.edu",
    "binddn" => "ou=people,dc=uchicago,dc=edu",
    "userid" => "uid=%s,ou=people,dc=uchicago,dc=edu",
    "unityid" => "uid",
    "firstname" => "givenName",
    "lastname" => "sn",
    "email" => "mail",
    "defaultemail" => "@uchicago.edu",
    #"lookupuserbeforeauth" => 1,
    #"lookupuserfield" => "uid",
    #"masterlogin" => "",
    #"masterpwd" => "",
    "affiliationid" => 3,
    "help" => "The \"CNet-Example\" option is for testing and will probably go away in the future."),
);

> On Sep 4, 2012, at 3:34 PM, Michael Jinks <[email protected]> wrote:
> 
> > Bumping this; I didn't hear anything back when I posted the message
> > below, about a week and a half ago.  Also, I've since discovered that
> > my Shib-backed account doesn't appear to have any privileges at all;
> > in spite of having all the permissions boxes checked, I still don't
> > have access to any VM images or to any but the most basic elements of
> > the UI.  What did I miss?
> > 
> > This is on VCL 2.2.1.
> > 
> > Thanks,
> > -m
> > 
> > 
> > On Fri, Aug 24, 2012 at 01:54:42PM -0500, Michael Jinks wrote:
> >> I just got back around to trying Josh's instructions for giving my Shib
> >> user account admin rights:
> >> 
> >> On Wed, Aug 22, 2012 at 11:29:54AM -0400, Josh Thompson wrote:
> >>> 
> >>> Michael,
> >>> 
> >>> Probably the simplest thing to do is to add your shibboleth based user
> >>> to the adminUsers group directly in the database.  Here's what to do:
> >>> 
> >>> 1) get the id of your user:
> >>>   SELECT id, unityid FROM user WHERE unityid = 'your_user_id_here';
> >>> 2) note the returned id
> >>> 3) get the id of the adminUsers group:
> >>>   SELECT id FROM usergroup WHERE name = 'adminUsers';
> >>> 4) note the returned id
> >>> 5) add a record to the usergroupmembers table:
> >>>   INSERT INTO usergroupmembers
> >>>   (userid, usergroupid) VALUES
> >>>   (id_from_step_2, id_from_step_4);
> >>> 
> >>> Then, your shibboleth account should have admin access (assuming you
> >>> left the adminUsers group having admin access).
> >> 
> >> The good news is that (with some help from our IDM folks) I have Shib
> >> working for my devel VCL instance, and my account is logged in currently.
> >> 
> >> The bad news is that I still don't have admin rights.  The only
> >> navigation links on the VCL page are "HOME", "New Reservation", "Block
> >> Allocation", "User Preferences", "Statistics", and "Logout".
> >> 
> >> Not sure if this is relevant or not, but when I did step 1 above, I got
> >> two records back instead of one:
> >> 
> >> +----+---------+
> >> | id | unityid |
> >> +----+---------+
> >> |  6 | mjinks  |
> >> | 10 | mjinks  |
> >> +----+---------+
> >> 
> >> When I tried to add them to the adminUsers group, I found that id 6 was
> >> already there, probably as a result of my previous efforts to get this
> >> working.  I added id 10 as well, but that didn't make any difference.
> >> 
> >> I'm able to use the "Logout" button and log back in as a local admin,
> >> thank goodness... When I go to the "Privileges" page, I find that
> >> "Cascade to Child Nodes" is set for the adminUsers@Local group, and
> >> permissions there are a Christmas tree, all boxes checked.
> >> 
> >> Any idea what else I might have missed?
> >> 
> >> Thanks as always.
> >> 
> >> --Michael
> > 
> > -- 
> > Michael Jinks :: [email protected] :: 773-469-9688
> > University of Chicago IT Services
> 

-- 
Michael Jinks :: [email protected] :: 773-469-9688
University of Chicago IT Services
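As an added illustration (not part of the thread and not VCL's own scripts): MySQL statements that first surface the two conditions discussed above, duplicate unityid rows and a malformed record created at Shibboleth login, and then perform Josh's adminUsers membership insert as one guarded statement. It assumes only the tables and columns visible in the thread (user, usergroup, usergroupmembers); 'your_user_id_here' and the affiliationid value are placeholders to replace.

```sql
-- Added example, not from the thread.  Uses only the VCL tables and
-- columns that appear in the messages above; nothing else is assumed.

-- 1. Surface unityid values that exist more than once (the "6 / 10"
--    situation), with the ids and affiliations involved.
SELECT unityid,
       COUNT(*)                   AS copies,
       GROUP_CONCAT(id)           AS ids,
       GROUP_CONCAT(affiliationid) AS affiliations
FROM user
GROUP BY unityid
HAVING COUNT(*) > 1;

-- 2. Surface records that look like a failed attribute mapping at login:
--    a bare '@' or empty unityid, or empty name fields (the "id 11" row).
SELECT id, unityid, affiliationid, firstname, lastname
FROM user
WHERE unityid IN ('', '@')
   OR firstname = ''
   OR lastname  = '';

-- 3. Josh's steps 1-5 as one guarded insert.  The affiliationid filter
--    (placeholder 0, the Shibboleth entry in $authMechs) pins the lookup to
--    the SSO-backed record.  If the lookup still matches several rows,
--    MySQL refuses the SET with "Subquery returns more than 1 row", which
--    is the intended stop: resolve the duplicates before granting admin.
SET @userid  = (SELECT id FROM user
                WHERE unityid = 'your_user_id_here' AND affiliationid = 0);
SET @groupid = (SELECT id FROM usergroup WHERE name = 'adminUsers');

INSERT INTO usergroupmembers (userid, usergroupid)
SELECT @userid, @groupid
FROM DUAL
WHERE @userid IS NOT NULL
  AND @groupid IS NOT NULL
  AND NOT EXISTS (SELECT 1 FROM usergroupmembers
                  WHERE userid = @userid AND usergroupid = @groupid);

-- 4. Verify who is actually in adminUsers after the change.
SELECT u.id, u.unityid, u.affiliationid
FROM usergroupmembers m
JOIN user u ON u.id = m.userid
WHERE m.usergroupid = @groupid
ORDER BY u.id;
```

Run steps 1 and 2 before step 3: if either returns rows, the membership insert is likely landing on the wrong user record, which is consistent with the symptoms described in the thread.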
