Michael, when a user logs in through Shibboleth, is that user added to any groups? This might be something like "shib-student@MYAFFILIATION" or "shib-staff@MYAFFILIATION".
You should verify that you have a node in the privilege tree to which these groups will be added. For instance, you might have two nodes: VCL/My Affiliation/Students and VCL/My Affiliation/Staff. Or, perhaps, just VCL/My Affiliation/All Users. Whatever you decide, you need to make sure that the appropriate user groups are added to that node (or nodes) and that each group has at least the imageCheckOut permission enabled. Looking at the page you referenced, the only thing I would add is to make sure of two items: For the computer group that you added to the node in the privilege tree, make sure that the actual computers defined in the VCL are mapped to that group (Go to Manage Computers -> Edit Computer Grouping) And second, if you go to Management Nodes -> Edit Management Node Mapping, make sure that your computer group is mapped to your management node group (e.g. "allManagementNodes"). And from Management Nodes -> Edit Management Node Grouping, make sure that your actual management node is mapped to the management node group (e.g. "allManagementNodes") Hope that helps, Aaron On Sep 6, 2012, at 6:51 PM, Michael Jinks <[email protected]> wrote: > Sorry to be a pest about this, but I'm out of ideas and getting > inquiries about the status of this issue. > > I've just re-stepped through: > > https://cwiki.apache.org/VCL/granting-access-to-a-new-image.html > > Still no joy. Shib accounts have no rights to check out any images. > > > > On Thu, Sep 06, 2012 at 12:18:09AM -0500, Michael Jinks wrote: >> I can log in with Shib now, and I have admin privileges, but I don't >> have rights to access any computer images. >> >> If I move Shib configs out of the way and log in as a local admin, >> everything looks fine, images are available and assigned to virtual >> hosts and so forth. >> >> I've thrashed around all over the Privileges section, turning on every >> privilege I can find for my own account and for the >> "shib-staff@UCHICAGO" group. Under "Privileges" -> "Additional User >> Permissions", every box is checked (copied from admin@Local). But >> when I go to the "New Reservation" tab, I still get "Selection not >> currently available" no matter which image I select from the dropdown. >> >> I've adjusted the isAvailable function in utils.php to return >> differentiating codes depending on which test fails. The return code >> I'm getting now points to the allocComputer function coming back empty, >> but that doesn't tell me much about why that's the case, and it isn't >> obvious to me how to get better debugging information from that test. >> >> I know we ran into the same symptoms when we were trying to get local >> accounts to work, but I don't remember what the fix ended up being. >> >> >> -- >> Michael Jinks :: [email protected] >> University of Chicago IT Services > > -- > Michael Jinks :: [email protected] :: 773-469-9688 > University of Chicago IT Services
