On Fri, Sep 07, 2012 at 01:21:59AM +0000, Aaron Coburn wrote:
> Michael,
> when a user logs in through Shibboleth, is that user added to any groups? 
> This might be something like "shib-student@MYAFFILIATION" or 
> "shib-staff@MYAFFILIATION". 

Well... not sure.

If I go to "Privileges", under the "User Groups" section, we have three
groups: "adminUsers@Local", "shib-admin@UCHICAGO", and
"shib-staff@UCHICAGO".  If I mouse over adminUsers@Local, I get a popup
with "admin@Local".  If I mouse over "shib-admin@UCHICAGO" I get a popup
saying "(empty group)".  If I mouse over "shib-staff@UCHICAGO" I get a
popup saying "(not authorized to view membership)".  This while logged
in as admin@Local.

Are user-specific permissions irrelevant?  I have a Shib account that
appears under the "Users" privilege list, with all the permissions boxes
checked, but it doesn't seem to get me anything other than admin
privileges.

Does assignment to groups happen within VCL or would that need to happen
at the IdP?  If in VCL, I can't find the interface.

> You should verify that you have a node in the privilege tree to which these 
> groups will be added. 

How does that happen?

Our privilege tree is currently what comes out of the box: there's the
parent node, "VCL", and two children, "admin" and "newimages".  The
stuff I described above is all from the "VCL" node, and cascades to the
lower nodes.

> For instance, you might have two nodes: VCL/My Affiliation/Students and 
> VCL/My Affiliation/Staff. Or, perhaps, just VCL/My Affiliation/All Users. 
> Whatever you decide, you need to make sure that the appropriate user groups 
> are added to that node (or nodes) and that each group has at least the 
> imageCheckOut permission enabled.

Did my description of our priv tree above answer that or are we talking
about different things?

> Looking at the page you referenced, the only thing I would add is to make 
> sure of two items:
> 
> For the computer group that you added to the node in the privilege tree, make 
> sure that the actual computers defined in the VCL are mapped to that group 
> (Go to Manage Computers -> Edit Computer Grouping)

All our computers are in the "All VM Computers" and "newvmimages"
groups, and no others.

> And second, if you go to Management Nodes -> Edit Management Node Mapping, 
> make sure that your computer group is mapped to your management node group 
> (e.g. "allManagementNodes"). And from Management Nodes -> Edit Management 
> Node Grouping, make sure that your actual management node is mapped to the 
> management node group (e.g. "allManagementNodes")

If I go to "Manage Management Nodes" -> "Edit Management Node Mapping",
I get a graph with a single row of checkboxes.  "allManagementNodes" has
ticks under "All VM Computers", "allComputers", "newimages", and
"newvmimages".

Under "Management Node Grouping", we have one node, and it's a member of
"allManagementNodes".

I think all of that was necessary to get working with local accounts.
