Quantcast

Shibboleth authentication for Roundup

classic Classic list List threaded Threaded
9 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Shibboleth authentication for Roundup

Tonu Mikk
Hello, 

I am interested in using Shibboleth authentication for Roundup Issue Tracker.  One of the attributes returned by Shibboleth is REMOTE_USER.  I was hoping that I would be able to use the REMOTE_USER by Roundup Issue tracker and have the user log in upon successful Shibboleth authentication as long as their REMOTE_USER value matches the username in the tracker. This doesn't seem to work.  I enabled Python Debug in the Virtual config to see where the error appears and I include it below.  

I tried the virtual host file in two ways - using the line "RequestHeader set REMOTE-USER %{REMOTE_USER}s" and without it. And in both cases the Python debug presents the same error:
  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
    raise NotFound(e)

NotFound: Shibboleth.sso

Looking for advice on how to proceed.  Thank you!

I have configured the tracker using Apache and mod-python with the following virtual host configuration:

<VirtualHost xxx.xxx.xxx.xxx:443>
        ServerName      mydomain.com
        ServerAdmin     [hidden email]

        AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
        AliasMatch ^/(?!@@file)(.*) /swadm/roundup/trackers/wcag/html/dummy.py/$1

        DocumentRoot    /swadm/roundup/trackers/wcag/html

        <Directory      /swadm/roundup/trackers/wcag/html>
                # Default allow policy
                Order Deny,Allow
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        RequestHeader set REMOTE-USER %{REMOTE_USER}s

        </Directory>

        AddHandler      python-program .py
        PythonOptimize  On
        PythonPath      "sys.path + ['/usr/lib64/python2.6/site-packages']"
        PythonHandler   roundup.cgi.apache
        PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
        PythonDebug On

      # SSL information omitted for brevity.
</VirtualHost>

Python Debug:
MOD_PYTHON ERROR

ProcessId:      23377
Interpreter:    'mydomain.com'

ServerName:     'mydomain.com'
DocumentRoot:   '/swadm/roundup/trackers/wcag/html'

URI:            '/Shibboleth.sso/SAML2/POST'
Location:       None
Directory:      None
Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
PathInfo:       '/Shibboleth.sso/SAML2/POST'

Phase:          'PythonHandler'
Handler:        'roundup.cgi.apache'

Traceback (most recent call last):

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1540, in HandlerDispatch
    default=default_handler, arg=req, silent=hlist.silent)

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1232, in _process_target
    result = _execute_target(config, req, object, arg)

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1131, in _execute_target
    result = object(arg)

  File "/usr/lib/python2.6/site-packages/roundup/cgi/apache.py", line 135, in handler
    _client.main()

  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 367, in main
    self.inner_main()

  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
    raise NotFound(e)

NotFound: Shibboleth.sso

--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | 612-625-3307

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Tom Ekberg
Tonu,

Not sure this will help, but did you enable the shib2 apache module?

Tom Ekberg
Senior Computer Specialist, Lab Medicine
University of Washington Medical Center
1959 NE Pacific St, MS 357110
Seattle WA 98195
work: (206) 598-8544
email: [hidden email]

On Thu, 23 Feb 2017, Tonu Mikk wrote:

> Date: Thu, 23 Feb 2017 10:37:25 -0600
> From: Tonu Mikk <[hidden email]>
> To: [hidden email]
> Subject: [Roundup-users] Shibboleth authentication for Roundup
>
> Hello, 
> I am interested in using Shibboleth authentication for Roundup Issue Tracker.  One of the attributes returned by Shibboleth is REMOTE_USER.  I was hoping that I would
> be able to use the REMOTE_USER by Roundup Issue tracker and have the user log in upon successful Shibboleth authentication as long as their REMOTE_USER value matches
> the username in the tracker. This doesn't seem to work.  I enabled Python Debug in the Virtual config to see where the error appears and I include it below.  
>
> I tried the virtual host file in two ways - using the line "RequestHeader set REMOTE-USER %{REMOTE_USER}s" and without it. And in both cases the Python debug presents
> the same error:
>
>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
>     raise NotFound(e)
>
> NotFound: Shibboleth.sso
>
> Looking for advice on how to proceed.  Thank you!
>
> I have configured the tracker using Apache and mod-python with the following virtual host configuration:
>
> <VirtualHost xxx.xxx.xxx.xxx:443>
>         ServerName      mydomain.com
>         ServerAdmin     [hidden email]
>
>         AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
>         AliasMatch ^/(?!@@file)(.*) /swadm/roundup/trackers/wcag/html/dummy.py/$1
>
>         DocumentRoot    /swadm/roundup/trackers/wcag/html
>
>         <Directory      /swadm/roundup/trackers/wcag/html>
>                 # Default allow policy
>                 Order Deny,Allow
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         Require valid-user
>         RequestHeader set REMOTE-USER %{REMOTE_USER}s
>
>         </Directory>
>
>         AddHandler      python-program .py
>         PythonOptimize  On
>         PythonPath      "sys.path + ['/usr/lib64/python2.6/site-packages']"
>         PythonHandler   roundup.cgi.apache
>         PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
>         PythonDebug On
>
>       # SSL information omitted for brevity.
> </VirtualHost>
>
> Python Debug:
>
> MOD_PYTHON ERROR
>
> ProcessId:      23377
> Interpreter:    'mydomain.com'
>
> ServerName:     'mydomain.com'
> DocumentRoot:   '/swadm/roundup/trackers/wcag/html'
>
> URI:            '/Shibboleth.sso/SAML2/POST'
> Location:       None
> Directory:      None
> Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
> PathInfo:       '/Shibboleth.sso/SAML2/POST'
>
> Phase:          'PythonHandler'
> Handler:        'roundup.cgi.apache'
>
> Traceback (most recent call last):
>
>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1540, in HandlerDispatch
>     default=default_handler, arg=req, silent=hlist.silent)
>
>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1232, in _process_target
>     result = _execute_target(config, req, object, arg)
>
>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1131, in _execute_target
>     result = object(arg)
>
>   File "/usr/lib/python2.6/site-packages/roundup/cgi/apache.py", line 135, in handler
>     _client.main()
>
>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 367, in main
>     self.inner_main()
>
>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
>     raise NotFound(e)
>
> NotFound: Shibboleth.sso
>
> --
> Tonu Mikk
> Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
> University of Minnesota | umn.edu 
> [hidden email] | 612-625-3307
>
>

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Tonu Mikk
Yes.  I should have mentioned that when I access the URL for the tracker, I am presented with the Shibboleth login window.  I successfully authenticate and then get the error from Roundup.

On Thu, Feb 23, 2017 at 12:31 PM, Tom Ekberg <[hidden email]> wrote:
Tonu,

Not sure this will help, but did you enable the shib2 apache module?

Tom Ekberg
Senior Computer Specialist, Lab Medicine
University of Washington Medical Center
1959 NE Pacific St, MS 357110
Seattle WA 98195
work: <a href="tel:%28206%29%20598-8544" value="+12065988544" target="_blank">(206) 598-8544
email: [hidden email]

On Thu, 23 Feb 2017, Tonu Mikk wrote:

Date: Thu, 23 Feb 2017 10:37:25 -0600
From: Tonu Mikk <[hidden email]>
To: [hidden email]
Subject: [Roundup-users] Shibboleth authentication for Roundup


Hello, 
I am interested in using Shibboleth authentication for Roundup Issue Tracker.  One of the attributes returned by Shibboleth is REMOTE_USER.  I was hoping that I would
be able to use the REMOTE_USER by Roundup Issue tracker and have the user log in upon successful Shibboleth authentication as long as their REMOTE_USER value matches
the username in the tracker. This doesn't seem to work.  I enabled Python Debug in the Virtual config to see where the error appears and I include it below.  

I tried the virtual host file in two ways - using the line "RequestHeader set REMOTE-USER %{REMOTE_USER}s" and without it. And in both cases the Python debug presents
the same error:

  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
    raise NotFound(e)

NotFound: Shibboleth.sso

Looking for advice on how to proceed.  Thank you!

I have configured the tracker using Apache and mod-python with the following virtual host configuration:

<VirtualHost xxx.xxx.xxx.xxx:443>
        ServerName      mydomain.com
        ServerAdmin     [hidden email]

        AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
        AliasMatch ^/(?!@@file)(.*) /swadm/roundup/trackers/wcag/html/dummy.py/$1

        DocumentRoot    /swadm/roundup/trackers/wcag/html

        <Directory      /swadm/roundup/trackers/wcag/html>
                # Default allow policy
                Order Deny,Allow
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require valid-user
        RequestHeader set REMOTE-USER %{REMOTE_USER}s

        </Directory>

        AddHandler      python-program .py
        PythonOptimize  On
        PythonPath      "sys.path + ['/usr/lib64/python2.6/site-packages']"
        PythonHandler   roundup.cgi.apache
        PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
        PythonDebug On

      # SSL information omitted for brevity.
</VirtualHost>

Python Debug:

MOD_PYTHON ERROR

ProcessId:      23377
Interpreter:    'mydomain.com'

ServerName:     'mydomain.com'
DocumentRoot:   '/swadm/roundup/trackers/wcag/html'

URI:            '/Shibboleth.sso/SAML2/POST'
Location:       None
Directory:      None
Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
PathInfo:       '/Shibboleth.sso/SAML2/POST'

Phase:          'PythonHandler'
Handler:        'roundup.cgi.apache'

Traceback (most recent call last):

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1540, in HandlerDispatch
    default=default_handler, arg=req, silent=hlist.silent)

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1232, in _process_target
    result = _execute_target(config, req, object, arg)

  File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line 1131, in _execute_target
    result = object(arg)

  File "/usr/lib/python2.6/site-packages/roundup/cgi/apache.py", line 135, in handler
    _client.main()

  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 367, in main
    self.inner_main()

  File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line 538, in inner_main
    raise NotFound(e)

NotFound: Shibboleth.sso

--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | <a href="tel:612-625-3307" value="+16126253307" target="_blank">612-625-3307





--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | 612-625-3307

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Ralf Schlatterbeck-3
On Thu, Feb 23, 2017 at 12:52:49PM -0600, Tonu Mikk wrote:
> Yes.  I should have mentioned that when I access the URL for the tracker, I
> am presented with the Shibboleth login window.  I successfully authenticate
> and then get the error from Roundup.

Have you set
http_auth = yes
in the section [web]
in config.ini in your tracker directory?

>From the documentation of that option:
# Whether to use HTTP Basic Authentication, if present.
# Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION
# variables supplied by your web server (in that order).
# Set this option to 'no' if you do not wish to use HTTP Basic
# Authentication in your web interface.
# Allowed values: yes, no
# Default: yes

If it still doesn't work it almost certainly is a problem of your
browser configuration not roundup.
I'm using that option in several production systems with Kerberos
authentication.

Looking at the error message it looks like the shibboleth mechanism
is trying to find Shibboleth.sso.
Now roundup by default ships files with the path prefix
@@file/

So you probably need some additional apache magic to ship
/Shibboleth.sso directly via apache not via roundup or talk
apache into shipping @@file/Shibboleth.sso and put that file
into the html directory of your tracker.


Ralf

>
> On Thu, Feb 23, 2017 at 12:31 PM, Tom Ekberg <[hidden email]> wrote:
>
> > Tonu,
> >
> > Not sure this will help, but did you enable the shib2 apache module?
> >
> > Tom Ekberg
> > Senior Computer Specialist, Lab Medicine
> > University of Washington Medical Center
> > 1959 NE Pacific St, MS 357110
> > Seattle WA 98195
> > work: (206) 598-8544
> > email: [hidden email]
> >
> > On Thu, 23 Feb 2017, Tonu Mikk wrote:
> >
> > Date: Thu, 23 Feb 2017 10:37:25 -0600
> >> From: Tonu Mikk <[hidden email]>
> >> To: [hidden email]
> >> Subject: [Roundup-users] Shibboleth authentication for Roundup
> >>
> >>
> >> Hello,
> >> I am interested in using Shibboleth authentication for Roundup Issue
> >> Tracker.  One of the attributes returned by Shibboleth is REMOTE_USER.  I
> >> was hoping that I would
> >> be able to use the REMOTE_USER by Roundup Issue tracker and have the user
> >> log in upon successful Shibboleth authentication as long as their
> >> REMOTE_USER value matches
> >> the username in the tracker. This doesn't seem to work.  I enabled Python
> >> Debug in the Virtual config to see where the error appears and I include it
> >> below.
> >>
> >> I tried the virtual host file in two ways - using the line "RequestHeader
> >> set REMOTE-USER %{REMOTE_USER}s" and without it. And in both cases the
> >> Python debug presents
> >> the same error:
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 538, in inner_main
> >>     raise NotFound(e)
> >>
> >> NotFound: Shibboleth.sso
> >>
> >> Looking for advice on how to proceed.  Thank you!
> >>
> >> I have configured the tracker using Apache and mod-python with the
> >> following virtual host configuration:
> >>
> >> <VirtualHost xxx.xxx.xxx.xxx:443>
> >>         ServerName      mydomain.com
> >>         ServerAdmin     [hidden email]
> >>
> >>         AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
> >>         AliasMatch ^/(?!@@file)(.*) /swadm/roundup/trackers/wcag/html/
> >> dummy.py/$1
> >>
> >>         DocumentRoot    /swadm/roundup/trackers/wcag/html
> >>
> >>         <Directory      /swadm/roundup/trackers/wcag/html>
> >>                 # Default allow policy
> >>                 Order Deny,Allow
> >>         AuthType shibboleth
> >>         ShibRequestSetting requireSession 1
> >>         Require valid-user
> >>         RequestHeader set REMOTE-USER %{REMOTE_USER}s
> >>
> >>         </Directory>
> >>
> >>         AddHandler      python-program .py
> >>         PythonOptimize  On
> >>         PythonPath      "sys.path + ['/usr/lib64/python2.6/site-pa
> >> ckages']"
> >>         PythonHandler   roundup.cgi.apache
> >>         PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
> >>         PythonDebug On
> >>
> >>       # SSL information omitted for brevity.
> >> </VirtualHost>
> >>
> >> Python Debug:
> >>
> >> MOD_PYTHON ERROR
> >>
> >> ProcessId:      23377
> >> Interpreter:    'mydomain.com'
> >>
> >> ServerName:     'mydomain.com'
> >> DocumentRoot:   '/swadm/roundup/trackers/wcag/html'
> >>
> >> URI:            '/Shibboleth.sso/SAML2/POST'
> >> Location:       None
> >> Directory:      None
> >> Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
> >> PathInfo:       '/Shibboleth.sso/SAML2/POST'
> >>
> >> Phase:          'PythonHandler'
> >> Handler:        'roundup.cgi.apache'
> >>
> >> Traceback (most recent call last):
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1540, in HandlerDispatch
> >>     default=default_handler, arg=req, silent=hlist.silent)
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1232, in _process_target
> >>     result = _execute_target(config, req, object, arg)
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1131, in _execute_target
> >>     result = object(arg)
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/apache.py", line
> >> 135, in handler
> >>     _client.main()
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 367, in main
> >>     self.inner_main()
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 538, in inner_main
> >>     raise NotFound(e)
> >>
> >> NotFound: Shibboleth.sso
> >>
> >> --
> >> Tonu Mikk
> >> Adaptive Technologist | Disability Resource Center |
> >> diversity.umn.edu/disability
> >> University of Minnesota | umn.edu
> >> [hidden email] | 612-625-3307
> >>
> >>
> >>
>
>
> --
> Tonu Mikk
> Adaptive Technologist | Disability Resource Center |
> diversity.umn.edu/disability
> University of Minnesota | umn.edu
> [hidden email] | 612-625-3307

> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot

> _______________________________________________
> Roundup-users mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/roundup-users


--
Dr. Ralf Schlatterbeck                  Tel:   +43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: [hidden email]

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Tonu Mikk
Yes, the config.ini has the http_auth = yes.

The problem is most certainly in the Apache configuration.  I am using the Apache and mod_python configuration from Roundup documentation.  From the documentation it looks like the Apache and mod_python is the only option for HTTPS connection which is required for Shibboleth. 

I consulted the Shibboleth mailing list and learned that the Shibboleth.sso is a virtual resource and therefore cannot be excluded using the AliasMatch rules as those require a pointer to a filesystem resource.  One suggestion was to write the AliasMatch rules in such a way that would prevent the Shibboleth.sso from being caught in the first place.  I haven't found a way to do this yet and would gladly accept suggestions :-).

Thanks!

 

 

On Fri, Feb 24, 2017 at 3:46 AM, Ralf Schlatterbeck <[hidden email]> wrote:
On Thu, Feb 23, 2017 at 12:52:49PM -0600, Tonu Mikk wrote:
> Yes.  I should have mentioned that when I access the URL for the tracker, I
> am presented with the Shibboleth login window.  I successfully authenticate
> and then get the error from Roundup.

Have you set
http_auth = yes
in the section [web]
in config.ini in your tracker directory?

>From the documentation of that option:
# Whether to use HTTP Basic Authentication, if present.
# Roundup will use either the REMOTE_USER or HTTP_AUTHORIZATION
# variables supplied by your web server (in that order).
# Set this option to 'no' if you do not wish to use HTTP Basic
# Authentication in your web interface.
# Allowed values: yes, no
# Default: yes

If it still doesn't work it almost certainly is a problem of your
browser configuration not roundup.
I'm using that option in several production systems with Kerberos
authentication.

Looking at the error message it looks like the shibboleth mechanism
is trying to find Shibboleth.sso.
Now roundup by default ships files with the path prefix
@@file/

So you probably need some additional apache magic to ship
/Shibboleth.sso directly via apache not via roundup or talk
apache into shipping @@file/Shibboleth.sso and put that file
into the html directory of your tracker.


Ralf

>
> On Thu, Feb 23, 2017 at 12:31 PM, Tom Ekberg <[hidden email]> wrote:
>
> > Tonu,
> >
> > Not sure this will help, but did you enable the shib2 apache module?
> >
> > Tom Ekberg
> > Senior Computer Specialist, Lab Medicine
> > University of Washington Medical Center
> > 1959 NE Pacific St, MS 357110
> > Seattle WA 98195
> > work: <a href="tel:%28206%29%20598-8544" value="+12065988544">(206) 598-8544
> > email: [hidden email]
> >
> > On Thu, 23 Feb 2017, Tonu Mikk wrote:
> >
> > Date: Thu, 23 Feb 2017 10:37:25 -0600
> >> From: Tonu Mikk <[hidden email]>
> >> To: [hidden email]
> >> Subject: [Roundup-users] Shibboleth authentication for Roundup
> >>
> >>
> >> Hello,
> >> I am interested in using Shibboleth authentication for Roundup Issue
> >> Tracker.  One of the attributes returned by Shibboleth is REMOTE_USER.  I
> >> was hoping that I would
> >> be able to use the REMOTE_USER by Roundup Issue tracker and have the user
> >> log in upon successful Shibboleth authentication as long as their
> >> REMOTE_USER value matches
> >> the username in the tracker. This doesn't seem to work.  I enabled Python
> >> Debug in the Virtual config to see where the error appears and I include it
> >> below.
> >>
> >> I tried the virtual host file in two ways - using the line "RequestHeader
> >> set REMOTE-USER %{REMOTE_USER}s" and without it. And in both cases the
> >> Python debug presents
> >> the same error:
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 538, in inner_main
> >>     raise NotFound(e)
> >>
> >> NotFound: Shibboleth.sso
> >>
> >> Looking for advice on how to proceed.  Thank you!
> >>
> >> I have configured the tracker using Apache and mod-python with the
> >> following virtual host configuration:
> >>
> >> <VirtualHost xxx.xxx.xxx.xxx:443>
> >>         ServerName      mydomain.com
> >>         ServerAdmin     [hidden email]
> >>
> >>         AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
> >>         AliasMatch ^/(?!@@file)(.*) /swadm/roundup/trackers/wcag/html/
> >> dummy.py/$1
> >>
> >>         DocumentRoot    /swadm/roundup/trackers/wcag/html
> >>
> >>         <Directory      /swadm/roundup/trackers/wcag/html>
> >>                 # Default allow policy
> >>                 Order Deny,Allow
> >>         AuthType shibboleth
> >>         ShibRequestSetting requireSession 1
> >>         Require valid-user
> >>         RequestHeader set REMOTE-USER %{REMOTE_USER}s
> >>
> >>         </Directory>
> >>
> >>         AddHandler      python-program .py
> >>         PythonOptimize  On
> >>         PythonPath      "sys.path + ['/usr/lib64/python2.6/site-pa
> >> ckages']"
> >>         PythonHandler   roundup.cgi.apache
> >>         PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
> >>         PythonDebug On
> >>
> >>       # SSL information omitted for brevity.
> >> </VirtualHost>
> >>
> >> Python Debug:
> >>
> >> MOD_PYTHON ERROR
> >>
> >> ProcessId:      23377
> >> Interpreter:    'mydomain.com'
> >>
> >> ServerName:     'mydomain.com'
> >> DocumentRoot:   '/swadm/roundup/trackers/wcag/html'
> >>
> >> URI:            '/Shibboleth.sso/SAML2/POST'
> >> Location:       None
> >> Directory:      None
> >> Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
> >> PathInfo:       '/Shibboleth.sso/SAML2/POST'
> >>
> >> Phase:          'PythonHandler'
> >> Handler:        'roundup.cgi.apache'
> >>
> >> Traceback (most recent call last):
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1540, in HandlerDispatch
> >>     default=default_handler, arg=req, silent=hlist.silent)
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1232, in _process_target
> >>     result = _execute_target(config, req, object, arg)
> >>
> >>   File "/usr/lib64/python2.6/site-packages/mod_python/importer.py", line
> >> 1131, in _execute_target
> >>     result = object(arg)
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/apache.py", line
> >> 135, in handler
> >>     _client.main()
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 367, in main
> >>     self.inner_main()
> >>
> >>   File "/usr/lib/python2.6/site-packages/roundup/cgi/client.py", line
> >> 538, in inner_main
> >>     raise NotFound(e)
> >>
> >> NotFound: Shibboleth.sso
> >>
> >> --
> >> Tonu Mikk
> >> Adaptive Technologist | Disability Resource Center |
> >> diversity.umn.edu/disability
> >> University of Minnesota | umn.edu
> >> [hidden email] | <a href="tel:612-625-3307" value="+16126253307">612-625-3307
> >>
> >>
> >>
>
>
> --
> Tonu Mikk
> Adaptive Technologist | Disability Resource Center |
> diversity.umn.edu/disability
> University of Minnesota | umn.edu
> [hidden email] | <a href="tel:612-625-3307" value="+16126253307">612-625-3307

> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, SlashDot.org! http://sdm.link/slashdot

> _______________________________________________
> Roundup-users mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/roundup-users


--
Dr. Ralf Schlatterbeck                  Tel:   <a href="tel:%2B43%2F2243%2F26465-16" value="+4322432646516">+43/2243/26465-16
Open Source Consulting                  www:   http://www.runtux.com
Reichergasse 131, A-3411 Weidling       email: [hidden email]



--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | 612-625-3307

------------------------------------------------------------------------------
Announcing the Oxford Dictionaries API! The API offers world-renowned
dictionary content that is easy and intuitive to access. Sign up for an
account today to start using our lexical data to power your apps and
projects. Get started today and enter our developer competition.
http://sdm.link/oxford
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Georg Lehner
In reply to this post by Tonu Mikk
On 02/23/2017 10:37 AM, Tonu Mikk wrote:
[..]

>
> <VirtualHost xxx.xxx.xxx.xxx:443>
>         ServerName      mydomain.com <http://mydomain.com>
>         ServerAdmin     [hidden email] <mailto:[hidden email]>
>
>         AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
>         AliasMatch ^/(?!@@file)(.*)
> /swadm/roundup/trackers/wcag/html/dummy.py/$1 <http://dummy.py/$1>
>
>         DocumentRoot    /swadm/roundup/trackers/wcag/html
>
>         <Directory      /swadm/roundup/trackers/wcag/html>
>                 # Default allow policy
>                 Order Deny,Allow
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         Require valid-user
>         RequestHeader set REMOTE-USER %{REMOTE_USER}s
>
>         </Directory>
>
>         AddHandler      python-program .py
>         PythonOptimize  On
>         PythonPath      "sys.path + ['/usr/lib64/python2.6/site-packages']"
>         PythonHandler   roundup.cgi.apache
>         PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
>         PythonDebug On
>
>       # SSL information omitted for brevity.
> </VirtualHost>
>
> Python Debug:
>
> MOD_PYTHON ERROR
>
> ProcessId:      23377
> Interpreter:    'mydomain.com <http://mydomain.com>'
>
> ServerName:     'mydomain.com <http://mydomain.com>'
> DocumentRoot:   '/swadm/roundup/trackers/wcag/html'
>
> URI:            '/Shibboleth.sso/SAML2/POST'
> Location:       None
> Directory:      None
> Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
> PathInfo:       '/Shibboleth.sso/SAML2/POST'
>
> Phase:          'PythonHandler'
> Handler:        'roundup.cgi.apache'
>
[..]

Hello,

The first AliasMatch lines, would not match '/Shibboleth.sso...'

The second seems to be a contrived way of "match anything else", and
maps '/Shibboleth.sso/...' to:

  /swadm/roundup/trackers/wcag/html/dummy.py/Shibboleth.sso/SAML2/POST'

which is not what you want.

You could rather do something like:

   AliasMatch  ^/(?!Shibboleth.sso)(.*)
/swadm/roundup/trackers/wcag/html/dummy.py/$1

so that '/Shibboleth.sso...' is not matched and handled otherwise by Apache.

IMHO a more stable approach would be a good planning of URI namespaces,
where your tracker uris are prefixed by some path, e.g. '/issues'.  This
eases the matching magic.  The "landing page" '/'  could simply redirect
to '/issues/something' if you can't or don't want to communicate the
'/issues' prefix to your users.

Best Regards,

   Georg Lehner


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Tonu Mikk
You could rather do something like:

   AliasMatch  ^/(?!Shibboleth.sso)(.*)
/swadm/roundup/trackers/wcag/html/dummy.py/$1

This did the trick and Shibboleth login began to work.  Thank you Georg for thinking about this and providing an answer!

In case this is of interest... by default Shibboleth returns the Remote-User attribute in the form of an email.  In order to make Shibboleth work with Roundup, I needed to change the username into an email address to match the Remote_User value.  

On Tue, Mar 21, 2017 at 10:42 AM, Georg Lehner <[hidden email]> wrote:
On 02/23/2017 10:37 AM, Tonu Mikk wrote:
[..]
>
> <VirtualHost xxx.xxx.xxx.xxx:443>
>         ServerName      mydomain.com <http://mydomain.com>
>         ServerAdmin     [hidden email] <mailto:[hidden email]>
>
>         AliasMatch ^/@@file(.*) /swadm/roundup/trackers/wcag/html$1
>         AliasMatch ^/(?!@@file)(.*)
> /swadm/roundup/trackers/wcag/html/dummy.py/$1 <http://dummy.py/$1>
>
>         DocumentRoot    /swadm/roundup/trackers/wcag/html
>
>         <Directory      /swadm/roundup/trackers/wcag/html>
>                 # Default allow policy
>                 Order Deny,Allow
>         AuthType shibboleth
>         ShibRequestSetting requireSession 1
>         Require valid-user
>         RequestHeader set REMOTE-USER %{REMOTE_USER}s
>
>         </Directory>
>
>         AddHandler      python-program .py
>         PythonOptimize  On
>         PythonPath      "sys.path + ['/usr/lib64/python2.6/site-packages']"
>         PythonHandler   roundup.cgi.apache
>         PythonOption    TrackerHome     /swadm/roundup/trackers/wcag
>         PythonDebug On
>
>       # SSL information omitted for brevity.
> </VirtualHost>
>
> Python Debug:
>
> MOD_PYTHON ERROR
>
> ProcessId:      23377
> Interpreter:    'mydomain.com <http://mydomain.com>'
>
> ServerName:     'mydomain.com <http://mydomain.com>'
> DocumentRoot:   '/swadm/roundup/trackers/wcag/html'
>
> URI:            '/Shibboleth.sso/SAML2/POST'
> Location:       None
> Directory:      None
> Filename:       '/swadm/roundup/trackers/wcag/html/dummy.py'
> PathInfo:       '/Shibboleth.sso/SAML2/POST'
>
> Phase:          'PythonHandler'
> Handler:        'roundup.cgi.apache'
>
[..]

Hello,

The first AliasMatch lines, would not match '/Shibboleth.sso...'

The second seems to be a contrived way of "match anything else", and
maps '/Shibboleth.sso/...' to:

  /swadm/roundup/trackers/wcag/html/dummy.py/Shibboleth.sso/SAML2/POST'

which is not what you want.

You could rather do something like:

   AliasMatch  ^/(?!Shibboleth.sso)(.*)
/swadm/roundup/trackers/wcag/html/dummy.py/$1

so that '/Shibboleth.sso...' is not matched and handled otherwise by Apache.

IMHO a more stable approach would be a good planning of URI namespaces,
where your tracker uris are prefixed by some path, e.g. '/issues'.  This
eases the matching magic.  The "landing page" '/'  could simply redirect
to '/issues/something' if you can't or don't want to communicate the
'/issues' prefix to your users.

Best Regards,

   Georg Lehner


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users



--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | 612-625-3307

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

John P. Rouillard

Hi Tonu:

In message
<CABDFm8iYnX6+wZZb2kYnQ6FZsBy_nXP9LSBszkLLTVqxzGmV=[hidden email].
com>,

Tonu Mikk writes:
[Georg wrote:]

>You could rather do something like:
>
>   AliasMatch  ^/(?!Shibboleth.sso)(.*)
>/swadm/roundup/trackers/wcag/html/dummy.py/$1
>
>This did the trick and Shibboleth login began to work.  Thank you
>Georg for thinking about this and providing an answer!
>
>In case this is of interest... by default Shibboleth returns the
>Remote-User attribute in the form of an email.  In order to make
>Shibboleth work with Roundup, I needed to change the username
>into an email address to match the Remote_User value.

Would you be willing to write up the key parts of your apache config
and roundup config and post it on the wiki for people looking for it
in the future?

If so let me know and I'll send you the info you need to create an
account. If you want to write it I can add it to the wiki and credit
you.

I was also going to mention that there should be a way by creating a
new login action to do a lookup by email address and map that to a
user. However REMOTE_USER bypasses that mechanism.

I think using the the web server to authenticate against Kerberos or
AD will return domain\user as the REMOTE_USER. Being able to change
that value would be useful.

Does anybody think we need to open a ticket to add the ability to
map/process the REMOTE_USER variable?

Have a great day and congrats Tonu on getting the login working.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: Shibboleth authentication for Roundup

Tonu Mikk
John, I would be glad to write in the wiki.  Thanks for checking!

On Tue, Mar 21, 2017 at 5:53 PM, John P. Rouillard <[hidden email]> wrote:

Hi Tonu:

In message
<CABDFm8iYnX6+wZZb2kYnQ6FZsBy_nXP9LSBszkLLTVqxzGmV=w@mail.gmail.
com>,

Tonu Mikk writes:
[Georg wrote:]
>You could rather do something like:
>
>   AliasMatch  ^/(?!Shibboleth.sso)(.*)
>/swadm/roundup/trackers/wcag/html/dummy.py/$1
>
>This did the trick and Shibboleth login began to work.  Thank you
>Georg for thinking about this and providing an answer!
>
>In case this is of interest... by default Shibboleth returns the
>Remote-User attribute in the form of an email.  In order to make
>Shibboleth work with Roundup, I needed to change the username
>into an email address to match the Remote_User value.

Would you be willing to write up the key parts of your apache config
and roundup config and post it on the wiki for people looking for it
in the future?

If so let me know and I'll send you the info you need to create an
account. If you want to write it I can add it to the wiki and credit
you.

I was also going to mention that there should be a way by creating a
new login action to do a lookup by email address and map that to a
user. However REMOTE_USER bypasses that mechanism.

I think using the the web server to authenticate against Kerberos or
AD will return domain\user as the REMOTE_USER. Being able to change
that value would be useful.

Does anybody think we need to open a ticket to add the ability to
map/process the REMOTE_USER variable?

Have a great day and congrats Tonu on getting the login working.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.



--
Tonu Mikk
Adaptive Technologist | Disability Resource Center | diversity.umn.edu/disability
University of Minnesota | umn.edu 
[hidden email] | 612-625-3307

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
Roundup-users mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/roundup-users
Loading...