>>> On 18/02/2010 at 18:25, Jon Warbrick wrote:
> On Thu, 18 Feb 2010, Peter Schober wrote:
>
>> * Andy Swiffin [2010-02-18 18:08]:
>>> ShibRequireAll On
>>>
>>> Then it starts working as expected.
>>
>> This sounds to me like there is some other requirement (e.g. "require
>> valid-user") in place somewhere which will match -- maybe in another
>> part of the filesystem (its parent directory?), or maybe as part of
>> the webserver's configuration? Just guessing...
>
> Or perhaps in shibboleth2.xml? Under Apache, access control can be
> configured both in the Apache configuration files and in shibboleth2.xml -
> sanity suggests only using one or the other.
>
Absolutely - the possibility of access control being managed in 3 places is a sure route to insanity....
AFAIK there is nothing in the httpd conf to do this and there certainly isn't in the shibboleth2.xml which I do have control over. But the fact that "ShibRequireAll On" fixes it does indicate that there may be something in the Apache config that is doing it. This is my first experience of rolling out the SP into an environment I don't own, haven't deployed and have no say over - i.e. welcome to the "real" world :-)
I have little experience of configuring Apache as a campus web server - other people here do this, so I expect that as we bring real applications into the Shibboleth authentication fold I'm going to have to work closely with the people who know about this stuff.
I'm just glad I was able to find a workaround that demonstrated that we could do authorisation based on attributes, that's all that's needed for now. The web people were quite excited by what I was able to show them yesterday. I have a nasty feeling I'm going to have to become very competent in yet another person's area in order to be able to support this....
Andy
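
An added example, not part of the original message or of the Shibboleth project: a small audit that lists configuration scopes where several `Require` rules are present without `ShibRequireAll On`, the situation guessed at in the thread, where a broad rule such as `Require valid-user` can satisfy access on its own. It assumes Apache 2.2-era mod_shib syntax; the sample config and the `affiliation` attribute name are constructed, and the check does not model inheritance between scopes or rules held in shibboleth2.xml.

```python
import re

# Constructed sample config (not taken from the thread).
SAMPLE_CONF = """\
<Location /staff>
  AuthType shibboleth
  ShibRequireSession On
  Require valid-user
  Require affiliation staff
</Location>
<Location /staff-strict>
  AuthType shibboleth
  ShibRequireSession On
  ShibRequireAll On
  Require valid-user
  Require affiliation staff
</Location>
"""

OPEN = re.compile(r"<((?:Location|Directory|Files)(?:Match)?)\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Location|Directory|Files)(?:Match)?>", re.I)

def audit(conf_text):
    """Return (scope, rules) for scopes with 2+ Require rules and no ShibRequireAll On."""
    scopes, stack = {}, ["(top level)"]   # top level covers .htaccess-style files
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN.match(line)
        if m:
            stack.append(f"{m.group(1)} {m.group(2).strip()}")
        elif CLOSE.match(line):
            if len(stack) > 1:
                stack.pop()
        else:
            words = line.split()
            scope = scopes.setdefault(stack[-1], {"requires": [], "all": False})
            if words[0].lower() == "require":
                scope["requires"].append(" ".join(words[1:]))
            elif words[0].lower() == "shibrequireall":
                scope["all"] = len(words) > 1 and words[1].lower() == "on"
    return [(name, s["requires"]) for name, s in scopes.items()
            if len(s["requires"]) > 1 and not s["all"]]

if __name__ == "__main__":
    for name, rules in audit(SAMPLE_CONF):
        print(f"{name}: rules are OR-ed: {rules}")
```
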