Hi Sami,
You should use the Moonshot repo for FreeRADIUS - it contains some modifications that the main repo ("base", I assume) does not. Sam Hartman has mentioned that he may provide us with updated RPMs in the near future.
I recently posted some instructions for CentOS on here, I'll be happy to forward those over to you, if you wish. They could also be useful for RedHat.
With Regards
Stefan
-----Original Message-----
From: Moonshot community list [mailto:[log in to unmask]] On Behalf Of Sami Silén
Sent: 25 April 2013 12:17
To: [log in to unmask]
Subject: Freeradius IdP questions
Hi,
We are configuring a Moonshot pilot environment for proof-of-concept studies. Things are not going too smoothly, but gladly we manage to move forward step by step, thanks to support from community members.
Currently we're using FreeRADIUS 2.1.12 and I would like to know whether it is decent enough. I am copying the SAML assertion from the inner tunnel to the outer tunnel and I have to do that line by line (in the configuration it seems to be impossible to copy an array). Our SP receives this assertion but parsing fails: "ERROR XMLTooling.ParserPool : fatal error on line 2, column 690, message: expected end of tag 'ns0:AudienceRestriction'". The assertion seems to be fine when it leaves RADIUS.
I have also tried to build FreeRADIUS version 3, but the python module fails with that.
Error: rlm_python:python_load_function: module 'freeradius_aa' is not found
Thu Apr 25 13:49:29 2013 : Error: rlm_python:EXCEPT:<type 'exceptions.ImportError'>: /usr/lib64/python2.6/lib-dynload/timemodule.so: undefined symbol: PyExc_ValueError
Thu Apr 25 13:49:29 2013 : Error: rlm_python:python_load_function: failed to import python function 'freeradius_aa.instantiate'
Thu Apr 25 13:49:29 2013 : Error: /usr/local/etc/raddb/mods-enabled/modules_python[1]: Instantiation failed for module "python"
Thu Apr 25 13:49:29 2013 : Error: /usr/local/etc/raddb/sites-enabled/moonshot-inner-tunnel[292]: Failed to find "python" in the "modules" section.
Thu Apr 25 13:49:29 2013 : Error: /usr/local/etc/raddb/sites-enabled/moonshot-inner-tunnel[263]: Errors parsing post-auth section.
As you can see, we're using AA. Currently I have understood that the ECP handler must be configured so that authentication goes through with a preconfigured password. I feel this is awkward because I don't want to expose an unprotected ECP handler or break it in any sense. I think working around it could be possible if we had Apache in front of the IdP; then we could bypass authentication for localhost, but I don't think it's possible with plain Jetty/Tomcat.
Sadly, our environment is RPM based. I have noticed that the Debian repository for Moonshot packages is quite active and it even contains trust_router. Are there configuration examples for it anywhere?
Best regards,
// Sami
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd.
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
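The SP's "expected end of tag" error in Sami's message is what a truncated assertion looks like after it has been reassembled: a long string carried in a RADIUS attribute is split into several attribute values (each at most 253 bytes), and a configuration that copies them to the outer tunnel by index, one line per value, silently drops any values beyond the number of lines written. The following check is an added example and not code from the thread or from Moonshot; the assertion, the attribute name and the 253-byte split are constructed stand-ins for whatever the IdP actually emits. It reassembles the copied values and reports whether the result is well-formed XML, with the parser's line and column on failure, so the copy step can be verified before the assertion ever reaches the SP.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not real Moonshot output): a minimal SAML 2.0
# assertion carrying an AudienceRestriction, the element named in the SP's error.
SAMPLE_ASSERTION = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    '<ns0:Assertion xmlns:ns0="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-id" IssueInstant="2013-04-25T10:17:00Z" Version="2.0">'
    '<ns0:Issuer>https://idp.example.org/idp</ns0:Issuer>'
    '<ns0:Subject><ns0:NameID>user@example.org</ns0:NameID></ns0:Subject>'
    '<ns0:Conditions NotBefore="2013-04-25T10:17:00Z" NotOnOrAfter="2013-04-25T10:22:00Z">'
    '<ns0:AudienceRestriction>'
    '<ns0:Audience>https://sp.example.org/shibboleth</ns0:Audience>'
    '</ns0:AudienceRestriction>'
    '</ns0:Conditions>'
    '<ns0:AttributeStatement>'
    '<ns0:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">'
    '<ns0:AttributeValue>user@example.org</ns0:AttributeValue>'
    '</ns0:Attribute>'
    '</ns0:AttributeStatement>'
    '</ns0:Assertion>'
)

# Largest value a single RADIUS attribute can carry (assumed split size).
RADIUS_STRING_MAX = 253


def split_into_attribute_values(text, size=RADIUS_STRING_MAX):
    """Model the server splitting one long string across several instances of a
    multi-valued attribute, each at most `size` bytes."""
    data = text.encode("utf-8")
    return [data[i:i + size] for i in range(0, len(data), size)]


def copy_by_index(values, indices):
    """Model an unlang config that copies attr[0], attr[1], ... one line at a
    time: only the indices the config names reach the outer tunnel."""
    return [values[i] for i in indices if i < len(values)]


def check_assertion(values):
    """Reassemble the copied values and check well-formedness.

    Returns (ok, detail); on failure `detail` carries the parser's line and
    column, comparable to the SP's XMLTooling error.
    """
    blob = b"".join(values)
    try:
        root = ET.fromstring(blob)
    except ET.ParseError as exc:
        line, column = exc.position
        return False, "parse error at line %d, column %d: %s" % (line, column, exc)
    return True, root.tag


def demo():
    """Compare a complete copy with a config hard-coded for two lines."""
    values = split_into_attribute_values(SAMPLE_ASSERTION)
    full = copy_by_index(values, range(len(values)))
    short = copy_by_index(values, range(2))
    return len(values), check_assertion(full), check_assertion(short)


if __name__ == "__main__":
    count, full_result, short_result = demo()
    print("assertion split into %d attribute values" % count)
    print("complete copy:", full_result)
    print("two-line copy:", short_result)
```

Running it shows the constructed assertion spans three attribute values, that copying all of them yields a parseable document, and that a configuration written for two lines produces a truncated blob the parser rejects. The practical lesson is to count the values the IdP actually produces (or check the reassembled result at the SP side with a parser like this) rather than trusting a fixed number of copy lines, since a longer assertion, for example one with more attributes, will need more values than the configuration was written for.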