On 6/18/13 9:45 AM, "Stefan Paetow" <[log in to unmask]> wrote:
>Hi,
>
>So I'm trying to use pam_gss.so to provide federated login. The good news
>so far is that authentication succeeds, but Shibboleth fails to extract
>an attribute (or multiple attributes):

Please, please turn off that XMLObject logging category. That's serious
noise. The default logging files turn off DEBUG for selected categories
that aren't relevant. Could be the console one doesn't, you might look at
shibd.logger for examples.

After that, I'll have to review the logging code in the GSS plugin to
recall what it does and what would be in the log in different cases. I
might have to suggest adding some.

>Segmentation fault (core dumped)

That would be a bug, obviously.

>In /etc/shibboleth, I've split my attribute map, so that my GSSAPI
>attributes are maintained in a different file. My gss-attribute-map.xml
>(which is correctly linked in shibboleth2.xml to the GSSAPI
>AttributeResolver) contains this:
>
> <GSSAPIAttribute name="urn:ietf:params:gss-eap:radius-avp urn:x-radius:89" id="eppn" />
> <GSSAPIAttribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="eppn" />

I don't think that second one would make sense. You may be confused here,
you don't put SAML attributes in that configuration, that stays where it
always is. The GSS extractor runs against naming attribute extensions
present in the initiator name, and those are spec'd to have those two part
names, I think, with the space in the middle.

-- Scott