Hello Kalle,
thanks for your information. In my case, using native.logger didn't
work, but it did work console.logger. I set there the logging level to
DEBUG and it started giving information.
The only GSS related problem I saw is the following:
2013-06-18 08:03:08 DEBUG Shibboleth.AttributeExtractor.XML : unable to
extract attributes, unknown XML object type:
{urn:mace:shibboleth:2.0:attribute-map}GSSAPIName
But, plugins.so is loaded as shown here:
2013-06-18 08:03:08 INFO XMLTooling.Config : loading extension: plugins.so
2013-06-18 08:03:08 INFO XMLTooling.Config : loaded extension:
/usr/local/moonshot/lib/shibboleth/plugins.so
2013-06-18 08:03:08 DEBUG Shibboleth.Config : loaded out of process
extension library (plugins.so)
And the command "nm /usr/local/moonshot/lib/shibboleth/plugins.so | grep
-i gss" returns:
U GSS_C_NT_EXPORT_NAME@@gssapi_krb5_2_MIT
000164b0 t _GLOBAL__I_GSSAPIAttributeExtractor.cpp
00017c90 W _ZN5boost10scoped_ptrIN6shibsp19GSSAPIExtractorImplEED1Ev
000165d0 T _ZN6shibsp15GSSAPIExtractor15background_loadEv
00018330 W _ZN6shibsp15GSSAPIExtractorD0Ev
00018130 W _ZN6shibsp15GSSAPIExtractorD1Ev
00016500 T
_ZN6shibsp19GSSAPIExtractorImplC1EPKN11xercesc_3_110DOMElementERN7log4cpp8CategoryE
00016560 T
_ZN6shibsp19GSSAPIExtractorImplC2EPKN11xercesc_3_110DOMElementERN7log4cpp8CategoryE
00016810 T
_ZN6shibsp22GSSAPIExtractorFactoryERKPKN11xercesc_3_110DOMElementE
00018a80 W
_ZNK6shibsp15GSSAPIExtractor15getAttributeIdsERSt6vectorISsSaISsEE
00017580 T
_ZNK6shibsp15GSSAPIExtractor17extractAttributesERKNS_11ApplicationEPKN8opensaml7saml2md14RoleDescriptorERKN10xmltooling9XMLObjectERSt6vectorIPNS_9AttributeESaISF_EE
00016990 T
_ZNK6shibsp19GSSAPIExtractorImpl17extractAttributesEP15gss_name_structP22gss_buffer_desc_structRSt6vectorIPNS_9AttributeESaIS7_EE
000174b0 T
_ZNK6shibsp19GSSAPIExtractorImpl17extractAttributesEP15gss_name_structRSt6vectorIPNS_9AttributeESaIS5_EE
00017b40 W
_ZNSt8_Rb_treeISsSt4pairIKSsN6shibsp19GSSAPIExtractorImpl4RuleEESt10_Select1stIS5_ESt4lessISsESaIS5_EE8_M_eraseEPSt13_Rb_tree_nodeIS5_E
00024700 V _ZTCN6shibsp15GSSAPIExtractorE0_NS_18AttributeExtractorE
00024740 V _ZTCN6shibsp15GSSAPIExtractorE4_N10xmltooling17ReloadableXMLFileE
000247a0 V _ZTIN6shibsp15GSSAPIExtractorE
0001fe8b V _ZTSN6shibsp15GSSAPIExtractorE
000246d8 V _ZTTN6shibsp15GSSAPIExtractorE
00024660 V _ZTVN6shibsp15GSSAPIExtractorE
000165c0 T _ZThn4_N6shibsp15GSSAPIExtractor15background_loadEv
00018320 W _ZThn4_N6shibsp15GSSAPIExtractorD0Ev
00018120 W _ZThn4_N6shibsp15GSSAPIExtractorD1Ev
00018310 W _ZTv0_n12_N6shibsp15GSSAPIExtractorD0Ev
00018110 W _ZTv0_n12_N6shibsp15GSSAPIExtractorD1Ev
0001f304 r _ZZ25xmltooling_extension_initE11_GSSAPIName
0001f2e8 r _ZZ25xmltooling_extension_initE14_GSSAPIContext
0001fea6 r
_ZZNK6shibsp15GSSAPIExtractor17extractAttributesERKNS_11ApplicationEPKN8opensaml7saml2md14RoleDescriptorERKN10xmltooling9XMLObjectERSt6vectorIPNS_9AttributeESaISF_EEE11_GSSAPIName
0001febc r
_ZZNK6shibsp15GSSAPIExtractor17extractAttributesERKNS_11ApplicationEPKN8opensaml7saml2md14RoleDescriptorERKN10xmltooling9XMLObjectERSt6vectorIPNS_9AttributeESaISF_EEE14_GSSAPIContext
U gss_delete_sec_context@@gssapi_krb5_2_MIT
U gss_get_name_attribute@@gssapi_krb5_2_MIT
U gss_import_name@@gssapi_krb5_2_MIT
U gss_import_sec_context@@gssapi_krb5_2_MIT
U gss_inquire_context@@gssapi_krb5_2_MIT
U gss_inquire_name@@gssapi_krb5_2_MIT
U gss_release_buffer@@gssapi_krb5_2_MIT
U gss_release_buffer_set@@gssapi_krb5_2_MIT
U gss_release_name@@gssapi_krb5_2_MIT
Regards,
Alejandro
> HI Alejandro & co,
>
> I have at tome point been fighting with similar issues. First of all, what I found really helpful was to use the native.logger in shibboleth.xml and configuring log4j.rootCategory=DEBUG in the native.logger configuration file.
>
> Nowadays I always use gss-server and gss-client for testing. With the native logger set to debug, the gss-server prints a ton of information about what shibboleth actually does. After I realized this, my life got much easier.
>
> In my current setup (based on debian live DVD) I don't map any radius attributes to the local-login-user. At the moment I use the eppn as local-login-user. I got it working by commenting out the original eppn mapping from attribute-map and replacing it with.
>
> <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="local-login-user">
> <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
> </Attribute>
>
> With some quick testing, I can't seem to map the radius attributes either. I'm not sure if I'm missing something, or if something changed in the newer version.
>
> Cheers,
> Kalle
>
>
> ----- Original Message -----
> From: "Alejandro Perez Mendez" <[log in to unmask]>
> To: [log in to unmask]
> Sent: Monday, 17 June, 2013 6:43:03 PM
> Subject: Re: SSH and authorization
>
> Thank you Sam,
>
> I also tried that when I figured out it was required. Now, although
> plugins.so file is being loaded (according to strace), it is still not
> working. Probably I'm lacking some configuration option somewhere.
> Hopefully enabling log will provide me with further details.
>
> Regards,
> Alejandro
>
>
> El 17/06/13 17:39, Sam Hartman escribió:
>> Check your shibboleth.xml config and make sure you're loading the
>> plugins.so extension.
>> There was some discussion of that here within the last week.
>> Needed for GSS attributes but not SAML.
|