Shibboleth authentication adapter for the Zend Framework

I have been running some sites under a Shibboleth Service Provider for quite a long time. In some cases I had to modify applications written in PHP so that they could use Shibboleth authentication. But now I have reached the point where I had to implement Shibboleth authentication in my own application. Since I have been using Zend Framework for years, the natural way to achieve that was to implement a Shibboleth authentication adapter for the Zend_Auth component.

Actually, the task is quite simple, because the Shibboleth SP has already authenticated the user and exports the user’s attributes into the web server environment; the adapter only has to read them. One caveat: the adapter must take the attributes from the environment variables set by the SP (or from request headers only where the SP sits in front of the application and clears them), because a client can send arbitrary HTTP headers of its own. The only “challenge” is to make the adapter as generic and flexible as possible, so that it can be deployed in various environments and applications. The configuration options for the adapter mostly specify the names of the attributes containing the relevant information and, optionally, a mapping between the attribute names and local names. Typical usage:

$auth = Zend_Auth::getInstance();

$authAdapter = new ShibbolethAdapter(array(
        'identityVar' => 'id',          // local name of the attribute used as the identity
        'attrMap' => array(             // Shibboleth attribute name => local name
            'uid' => 'id', 
            'cn' => 'name',
            'mail' => 'email'
        )
));

$result = $auth->authenticate($authAdapter);
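The adapter behind that call can be quite short. What follows is an added example written for this page, not the code from the original post: a Zend Framework 1 adapter implementing Zend_Auth_Adapter_Interface that accepts the configuration shown above. It assumes the SP exposes attributes as server variables under their Shibboleth names (uid, cn, mail) and sets Shib-Session-ID only inside an authenticated session; those names, the extra sessionVar and required options, and the sample environment at the end are assumptions to be aligned with the SP’s attribute-map.xml. The same environment-variable check is what the DokuWiki backend mentioned further down on this page has to perform.

```php
<?php
// Added example for this page; not the code from the original post.
// Assumes Zend Framework 1.x: Zend_Auth_Adapter_Interface and Zend_Auth_Result
// are loadable (e.g. via Zend_Loader_Autoloader). Attribute and session variable
// names are assumptions for a typical mod_shib setup; match them to attribute-map.xml.
class ShibbolethAdapter implements Zend_Auth_Adapter_Interface
{
    private $config;
    private $env;

    /**
     * Options:
     *   identityVar  local name of the attribute used as the identity
     *   attrMap      Shibboleth attribute name => local name
     *   sessionVar   variable the SP sets only inside an authenticated session
     *   required     local names that must be present and non-empty
     *
     * @param array $config
     * @param array $env    variable source; defaults to $_SERVER, injectable for tests
     */
    public function __construct(array $config = array(), array $env = null)
    {
        $this->config = array_merge(array(
            'identityVar' => 'uid',
            'attrMap'     => array(),
            'sessionVar'  => 'Shib-Session-ID',
            'required'    => array(),
        ), $config);
        $this->env = ($env === null) ? $_SERVER : $env;
    }

    public function authenticate()
    {
        // Only trust attributes inside a session the SP itself established. The
        // variables come from the server environment, not from client-supplied
        // headers, so a request that bypassed the SP simply has none of them.
        if (empty($this->env[$this->config['sessionVar']])) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE, null,
                array('No Shibboleth session present'));
        }

        // Map Shibboleth attribute names to local names. Values are kept as the
        // SP delivers them; multi-valued attributes arrive as ';'-separated strings.
        $attrs = array();
        foreach ($this->config['attrMap'] as $remote => $local) {
            if (isset($this->env[$remote]) && $this->env[$remote] !== '') {
                $attrs[$local] = $this->env[$remote];
            }
        }
        $identityVar = $this->config['identityVar'];
        if (!isset($attrs[$identityVar]) && !empty($this->env[$identityVar])) {
            // identityVar not covered by attrMap: read it under its own name
            $attrs[$identityVar] = $this->env[$identityVar];
        }

        // The identity and every required attribute must be present and non-empty.
        $missing = array();
        foreach (array_merge(array($identityVar), $this->config['required']) as $name) {
            if (!isset($attrs[$name]) || $attrs[$name] === '') {
                $missing[] = $name;
            }
        }
        if ($missing) {
            return new Zend_Auth_Result(Zend_Auth_Result::FAILURE_IDENTITY_NOT_FOUND, null,
                array('Missing attributes: ' . implode(', ', $missing)));
        }

        // Zend_Auth stores whatever identity is returned; the mapped attribute
        // set is convenient for the application (e.g. $identity['email']).
        return new Zend_Auth_Result(Zend_Auth_Result::SUCCESS, $attrs);
    }
}

// Usage with a constructed environment instead of $_SERVER, so the flow can be
// exercised without a live SP (values below are made up for the illustration):
$sampleEnv = array(
    'Shib-Session-ID' => '_abc123',
    'uid'  => 'jdoe',
    'cn'   => 'John Doe',
    'mail' => 'jdoe@example.org',
);
$adapter = new ShibbolethAdapter(array(
    'identityVar' => 'id',
    'attrMap'     => array('uid' => 'id', 'cn' => 'name', 'mail' => 'email'),
    'required'    => array('email'),
), $sampleEnv);
$result = Zend_Auth::getInstance()->authenticate($adapter);
if (!$result->isValid()) {
    throw new RuntimeException(implode('; ', $result->getMessages()));
}
```

In production the second constructor argument is left out so the adapter reads $_SERVER; the injectable source exists so the mapping and the missing-attribute path can be unit-tested without Apache and mod_shib.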


Simple horizontal text scrolling with Ext Core 3 (marquee replacement)

For one of my projects I needed to implement a line of scrolling text at the top or at the bottom of the browser window. One of the options was to use the non-standard marquee HTML element, which I rejected for obvious reasons. Plus, it didn’t work very well: the motion was not smooth and there were too few options to customize its behaviour. So I decided to implement the text scrolling using JavaScript.

There are plenty of code examples on the web. In fact, it’s fairly easy: you just need to update the text position using CSS properties. Since I’m used to the ExtJS framework, I wrote a simple class using the Ext Core 3 library. Actually I didn’t need the high-level features of ExtJS, but I wanted to take advantage of the cross-browser support, which is why I used the low-level Ext Core library.

Reliable hashes in PHP

Sometimes we need to maintain simple hashes, but at the same time we don’t want them to be cracked too easily. When a hash function is applied to a not too complex string (like a single word), there is a risk that the hash can be cracked using rainbow tables in a few minutes. Such tables are precomputed hash-to-plaintext lookups for common inputs, and they work because an unsalted hash of a given word is the same everywhere it is stored.
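As an added example (not the post’s own code), here is the usual countermeasure in PHP: a random per-hash salt plus an iterated key derivation, stored together with the digest and verified with a constant-time comparison. It assumes PHP 5.5 or newer for hash_pbkdf2() and openssl_random_pseudo_bytes() and 5.6 for hash_equals(); the stored-string format is ad hoc for the illustration. On PHP 5.5+ the built-in password_hash()/password_verify() pair does the same job with bcrypt and is the better choice for passwords; the explicit version is shown because it makes the salt and the iteration count visible.

```php
<?php
// Added example, not the original post's code. Requires PHP >= 5.6
// (hash_pbkdf2 and openssl_random_pseudo_bytes from 5.5, hash_equals from 5.6).

// Unsalted: every place that hashes the word "secret" stores the same value,
// so one precomputed table for sha256 over common words recovers all of them.
function unsalted_hash($secret)
{
    return hash('sha256', $secret);
}

// Salted and iterated. Stored form (ad hoc): pbkdf2-sha256$iterations$saltHex$digestHex
function make_hash($secret, $iterations = 100000)
{
    // 16 random bytes from a CSPRNG; refuse to continue with weak randomness.
    $salt = openssl_random_pseudo_bytes(16, $strong);
    if ($salt === false || !$strong) {
        throw new RuntimeException('No cryptographically strong randomness available');
    }
    $digest = hash_pbkdf2('sha256', $secret, $salt, $iterations, 32, true);
    return sprintf('pbkdf2-sha256$%d$%s$%s', $iterations, bin2hex($salt), bin2hex($digest));
}

function verify_hash($secret, $stored)
{
    $parts = explode('$', $stored);
    if (count($parts) !== 4 || $parts[0] !== 'pbkdf2-sha256') {
        return false;
    }
    list(, $iterations, $saltHex, $digestHex) = $parts;
    $digest = hash_pbkdf2('sha256', $secret, hex2bin($saltHex), (int) $iterations, 32, true);
    // Constant-time comparison: response time must not reveal how many bytes matched.
    return hash_equals(hex2bin($digestHex), $digest);
}

// Self-check on a constructed input.
$stored = make_hash('secret');
if (!verify_hash('secret', $stored) || verify_hash('Secret', $stored)) {
    throw new LogicException('verification does not behave as expected');
}
if ($stored === make_hash('secret')) {
    throw new LogicException('salt was not randomised: two hashes of the same word match');
}
echo "unsalted: ", unsalted_hash('secret'), PHP_EOL;
echo "salted:   ", $stored, PHP_EOL;
```

The two echo lines make the difference visible: the unsalted digest is a fixed value anyone can look up, while the salted one changes on every call and carries the parameters needed to verify it later, so the iteration count can be raised for new hashes without breaking old ones.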

Initializing objects from other objects in PHP

Sometimes we need to initialize an object based on another object. Typically, if we have a class MyClass and a subclass MyExtendedClass with some additional functionality, we may need to turn a MyClass object into a MyExtendedClass object. How can that be done easily in PHP?
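One way to do it, as an added example (this is not the solution from the original post): give the subclass a factory that creates an instance without running the constructor and copies the accessible properties over. It assumes PHP 5.4 or newer for ReflectionClass::newInstanceWithoutConstructor(); the two classes and their properties are invented for the illustration.

```php
<?php
// Added example, not the original post's code. Assumes PHP >= 5.4.
class MyClass
{
    public $name;
    protected $createdAt;
    private $token = 'only MyClass can see this';  // private: not visible to subclasses

    public function __construct($name)
    {
        $this->name = $name;
        $this->createdAt = time();
    }

    public function getCreatedAt()
    {
        return $this->createdAt;
    }
}

class MyExtendedClass extends MyClass
{
    public $extra = array();

    /**
     * Turn an existing MyClass instance into a MyExtendedClass without
     * re-running MyClass::__construct() (which could have side effects such
     * as opening connections or regenerating timestamps).
     */
    public static function fromObject(MyClass $source)
    {
        $reflection = new ReflectionClass(get_called_class());
        $target = $reflection->newInstanceWithoutConstructor();

        // get_object_vars() honours the calling scope: from inside a subclass it
        // returns the parent's public and protected properties but not its private
        // ones, so MyClass's private state stays behind. That is usually what you
        // want when the private member is a secret or a resource handle.
        foreach (get_object_vars($source) as $property => $value) {
            $target->$property = $value;
        }
        return $target;
    }

    public function addExtra($item)
    {
        $this->extra[] = $item;
        return $this;
    }
}

// Self-check on a constructed object.
$plain    = new MyClass('example');
$extended = MyExtendedClass::fromObject($plain)->addExtra('more');

if (!$extended instanceof MyExtendedClass
    || $extended->name !== 'example'
    || $extended->getCreatedAt() !== $plain->getCreatedAt()) {
    throw new LogicException('state was not carried over');
}
```

If the private properties of the parent must be copied as well, casting the source to an array ((array) $source) exposes them under name-mangled keys, but then the factory silently copies whatever the parent considered private, which is worth an explicit decision rather than a default.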


Fixed issues in Shibboleth IdP 2.1.0

There was an issue in the new Shibboleth IdP 2.1 release that caused some custom settings of the LDAP data connector to be ignored; specifically, the poolMaxSize, searchTimeLimit and maxResultSize attributes were affected. It has been fixed in the Subversion repository, but at this time no new release has been scheduled.

Building the IdP from source is very easy; just follow the instructions (at the bottom of the page). However, at this time there is still a small issue. Before running the “mvn -DskipTests install” command, open the java-idp-main/java-idp/pom.xml file and change the version of the shibboleth-common dependency from 1.1.0 to 1.1.1 in the dependency section; otherwise the older library is packaged instead of the fixed one.

Dokuwiki Shibboleth authentication backend

DokuWiki is a standards compliant, simple to use Wiki, mainly aimed at creating documentation of any kind. It is targeted at developer teams, workgroups and small companies. It has a simple but powerful syntax which makes sure the datafiles remain readable outside the Wiki and eases the creation of structured texts. All data is stored in plain text files – no database is required. (description taken from DokuWiki homepage)

The Shibboleth System is a standards based, open source software package for web single sign-on across or within organizational boundaries. It allows sites to make informed authorization decisions for individual access of protected online resources in a privacy-preserving manner.

Making DokuWiki authenticate through Shibboleth is fairly easy thanks to DokuWiki’s extensible authentication framework, which makes it simple to plug in different authentication backends. The Shibboleth backend itself only needs to check a few environment variables set by the SP and determine the user’s username and profile information from them.

You can get more information and download the backend at its homepage:

Dokuwiki Shibboleth Authentication Backend

Feel free to comment.

Queen + Paul Rodgers live in Prague, 2008

Ok, it’s not Queen, it’s Brian and Roger, technically half of the former Queen. It doesn’t really matter, since they carry the real Queen spirit. Paul Rodgers is not Freddie and never tried to be, although many people try to compare them. They cannot be compared. It’s clear that without Freddie, Queen will never be the band it was before. But that doesn’t mean they should retire. Both Brian and Roger are brilliant musicians and I think it’s totally OK that they go on with the show under the name of Queen. It’s something like when your beloved wife dies: you grieve for years, but finally you find the strength to live on and find another woman. It doesn’t mean you forgot the first one and it doesn’t mean that life with the second one will be the same. But it can be good too, though in another way.


Issues in Shibboleth IdP 2.1.0

There are some other issues in the new version of Shibboleth IdP. They may, however, be too specific to affect a wider audience.

Due to a bug, it is not possible to set the maximum number of results returned by the LDAP DataConnector. The value of the corresponding attribute, maxResultSize, is ignored and the default value of 1 is used instead:

https://bugs.internet2.edu/jira/browse/SIDP-246

Normally this is the desired behaviour: one result set per user. But in the case of a secondary connector used for gathering additional information, such as group membership, more results may be expected. So if you use such connectors, do not upgrade to 2.1.0 until there is a fix.

The second issue is rather small and affects only IdPs using the UsernamePassword authentication handler with a custom login page. The Java API has changed, so you need to replace all request.getParameter() calls with request.getAttribute() in your templates (login.jsp).

Shibboleth IdP 2.1 is out

A new version of the Shibboleth Identity Provider is available. It fixes a vulnerability in the UsernamePassword login handler and contains some new features as well. Obviously the new version was released in a hurry, because there are some issues with the installer: apparently it overwrites the old configuration even if the user answers no. A new installer is planned for the next release.


Intro

Some people have blogs just because they are famous, and people read them for the same reason. Other people got famous through their blogs, because they wrote about interesting and/or controversial things. And what am I blogging about? I, like many others, don’t really know, and I don’t really know if I’ll be able to write regularly. I guess I’ll have this blog mostly for myself and probably for a few people from my close surroundings. For a long time I planned to write about so many things: events from my life, ideas and achievements from my professional career (if any), or just things I stumble upon and find interesting enough to be shared (and probably commented on by me). And after years I’ll have some kind of a window back to those times. Now I regret I didn’t start earlier, but better late than never. And if some other people read it too, no harm done; it’ll be some kind of a bonus :) .