Comments for Debug blog http://blog.debug.cz Just another nerd gets his blog... Mon, 10 May 2010 08:11:28 +0000 http://wordpress.org/?v=2.9.1 hourly 1 Comment on Dokuwiki Shibboleth authentication backend by procaccia http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-57 procaccia Mon, 10 May 2010 08:11:28 +0000 http://blog.debug.cz/?p=76#comment-57 It's not a bug , neither a mis-configuration of the ACL. It's just a silly Carriage Return left at the end of the file pointed by $conf['auth']['shib']['customgroups_file'] that added a CR at the begening of every media :-( (0a FF D8 ....) instead of (FF D8 ....) I removed the CR at the end of my custom_group file, and now it works fine. It’s not a bug , neither a mis-configuration of the ACL.
It’s just a silly Carriage Return left at the end of the file pointed by $conf['auth']['shib']['customgroups_file'] that added a CR at the begening of every media :-(
(0a FF D8 ….) instead of (FF D8 ….)
I removed the CR at the end of my custom_group file, and now it works fine.

]]> Comment on Dokuwiki Shibboleth authentication backend by procaccia http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-56 procaccia Sun, 09 May 2010 10:22:29 +0000 http://blog.debug.cz/?p=76#comment-56 When shib plugin is enabled and you restrict acces to namespace with ACL, media files/images aren't anymore visible :-( I double check my ACL and file permissions, no way . is this a bug ? example user:* @shibusers 1 for example, when accessing doku.php?id=user:shibusers:dsi page which contains images, before installing shib plugins (with @user acl 1 access at that time !) images were visible to a logged in user (plain), as soon as I enable shib auth, page and group access works fine, but not for images :-( . please help. thanks . When shib plugin is enabled and you restrict acces to namespace with ACL, media files/images aren’t anymore visible :-(
I double check my ACL and file permissions, no way . is this a bug ?

example
user:* @shibusers 1

for example, when accessing doku.php?id=user:shibusers:dsi page which contains images, before installing shib plugins (with @user acl 1 access at that time !) images were visible to a logged in user (plain), as soon as I enable shib auth, page and group access works fine, but not for images :-( .

please help.
thanks .

]]> Comment on Dokuwiki Shibboleth authentication backend by micro http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-52 micro Tue, 09 Mar 2010 19:12:37 +0000 http://blog.debug.cz/?p=76#comment-52 you should put that part of the configuration in local.protected.php. When you save the settings in the admin panel, only local.php is modified. Thanks for the plugin! Regards, micro you should put that part of the configuration in local.protected.php.

When you save the settings in the admin panel, only local.php is modified.

Thanks for the plugin!

Regards,
micro

]]> Comment on Dokuwiki Shibboleth authentication backend by procaccia http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-50 procaccia Sun, 24 Jan 2010 09:07:58 +0000 http://blog.debug.cz/?p=76#comment-50 Sorry, I finally found the problem enable debug helped a lot, thanks for that fonctionnality The problem comes from the admin page (id=start&do=admin&page=config), when I edit config from the admin web interface of dokuwiki, it rewrites the config, but wrongly for entitlement_groups :-( original: $conf['auth']['shib']['entitlement_groups'] = array( 'student' => 'student', 'member' => 'member', 'invite' => 'invite', 'employee' => 'employee' ); had been rewriten to #$conf['auth']['shib']['entitlement_groups'] = 'array( \'student\' => \'student\', \'invite\' => \'invite\', \'member\' => \'member\' \'employee\' => \'employee\' )'; which seems to be syntaxly wrong regarding debug message: [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] entitlement groups not configured [Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n )\n\n)\n now I have that I reset the ['entitlement_groups'] = array(... in multiple lines manually in local.php, I have no more the "entitlement groups not configured" error in apache error_log, and "invite" shib group is now set :-): [Thu Jan 07 22:28:36 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n [2] => invite\n )\n\n)\n I've checked ACL based on those shib group (?do=check also confirm that it is set), everything seems fine, I'll post that positive experience on your blog when all my test will be concluant. Thanks again for that wonderfull and powerfull plugin ! Sorry, I finally found the problem
enable debug helped a lot, thanks for that fonctionnality
The problem comes from the admin page (id=start&do=admin&page=config), when I edit config from the admin web interface of dokuwiki, it rewrites the config, but wrongly for entitlement_groups :-(

original:
$conf['auth']['shib']['entitlement_groups'] = array(
’student’ => ’student’,
‘member’ => ‘member’,
‘invite’ => ‘invite’,
‘employee’ => ‘employee’
);

had been rewriten to

#$conf['auth']['shib']['entitlement_groups'] = ‘array( \’student\’ => \’student\’, \’invite\’ => \’invite\’, \’member\’ => \’member\’ \’employee\’ => \’employee\’ )’;
which seems to be syntaxly wrong regarding debug message:

[Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] entitlement groups not configured
[Thu Jan 07 22:23:38 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n )\n\n)\n

now I have that I reset the ['entitlement_groups'] = array(… in multiple lines manually in local.php, I have no more the “entitlement groups not configured” error in apache error_log, and “invite” shib group is now set :-) :
[Thu Jan 07 22:28:36 2010] [error] [client 82.230.31.137] Array\n(\n [uid] => Procaccia\n [name] => Procaccia\n [mail] => procacci@enst.fr\n [grps] => Array\n (\n [0] => shibusers\n [1] => intraIT\n [2] => invite\n )\n\n)\n

I’ve checked ACL based on those shib group (?do=check also confirm that it is set), everything seems fine, I’ll post that positive experience on your blog when all my test will be concluant.

Thanks again for that wonderfull and powerfull plugin !

]]> Comment on Dokuwiki Shibboleth authentication backend by entitlement_groups http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-49 entitlement_groups Wed, 06 Jan 2010 18:04:28 +0000 http://blog.debug.cz/?p=76#comment-49 finally, allocating dynamically groups based on shib attributes value does'nt seem to work :-( I did a wrong test with too much open ACL in my previous post. Now I checked again with a better test, and it doesn't work as expected. I use the ?do=check option on the page I want to check ACL, and now I can clearly see that I am not in the expected groups . ?do=check on the start page after logged in with shib and a username that has "employee" for var_entitlement value only gives me: "You are part of the groups allusers" not the expected additional group "employee" :-( as programmed in $conf['auth']['shib']['entitlement_groups'] = array( ’student’ => ’student’, ‘employee’ => ‘employee’, ‘member’ => ‘member’ ); did I missed something ? I also read that all users not connected with 'plain' auth aren't in @user group which is supposed to group all connected users it's quite ambarasing, any help greatly appreciated . Regards . finally, allocating dynamically groups based on shib attributes value does’nt seem to work :-(
I did a wrong test with too much open ACL in my previous post.
Now I checked again with a better test, and it doesn’t work as expected.
I use the ?do=check option on the page I want to check ACL, and now I can clearly see that I am not in the expected groups .
?do=check on the start page after logged in with shib and a username that has “employee” for var_entitlement value only gives me:
“You are part of the groups allusers”
not the expected additional group “employee” :-(
as programmed in
$conf['auth']['shib']['entitlement_groups'] = array(
’student’ => ’student’,
‘employee’ => ‘employee’,
‘member’ => ‘member’
);

did I missed something ?
I also read that all users not connected with ‘plain’ auth aren’t in @user group which is supposed to group all connected users
it’s quite ambarasing, any help greatly appreciated .

Regards .

]]> Comment on Dokuwiki Shibboleth authentication backend by procaccia http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-48 procaccia Thu, 26 Nov 2009 16:18:01 +0000 http://blog.debug.cz/?p=76#comment-48 forget my request about howto allocate dynamic groups with shib I found it myself, the example with URL mislead me ... here's how I use it now with success: # 'var_entitlement' - The name of the attribute containing the user entitlement (eduPersonEntitlement) $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation'; # 'entitlement_groups' - maps entitlements to user groups, 'var_entitlement' must be set $conf['auth']['shib']['entitlement_groups'] = array( 'student' => 'student', 'employee' => 'employee', 'member' => 'member' ); in my use case with edupersonAffiliation, when shibboleth retrieve user's edupersonnAffiliation attribute (rewrote to unscoped-affiliation here) if he is a student he gets affected in the "student" dokuwiki group . That works like a charm, very clever ! thanks again for your contribution to dokuwiki & shibboleth . regards . forget my request about howto allocate dynamic groups with shib
I found it myself, the example with URL mislead me …
here’s how I use it now with success:
# ‘var_entitlement’ – The name of the attribute containing the user entitlement (eduPersonEntitlement)
$conf['auth']['shib']['var_entitlement'] = ‘unscoped-affiliation’;

# ‘entitlement_groups’ – maps entitlements to user groups, ‘var_entitlement’ must be set
$conf['auth']['shib']['entitlement_groups'] = array(
’student’ => ’student’,
‘employee’ => ‘employee’,
‘member’ => ‘member’
);

in my use case with edupersonAffiliation, when shibboleth retrieve user’s edupersonnAffiliation attribute (rewrote to unscoped-affiliation here)
if he is a student he gets affected in the “student” dokuwiki group .
That works like a charm, very clever !
thanks again for your contribution to dokuwiki & shibboleth .

regards .

]]> Comment on Dokuwiki Shibboleth authentication backend by Robert Kelly http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-47 Robert Kelly Wed, 25 Nov 2009 18:32:28 +0000 http://blog.debug.cz/?p=76#comment-47 Hello Ivan, I just wanted to say thanks for your Shibboleth plugins for Dokuwiki. Great work! I'm using both the auth and login plugins and I only had one issue which I thought I'd let you know about. Clicking the logout button did not work for me. I'm new to Dokuwiki, especially its internals, but I managed to get it working by adding an exit() at the end of the logOff() function. (Saw it used in another auth plugin) I'm not sure if that is the correct way of making it work, but, it worked for me. It seems to prevent Dokuwiki from sending its own redirect. Thanks again, Rob Hello Ivan,
I just wanted to say thanks for your Shibboleth plugins for Dokuwiki.
Great work!
I’m using both the auth and login plugins and I only had one issue which I thought I’d let you know about.
Clicking the logout button did not work for me.
I’m new to Dokuwiki, especially its internals, but I managed to get it working by adding an exit() at the end of the logOff() function. (Saw it used in another auth plugin)
I’m not sure if that is the correct way of making it work, but, it worked for me.
It seems to prevent Dokuwiki from sending its own redirect.

Thanks again,
Rob

]]> Comment on Dokuwiki Shibboleth authentication backend by procaccia http://blog.debug.cz/shibboleth/dokuwiki-shibboleth-authentication-backend/comment-page-1#comment-46 procaccia Wed, 25 Nov 2009 15:05:42 +0000 http://blog.debug.cz/?p=76#comment-46 hello, thank you for this great shibboleth-dikuwiki plugin. It works fine for me for authenticating. For autorisation I have doubt on how to use var_entitlement to map dokuwiki groups !? here's what I did in local.php # 'var_entitlement' - The name of the attribute containing the user entitlement (eduPersonEntitlement) $conf['auth']['shib']['var_entitlement'] = 'unscoped-affiliation'; But I can't figure out how to use entitlement_groups # 'entitlement_groups' - maps entitlements to user groups, 'var_entitlement' must be set #$conf['auth']['shib']['entitlement_groups'] = array( # 'https://www.example.org/special' => 'special_group', # 'https://www.example.org/internal' => 'internal_group' #); here my unscoped-affiliation attributes conains values from edupersonAffiliation (faculty, member, employee, student ...) , how can I generate associated dokuwiki groups ? Thanks . hello,
thank you for this great shibboleth-dikuwiki plugin.
It works fine for me for authenticating.
For autorisation I have doubt on how to use var_entitlement to map dokuwiki groups !?
here’s what I did in local.php

# ‘var_entitlement’ – The name of the attribute containing the user entitlement (eduPersonEntitlement)
$conf['auth']['shib']['var_entitlement'] = ‘unscoped-affiliation’;

But I can’t figure out how to use entitlement_groups
# ‘entitlement_groups’ – maps entitlements to user groups, ‘var_entitlement’ must be set
#$conf['auth']['shib']['entitlement_groups'] = array(
# ‘https://www.example.org/special’ => ’special_group’,
# ‘https://www.example.org/internal’ => ‘internal_group’
#);

here my unscoped-affiliation attributes conains values from edupersonAffiliation (faculty, member, employee, student …) , how can I generate associated dokuwiki groups ?

Thanks .

]]>