null principal in attribute resolver

Paul Hethmon paul.hethmon at clareitysecurity.com
Tue Nov 29 14:21:03 GMT 2011


Ok, as pointed out to me, Google is my friend:

The environment is composed of 2 nodes of which only one is responsible for authenticating. In front there is a balancer F5 bigip. There is no cluster.
I think the problem is related to the load, because in this period where the load is very low, the problem occurs rarely, and in any case I have never been able to replicate it despite the development and production environments being equal.
I can only send part of the log where I'm sure that it has occurred.

What is the purpose of 2 nodes if only one is doing authentication? How is only one doing authentication? Do you have enough load to require 2 nodes or is that strictly for redundancy? If not for load, can you turn off one node and does the problem persist? What type of load do you see and what type of machines?

--

Paul Hethmon
Chief Software Architect
Clareity Security, LLC
o) 865.824.1350
c) 865.250.3517
e) paul.hethmon at clareitysecurity.com


From: Daniele Russo <ruda76 at gmail.com>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Tue, 29 Nov 2011 15:04:52 +0100
To: Shibboleth Users <users at shibboleth.net>
Subject: Re: null principal in attribute resolver

The environment consists of 2 nodes, of which only one is responsible for authentication. In front there is an F5 bigip load balancer. There is no cluster.
I think the problem is related to the load, because in this period, when the load is very low, the problem occurs rarely, and in any case I have never managed to reproduce it even though the development and production environments are the same.
I can only send the part of the log where I am sure it occurred.

Thanks

2011/11/29 Paul Hethmon <paul.hethmon at clareitysecurity.com>
Yes, we need to see the error. You'll need to approximate the same steps in production. We have to see the complete log info for that request that does not work. It has to show the initial authentication request, the login itself, the attribute resolution, and the final saml response to the client. You might also provide some set up information about your production site. Whether you have multiple servers, load balancer, clustering in place, etc. All of those things matter.

--

Paul Hethmon
Chief Software Architect
Clareity Security, LLC
o) 865.824.1350
c) 865.250.3517
e) paul.hethmon at clareitysecurity.com


From: Daniele Russo <ruda76 at gmail.com>
Reply-To: Shibboleth Users <users at shibboleth.net>
Date: Tue, 29 Nov 2011 14:53:03 +0100
To: Shibboleth Users <users at shibboleth.net>
Subject: Re: null principal in attribute resolver

Hello Paul, this error does not occur to any request to login and above only in production environment.
I think you want to see the logs when this error occurs, or am I wrong?
Do you want me to follow your instructions anyway?

Thanks

2011/11/29 Paul Hethmon <paul.hethmon at clareitysecurity.com>
You need to follow these steps if you want any meaningful help:

1. Shut down the idp
2. Clear all logs
3. Turn on the idp
4. Wait until the idp fully starts, check the process.log
5. Do one login
6. Shut down the idp
7. Post the process.log file starting with the very first authentication request

You can look at the process.log file at step 4 and note the last line in it. Post everything past that point.

Paul



--
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net