null principal in attribute resolver
Daniele Russo
ruda76 at gmail.com
Wed Nov 30 14:07:44 GMT 2011
Hi Paul, sorry for my last message. Google is my friend too, but sometimes
I get the cut and paste wrong.
There are 2 nodes in the infrastructure for the problem with the load.
There are two applications, one PHP and one Java. The choice to authenticate
on a single node is to avoid problems with the IdP cookies. To overcome this
problem and use both nodes for authentication, on the balancer I had to use
the session continued, but it is a correct choice.
thanks
2011/11/29 Paul Hethmon <paul.hethmon at clareitysecurity.com>
> Ok, as pointed out to me, Google is my friend:
>
> The environment is composed of 2 nodes of which only one is responsible
> for authenticating. In front there is a balancer F5 bigip. There is no
> cluster.
> I think the problem is related to the load, because in this period where
> the load is very low, the problem occurs rarely and in any case have never
> been able to replicate despite the development and production environments
> are equal.
> I can only send part of the log where I'm sure that has occurred.
>
> What is the purpose of 2 nodes if only one is doing authentication? How
> is only one doing authentication? Do you have enough load to require 2
> nodes or is that strictly for redundancy? If not for load, can you turn off
> one node and does the problem persist? What type of load do you see and
> what type of machines?
>
> --
>
> Paul Hethmon
> Chief Software Architect
> Clareity Security, LLC
> o) 865.824.1350
> c) 865.250.3517
> e) paul.hethmon at clareitysecurity.com
>
>
> From: Daniele Russo <ruda76 at gmail.com>
> Reply-To: Shibboleth Users <users at shibboleth.net>
> Date: Tue, 29 Nov 2011 15:04:52 +0100
>
> To: Shibboleth Users <users at shibboleth.net>
> Subject: Re: null principal in attribute resolver
>
> The environment consists of 2 nodes, of which only one is responsible for
> authentication. In front there is an F5 bigip balancer. There is no cluster.
> I think the problem is related to the load, because in this period, when the
> load is very low, the problem occurs rarely, and in any case I have never
> managed to reproduce it even though the development and production
> environments are the same.
> I can only send the part of the log where I am sure it occurred.
>
> Thanks
>
> 2011/11/29 Paul Hethmon <paul.hethmon at clareitysecurity.com>
>
>> Yes, we need to see the error. You'll need to approximate the same
>> steps in production. We have to see the complete log info for that request
>> that does not work. It has to show the initial authentication request, the
>> login itself, the attribute resolution, and the final saml response to the
>> client. You might also provide some set up information about your
>> production site. Whether you have multiple servers, load balancer,
>> clustering in place, etc. All of those things matter.
>>
>> --
>>
>> Paul Hethmon
>> Chief Software Architect
>> Clareity Security, LLC
>> o) 865.824.1350
>> c) 865.250.3517
>> e) paul.hethmon at clareitysecurity.com
>>
>>
>> From: Daniele Russo <ruda76 at gmail.com>
>> Reply-To: Shibboleth Users <users at shibboleth.net>
>> Date: Tue, 29 Nov 2011 14:53:03 +0100
>>
>> To: Shibboleth Users <users at shibboleth.net>
>> Subject: Re: null principal in attribute resolver
>>
>> Hello Paul, this error does not occur to any request to login and above only
>> in production environment.
>>
>> I think you want to see the logs when this error occurs, or am I wrong?
>> Do you want me to follow your instructions anyway?
>>
>> Thanks
>>
>> 2011/11/29 Paul Hethmon <paul.hethmon at clareitysecurity.com>
>>
>>> You need to follow these steps if you want any meaningful help:
>>>
>>> 1. Shut down the idp
>>> 2. Clear all logs
>>> 3. Turn on the idp
>>> 4. Wait until the idp fully starts, check the process.log
>>> 5. Do one login
>>> 6. Shut down the idp
>>> 7. Post the process.log file starting with the very first authentication
>>> request
>>>
>>> You can look at the process.log file at step 4 and note the last line
>>> in it. Post everything past that point.
>>>
>>> Paul
>>>
>>>
>>>
>>> --
>>> To unsubscribe from this list send an email to
>>> users-unsubscribe at shibboleth.net
>>>