shib attributes missing & htaccess redirect issue in shib 2.6 system

Cantor, Scott cantor.2 at osu.edu
Mon Jun 12 09:21:15 EDT 2017


> We did the following steps for SHIB 2.6 upgrade:
> 
> 1. Compiled SHIBD with all the needed dependencies and also checked
> the configuration by running SHIBD -t. It displays “Overall configuration is
> loadable”.
> 
> 2. Then, we replaced the existing SHIBD 2.4 file with SHIBD 2.6 file (not
> sure this step is correct??) & added dependent libraries (like libsaml.so., etc.).

If you want to do a source build, then you need to use a standard make install target with all of the dependencies. You cannot manually move anything around or copy things.

> 6. Not receiving shib attributes from shibd to our app (interface b/w
> client to shibd & IDP). From IDP to shibd we are getting attributes.

shibd is an implementation detail. The Apache module is what controls content policy and exports data into the Apache request. Upgrading does not alter its behavior and the original configuration settings do the same thing after an upgrade.

> 7. On comparing the apache logs of SHIB2.4 & SHIB2.6 I found the below
> two entries are missing in SHIB 2.6 system: [debug] mod_apache.cpp(724):

Then the module isn't being applied to the requests; that's all up to the Apache configuration and AuthType/require rules you apply.

> HTACCESS redirect and shib_auth_checker process is not happening. Can you
> guys please help us in finding what is causing this issue. Your
> suggestion/advice will help us a lot …

You have to have changed the configuration, but in any case you need to try the Status and/or Session handlers to verify the module's working and seeing requests. I would have to have much more detail about what it's doing and what the logs say to guess at anything else. Offhand I would guess there was some set of options configured in a file you were oblivious to and that you threw away, not realizing that it contained the actual settings protecting the content.

If the request to the resource just passes through with no login redirect, then the module's not enabled or protecting that content.

-- Scott
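
As an added illustration of the reply above (not code from the thread or from the Shibboleth project), this Python sketch audits an Apache 2.4 config fragment for sections where the module is not applied, which is the pass-through case described. The sample config, its paths and the `audit` helper are constructed for the example, and it assumes flat, non-nested sections.

```python
import re
# Constructed Apache 2.4 fragment for illustration; paths and locations are made up.
SAMPLE_CONF = """
LoadModule mod_shib /usr/lib64/shibboleth/mod_shib_24.so
<Location /secure>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user
</Location>
<Location /app>
    # AuthType shibboleth
    Require all granted
</Location>
<Location /reports>
    AuthType shibboleth
</Location>
"""

OPEN = re.compile(r"<(?:Location|Directory|Files)(?:Match)?\s+([^>]+)>", re.I)
CLOSE = re.compile(r"</(?:Location|Directory|Files)(?:Match)?>", re.I)

def audit(conf_text):
    """Return (mod_shib_loaded, {section_path: [problems]}) for flat sections."""
    loaded, report, path, seen = False, {}, None, set()
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())          # trim and collapse whitespace
        if not line or line.startswith("#"):  # commented-out rules do not count
            continue
        low = line.lower()
        if OPEN.match(line):
            path, seen = OPEN.match(line).group(1).strip('"'), set()
        elif CLOSE.match(line) and path is not None:
            problems = []
            if "authtype" not in seen:
                problems.append("no 'AuthType shibboleth': module is not applied here")
            if "require" not in seen:
                problems.append("no Require rule that demands a user or session")
            report[path], path = problems, None
        elif low.startswith("loadmodule mod_shib "):
            loaded = True
        elif path is not None:
            if low == "authtype shibboleth":
                seen.add("authtype")
            elif low.startswith("require ") and low != "require all granted":
                seen.add("require")
    return loaded, report

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

A section with an empty problem list should answer an unauthenticated request with a login redirect; any other section is where the request passes straight through.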
