[openstack-dev] Need help in configuring keystone
Akshik DBK
akshik at outlook.com
Wed Mar 4 09:45:47 UTC 2015
Hi Steve,
here are the log details
==> /var/log/shibboleth/shibd.log <==2015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.12015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.32015-03-04 14:36:05 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.202015-03-04 14:36:05 INFO Shibboleth.SessionCache [2]: new session created: ID (_ee18a916d4e7e7adbc34f55c010695a4) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
==> /var/log/keystone/keystone-apache-error.log <==[Wed Mar 04 14:36:05 2015] [info] Subsequent (No.8) HTTPS request received for child 7 (server 10.1.193.250:5000)[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.9) HTTPS request received for child 7 (server 10.1.193.250:5000)
==> /var/log/shibboleth/shibd.log <==2015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:0.9.2342.19200300.100.1.12015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.42015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.32015-03-04 14:36:09 INFO Shibboleth.AttributeExtractor.XML [2]: skipping unmapped SAML 2.0 Attribute with Name: urn:oid:2.5.4.202015-03-04 14:36:09 INFO Shibboleth.SessionCache [2]: new session created: ID (_10d6c414a9f198b6601b5d4f36a9057a) IdP (https://idp.testshib.org/idp/shibboleth) Protocol(urn:oasis:names:tc:SAML:2.0:protocol) Address (121.243.33.212)
==> /var/log/keystone/keystone-apache-error.log <==[Wed Mar 04 14:36:09 2015] [info] Subsequent (No.10) HTTPS request received for child 7 (server 10.1.193.250:5000)[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] (70007)The timeout specified has expired: SSL input filter read failed.[Wed Mar 04 14:36:14 2015] [info] [client 121.243.33.212] Connection closed to child 7 with standard shutdown (server 10.1.193.250:5000)
To: openstack-dev at lists.openstack.org
From: stevemar at ca.ibm.com
Date: Wed, 4 Mar 2015 03:04:52 -0500
Subject: Re: [openstack-dev] Need help in configuring keystone
What do the keystone logs indicate?
Steve
Akshik DBK <akshik at outlook.com> wrote on 03/04/2015
02:18:47 AM:
> From: Akshik DBK <akshik at outlook.com>
> To: OpenStack Development Mailing List not for
usage questions
> <openstack-dev at lists.openstack.org>
> Date: 03/04/2015 02:25 AM
> Subject: Re: [openstack-dev] Need help in configuring
keystone
>
> Hi Marek,
>
> I tried with the auto-generated shibboleth2.xml, just added the
> application override attribute, now im stuck with looping issue,
>
> when i access v3/OS-FEDERATION/identity_providers/idp_2/protocols/
> saml2/auth for the first time it is prompting for username and
> password once provided it goes on loop.
>
> i could see session generated https://115.112.68.53:5000/
> Shibboleth.sso/Session
> Miscellaneous
> Client Address: 121.243.33.212
> Identity Provider: https://idp.testshib.org/idp/shibboleth
> SSO Protocol: urn:oasis:names:tc:SAML:2.0:protocol
> Authentication Time: 2015-03-04T06:44:41.625Z
> Authentication Context Class: urn:oasis:names:tc:SAML:2.
> 0:ac:classes:PasswordProtectedTransport
> Authentication Context Decl: (none)
> Session Expiration (barring inactivity): 479 minute(s)
>
> Attributes
> affiliation: Member at testshib.org;Staff at testshib.org
> entitlement: urn:mace:dir:entitlement:common-lib-terms
> eppn: myself at testshib.org
> persistent-id: https://idp.testshib.org/idp/shibboleth!https://115.
> 112.68.53/shibboleth!4Q6X4dS2MRhgTZOPTuL9ubMAcIM=
> unscoped-affiliation: Member;Staff
> here are my config files,
> <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config"
> xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" clockSkew="1800">
> <ApplicationDefaults entityID="https://115.112.68.53/shibboleth"
> REMOTE_USER="eppn">
> <Sessions lifetime="28800"
timeout="3600"
> checkAddress="false" relayState="ss:mem" handlerSSL="true"
> handlerSSL="true" cookieProps="; path=/; secure">
>
> <SSO entityID="https://idp.testshib.org/idp/shibboleth">
>
SAML2 SAML1
> </SSO>
>
> <Logout>SAML2 Local</Logout>
>
> <Handler type="MetadataGenerator"
Location="/Metadata"
> signing="false"/>
> <Handler
type="Status" Location="/Status"/>
> <Handler
type="Session" Location="/Session"
> showAttributeValues="true"/>
> <Handler
type="DiscoveryFeed" Location="/DiscoFeed"/>
> </Sessions>
>
> <Errors supportContact="root at localhost"
logoLocation="/
> shibboleth-sp/logo.jpg" styleSheet="/shibboleth-sp/main.css"/>
> <MetadataProvider
type="XML" uri="https://www.testshib.org/
> metadata/testshib-providers.xml"
> backingFilePath="/tmp/testshib-two-idp-metadata.xml"
> reloadInterval="180000"
/>
> <AttributeExtractor
type="XML" validate="true"
> path="attribute-map.xml"/>
> <AttributeResolver
type="Query" subjectMatch="true"/>
> <AttributeFilter
type="XML" validate="true" path="attribute-
> policy.xml"/>
> <CredentialResolver
type="File" key="sp-key.pem"
> certificate="sp-cert.pem"/>
> <ApplicationOverride
id="idp_2" entityID="https://115.112.
> 68.53/shibboleth">
> <!--Sessions
lifetime="28800" timeout="3600" checkAddress="false"
> relayState="ss:mem"
handlerSSL="false"-->
> <Sessions
lifetime="28800" timeout="3600" checkAddress="false"
> relayState="ss:mem"
handlerSSL="true" cookieProps=";
> path=/; secure">
>
> <!-- Triggers a login
request directly to the TestShib IdP. -->
> <SSO
entityID="https://idp.testshib.org/idp/shibboleth"
> ECP="true">
>
SAML2 SAML1
> </SSO>
> <Logout>SAML2
Local</Logout>
> </Sessions>
> <MetadataProvider
type="XML" uri="https://
> www.testshib.org/metadata/testshib-providers.xml"
> backingFilePath="/tmp/testshib-two-idp-metadata.xml"
> reloadInterval="180000"
/>
> </ApplicationOverride>
> </ApplicationDefaults>
> <SecurityPolicyProvider type="XML"
validate="true"
> path="security-policy.xml"/>
> <ProtocolProvider type="XML"
validate="true"
> reloadChanges="false" path="protocols.xml"/>
> </SPConfig>
>
> keystone-httpd
> WSGIDaemonProcess keystone user=keystone group=nogroup
processes=3 threads=10
> #WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/
> protocols/.*?/auth)$ /var/www/keystone/main/$1
> WSGIScriptAliasMatch ^(/v3/OS-FEDERATION/identity_providers/.*?/
> protocols/.*?/auth)$ /var/www/cgi-bin/keystone/main/$1
>
> <VirtualHost *:5000>
> LogLevel info
> ErrorLog /var/log/keystone/keystone-apache-error.log
> CustomLog /var/log/keystone/ssl_access.log
combined
> Options +FollowSymLinks
>
> SSLEngine on
> #SSLCertificateFile
/etc/ssl/certs/mycert.pem
> #SSLCertificateKeyFile
/etc/ssl/private/mycert.key
> SSLCertificateFile
/etc/apache2/ssl/server.crt
> SSLCertificateKeyFile
/etc/apache2/ssl/server.key
> SSLVerifyClient optional
> SSLVerifyDepth 10
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLOptions +StdEnvVars
+ExportCertData
>
> WSGIScriptAlias / /var/www/cgi-bin/keystone/main
> WSGIProcessGroup keystone
> </VirtualHost>
>
> <VirtualHost *:35357>
> LogLevel info
> ErrorLog /var/log/keystone/keystone-apache-error.log
> CustomLog /var/log/keystone/ssl_access.log
combined
> Options +FollowSymLinks
>
> SSLEngine on
>
> SSLEngine on
> #SSLCertificateFile
/etc/ssl/certs/mycert.pem
> #SSLCertificateKeyFile
/etc/ssl/private/mycert.key
> SSLCertificateFile
/etc/apache2/ssl/server.crt
> SSLCertificateKeyFile
/etc/apache2/ssl/server.key
> SSLVerifyClient optional
> SSLVerifyDepth 10
> SSLProtocol all -SSLv2
> SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
> SSLOptions +StdEnvVars
+ExportCertData
>
> WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
> WSGIProcessGroup keystone
> </VirtualHost>
>
> wsgi-keystone
> WSGIScriptAlias /keystone/main /var/www/cgi-bin/keystone/main
> WSGIScriptAlias /keystone/admin /var/www/cgi-bin/keystone/admin
>
> <Location "/keystone">
> # NSSRequireSSL
> SSLRequireSSL
> Authtype none
> </Location>
>
> <Location /Shibboleth.sso>
> # SetHandler shib
> Require all granted
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_1/protocols/saml2/auth>
> ShibRequestSetting requireSession
1
> ShibRequestSetting applicationId
idp_1
> AuthType shibboleth
> ShibRequireAll On
> ShibRequireSession On
> ShibExportAssertion Off
> Require valid-user
> </Location>
>
> <Location /v3/OS-FEDERATION/identity_providers/idp_2/protocols/saml2/auth>
> ShibRequestSetting requireSession
1
> ShibRequestSetting applicationId
idp_2
> AuthType shibboleth
> ShibRequireAll On
> ShibRequireSession On
> ShibExportAssertion Off
> Require valid-user
> </Location>
>
> Regards,
> Akshik
>
> > Date: Mon, 2 Mar 2015 12:03:18 +0100
> > From: marek.denis at cern.ch
> > To: openstack-dev at lists.openstack.org
> > Subject: Re: [openstack-dev] Need help in configuring keystone
> >
> > Akshik,
> >
> > When you are beginning an adventure with saml, shibboleth and
so on,
> > it's helpful to start with fetching auto-generated shibboleth2.xml
file
> > from testshib.org . This should cover most of your use-cases,
at least
> > in the testing environment.
> >
> > Marek
> >
> >
> >
> > __________________________________________________________________________
> > OpenStack Development Mailing List (not for usage questions)
> > Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150304/094dc580/attachment.html>
More information about the OpenStack-dev
mailing list