shibboleth-dev - Re: continuing oddities in origin installation
- From: Ryan Muldoon <>
- Subject: Re: continuing oddities in origin installation
- Date: 19 Jun 2003 11:53:43 -0500
Steven Carmody pointed out my problem - in resolver.xml, the scoped
attributes are commented out. I didn't notice that the comments
extended across the attributes. I'm going to file a bugzilla bug to
suggest that it be made clearer...even with just an inline message
noting that you need to uncomment things. Thanks everyone for all the
help. I'll try and get a target going today as well, and report on that
once I have something.
--Ryan
On Thu, 2003-06-19 at 11:16, Ryan Muldoon wrote:
> I did a clean installation of the 1.0 origin, downloading the new
> distributions this morning. However, I have the same problem as
> yesterday - I'm not releasing any attributes whatsoever. Here are the
> exact steps that I took to install:
>
> 1. I moved *all* old shibboleth directories to my home directory, so
> there was no code or configuration anywhere near tomcat. (everything in
> the webapps directory, as well as the normal shibboleth distribution
> stuff that is unpacked in /usr/local)
>
> 2. I killall -9'ed java, to stop tomcat.
> 3. I unpacked the shib origin distribution in /usr/local
> 4. I copied shibboleth.war to tomcat's webapps directory.
> 5. I restarted tomcat.
> 6. The war file unpacked to a directory, so to be sure that config stuff
> matched, I deleted the war file, to solely use the directory.
> 7. I updated resolver.xml to set the scope to "wisc.edu"
> 8. I configured origin.properties in a way that was consistent with what
> I had last week on a pre-1.0 build (which worked).
>
> Upon testing, I can get to the sample target, but it doesn't have any
> attributes for me.
>
> For completeness, here are the relevant files that could be affecting my
> release of attributes. Let me know if one of them is indicative of a
> misconfiguration. Thanks!
>
> resolver.xml:
> ------------
> <AttributeResolver xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns="urn:mace:shibboleth:resolver:1.0"
> xsi:schemaLocation="urn:mace:shibboleth:resolver:1.0
> shibboleth-resolver-1.0.xsd">
>
> <SimpleAttributeDefinition
> id="urn:mace:dir:attribute-def:eduPersonEntitlement">
> <DataConnectorDependency requires="echo"/>
> </SimpleAttributeDefinition>
>
> <SimpleAttributeDefinition
> id="urn:mace:dir:attribute-def:eduPersonAffiliation">
> <DataConnectorDependency requires="echo"/>
> </SimpleAttributeDefinition>
>
> <!-- To use these attributes, you should change the smartScope
> value to
> match your site's domain name.
> <SimpleAttributeDefinition
> id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
> smartScope="wisc.edu">
> <AttributeDependency
> requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
> </SimpleAttributeDefinition>
>
> <SimpleAttributeDefinition
> id="urn:mace:dir:attribute-def:eduPersonPrincipalName"
> smartScope="wisc.edu">
> <DataConnectorDependency requires="echo"/>
> </SimpleAttributeDefinition>
> -->
>
> <CustomDataConnector id="echo"
>
> class="edu.internet2.middleware.shibboleth.aa.attrresolv.provider.SampleConnector"
> />
>
> </AttributeResolver>
>
> ------------------
> origin.properties:
> ------------------
> ###################################################################################
> #
> # Handle Service Configuration
> #
> ###################################################################################
>
> ##### General Configuration #####
>
> # [Required] Name of this Handle Service (usually a dns name)
> edu.internet2.middleware.shibboleth.hs.HandleServlet.issuer = gari.doit.wisc.edu
>
> # [Required] The name of this origin site (a URI)
> edu.internet2.middleware.shibboleth.hs.HandleServlet.siteName = urn:mace:inqueue:wisc.edu
>
> # [Required] URL at which the corresponding Attribute Authority can be reached
> edu.internet2.middleware.shibboleth.hs.HandleServlet.AAUrl = https://gari.doit.wisc.edu/shibboleth/AA
>
> # [Optional] HTTP Request Header to get principal name from (defaults to REMOTE_USER)
> #edu.internet2.middleware.shibboleth.hs.HandleServlet.username = REMOTE_USER
>
> # [Optional] URI identifying the authentication mechanism that is used by the HS
> #edu.internet2.middleware.shibboleth.hs.HandleServlet.authMethod = urn:oasis:names:tc:SAML:1.0:am:password
>
> ##### Assertion Signing #####
>
> # [Required] Location of a Java keystore containing an X509 certificate
> # and matching key. Used to sign assertions made by this HS
> edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePath = /conf/keystore.jks
>
> # [Required] Password for the keystore
> edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStorePassword = mypassword
>
> # [Required] Keystore alias for the private key
> edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyAlias = hs
>
> # [Required] Password for the private key
> edu.internet2.middleware.shibboleth.hs.HandleServlet.keyStoreKeyPassword = mypassword
>
> # [Optional] Keystore alias for the X509 certificate (Defaults to the private key alias)
> edu.internet2.middleware.shibboleth.hs.HandleServlet.certAlias = hs
>
>
> ###################################################################################
> #
> # Attribute Authority Configuration
> #
> ###################################################################################
>
> ##### General Configuration #####
>
> # [Required] Name of this Attribute Authority (usually a dns name)
> edu.internet2.middleware.shibboleth.aa.AAServlet.authorityName = gari.doit.wisc.edu
>
> # [Optional] Set to true if the Attribute Authority should pass internal error messages to
> # the SHAR (for debugging purposes) (defaults to false)
> #edu.internet2.middleware.shibboleth.aa.AAServlet.passThruErrors = false
>
> ##### Attribute Resolution #####
>
> # [Optional] Attribute Resolver configuration (Defaults to /conf/resolver.xml)
> edu.internet2.middleware.shibboleth.aa.attrresolv.AttributeResolver.ResolverConfig = /conf/resolver.xml
>
> ##### Attribute Release Policies #####
>
> # [Required] Arp Repository Implementation
> edu.internet2.middleware.shibboleth.aa.arp.ArpRepository.implementation = edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository
>
> ### Parameters for edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository ###
>
> # [Required if active] Path from which Policies can be loaded
> edu.internet2.middleware.shibboleth.aa.arp.provider.FileSystemArpRepository.Path = /conf/arps/
>
> # [Optional] Time in seconds for which Release Policies should be cached
> # (Defaults to 0 or "no caching")
> edu.internet2.middleware.shibboleth.aa.arp.BaseArpRepository.ArpTTL = 300
>
>
> ###################################################################################
> #
> # Shared Configuration
> #
> ###################################################################################
>
> ##### Attribute Query Handle Repository #####
>
> # [Optional] Specifies an implementation to be used for the HS and AA to share AQHs (Defaults to Memory provider)
> edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository
> #edu.internet2.middleware.shibboleth.hs.HandleRepository.implementation = edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository
>
> ### Parameters for edu.internet2.middleware.shibboleth.hs.provider.MemoryHandleRepository ###
>
> # [Optional] Time in seconds for which issued AQHs are valid (Defaults to 1800 or 30 minutes)
> #edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1000
>
> ### Parameters for edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository ###
>
> # [Required if active] Location of a Java keystore containing a Triple DES secret key.
> # Used to encrypt the principal's identifiers
> #edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePath = /conf/handle.jks
>
> # [Required if active] Password for the keystore
> #edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStorePassword = shibhs
>
> # [Required if active] Keystore alias for the secret key
> #edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyAlias = handleKey
>
> # [Required if active] Password for the private key
> #edu.internet2.middleware.shibboleth.hs.provider.CryptoHandleRepository.keyStoreKeyPassword = shibhs
>
> # [Optional] Time in seconds for which issued AQHs are valid (Defaults to 1800 or 30 minutes)
> #edu.internet2.middleware.shibboleth.hs.BaseHandleRepository.handleTTL = 1000
>
> ##### Federation Configuration #####
>
> #[Optional] URI corresponding to the federation this origin operates under (defaults to the InQueue policy)
> edu.internet2.middleware.shibboleth.audiences = urn:mace:inqueue
>
> ----------
> arp.site.xml:
> ----------
>
> <?xml version="1.0" encoding="UTF-8"?>
> <AttributeReleasePolicy
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
> xmlns="urn:mace:shibboleth:arp:1.0"
> xsi:schemaLocation="urn:mace:shibboleth:arp:1.0 shibboleth-arp-1.0.xsd"
> >
> <Description>Simplest possible ARP.</Description>
> <Rule>
> <Target>
> <AnyTarget/>
> </Target>
> <Attribute
> name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
> <AnyValue release="permit"/>
> </Attribute>
> </Rule>
> </AttributeReleasePolicy>
>
> -------------
>
> sites.xml in webapps/shibboleth/ doesn't have wisconsin in there, but I
> don't think that it matters. Any ideas?
>
> --Ryan
>
>
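The failure described in this thread, as an added example that is not part of the original messages or the Shibboleth distribution: a Python check that lists attributes the ARP releases but for which resolver.xml has no active definition, and reports whether the definition is sitting inside an XML comment. The sample documents are constructed, shortened from the files quoted above, and the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

ARP_NS = "urn:mace:shibboleth:arp:1.0"
# Constructed samples, shortened from the files quoted in the message.
RESOLVER_XML = """<AttributeResolver xmlns="urn:mace:shibboleth:resolver:1.0">
  <SimpleAttributeDefinition id="urn:mace:dir:attribute-def:eduPersonAffiliation">
    <DataConnectorDependency requires="echo"/>
  </SimpleAttributeDefinition>
  <!-- To use these attributes, you should change the smartScope value to
       match your site's domain name.
  <SimpleAttributeDefinition
      id="urn:mace:dir:attribute-def:eduPersonScopedAffiliation"
      smartScope="wisc.edu">
    <AttributeDependency requires="urn:mace:dir:attribute-def:eduPersonAffiliation"/>
  </SimpleAttributeDefinition>
  -->
</AttributeResolver>"""

ARP_XML = """<AttributeReleasePolicy xmlns="urn:mace:shibboleth:arp:1.0">
  <Rule>
    <Target><AnyTarget/></Target>
    <Attribute name="urn:mace:dir:attribute-def:eduPersonScopedAffiliation">
      <AnyValue release="permit"/>
    </Attribute>
  </Rule>
</AttributeReleasePolicy>"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
DEF_ID_RE = re.compile(r'<\w*AttributeDefinition\s[^>]*?\bid\s*=\s*"([^"]+)"')

def active_definitions(resolver_xml):
    """ids of definitions the XML parser actually sees (comments are dropped)."""
    return {e.get("id") for e in ET.fromstring(resolver_xml).iter()
            if e.tag.endswith("AttributeDefinition") and e.get("id")}

def commented_definitions(resolver_xml):
    """ids of definitions that appear only as text inside <!-- ... --> blocks."""
    return {i for body in COMMENT_RE.findall(resolver_xml)
            for i in DEF_ID_RE.findall(body)}

def audit(resolver_xml, arp_xml):
    """(attribute, reason) for each ARP attribute with no active definition."""
    active, commented = active_definitions(resolver_xml), commented_definitions(resolver_xml)
    names = {a.get("name") for a in ET.fromstring(arp_xml).iter(f"{{{ARP_NS}}}Attribute")}
    return [(n, "commented out" if n in commented else "not defined")
            for n in sorted(names) if n not in active]

if __name__ == "__main__":
    for name, reason in audit(RESOLVER_XML, ARP_XML):
        print(f"{name}: released by ARP but {reason} in resolver.xml")
```
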