nginx-shib / nginx-http-shibboleth

Shibboleth auth request module for nginx
https://github.com/nginx-shib/nginx-http-shibboleth/wiki
209 stars, 27 forks

Unable to find shibauthorizer and shibresponder #36

Closed jkmuthusamy closed 4 years ago

jkmuthusamy commented 5 years ago

Could anyone please tell me why I'm unable to see shibauthorizer and shibresponder in /usr/lib64/shibboleth/?

I'm trying to establish SAML connectivity with NGINX-plus by using shibboleth.

I have installed shibboleth 3.0.4 and supervisord 4.0.4.

Initially, before changing the configuration in shibboleth2.xml, we were able to start shibboleth and supervisord without any errors.

Now I'm unable to find /usr/lib64/shibboleth/shibauthorizer and /usr/lib64/shibboleth/shibresponder.

Below are the related conf files. shibboleth2.xml:

<SPConfig xmlns="urn:mace:shibboleth:3.0:native:sp:config" xmlns:conf="urn:mace:shibboleth:3.0:native:sp:config" clockSkew="180">

<OutOfProcess tranLogFormat="%u|%s|%IDP|%i|%ac|%t|%attr|%n|%b|%E|%S|%SS|%L|%UA|%a" />
<RequestMapper type="XML">
<RequestMap>
    <Host name="https://d1l00313g.dc01.its.hpecorp.net"
          authType="shibboleth"
          requireSession="true"
          redirectToSSL="443">
        <Path name="/secure" />
        <Path name="/secure2/shibboleth" />

    </Host>

</RequestMap>

<!-- The ApplicationDefaults element is where most of Shibboleth's SAML bits are defined. -->
<ApplicationDefaults entityID="https://d1l00313g.dc01.its.hpecorp.net/shibboleth"
    REMOTE_USER="eppn subject-id pairwise-id persistent-id"
    cipherSuites="DEFAULT:!EXP:!LOW:!aNULL:!eNULL:!DES:!IDEA:!SEED:!RC4:!3DES:!kRSA:!SSLv2:!SSLv3:!TLSv1:!TLSv1.1">

    <!--
    Controls session lifetimes, address checks, cookie handling, and the protocol handlers.
    Each Application has an effectively unique handlerURL, which defaults to "/Shibboleth.sso"
    and should be a relative path, with the SP computing the full value based on the virtual
    host. Using handlerSSL="true" will force the protocol to be https. You should also set
    cookieProps to "https" for SSL-only sites. Note that while we default checkAddress to
    "false", this makes an assertion stolen in transit easier for attackers to misuse.
    -->
    <Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
              checkAddress="false" handlerSSL="false" cookieProps="http">

        <!--
        Configures SSO for a default IdP. To properly allow for >1 IdP, remove
        entityID property and adjust discoveryURL to point to discovery service.
        You can also override entityID on /Login query string, or in RequestMap/htaccess.
        -->
        <SSO entityID="https://login-itg.ext.hpe.com/shibboleth"
             discoveryProtocol="SAMLDS" discoveryURL="https://ds.example.org/DS/WAYF">
          SAML2
        </SSO>

        <!-- SAML and local-only logout. -->
        <Logout>SAML2 Local</Logout>

        <!-- Administrative logout. -->
        <LogoutInitiator type="Admin" Location="/Logout/Admin" acl="127.0.0.1 ::1" />

        <!-- Extension service that generates "approximate" metadata based on SP configuration. -->
        <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>

        <!-- Status reporting service. -->
        <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/>

        <!-- Session diagnostic service. -->
        <Handler type="Session" Location="/Session" showAttributeValues="false"/>

        <!-- JSON feed of discovery information. -->
        <Handler type="DiscoveryFeed" Location="/DiscoFeed"/>
    </Sessions>

    <!--
    Allows overriding of error template information/filenames. You can
    also add your own attributes with values that can be plugged into the
    templates, e.g., helpLocation below.
    -->
    <Errors supportContact="root@localhost"
        helpLocation="/about.html"
        styleSheet="/shibboleth-sp/main.css"/>

    <!-- Example of locally maintained metadata. -->

    <MetadataProvider type="XML" validate="true" file="itg_sp_nginx_metadata_uid.xml"/>

    <!-- Example of remotely supplied batch of signed metadata. -->
    <!--
    <MetadataProvider type="XML" validate="true"
                url="http://federation.org/federation-metadata.xml"
          backingFilePath="federation-metadata.xml" maxRefreshDelay="7200">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="fedsigner.pem" verifyBackup="false"/>
        <DiscoveryFilter type="Blacklist" matcher="EntityAttributes" trimTags="true"
          attributeName="http://macedir.org/entity-category"
          attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
          attributeValue="http://refeds.org/category/hide-from-discovery" />
    </MetadataProvider>
    -->

    <!-- Example of remotely supplied "on-demand" signed metadata. -->
    <!--
    <MetadataProvider type="MDQ" validate="true" cacheDirectory="mdq"
                baseUrl="http://mdq.federation.org" ignoreTransport="true">
        <MetadataFilter type="RequireValidUntil" maxValidityInterval="2419200"/>
        <MetadataFilter type="Signature" certificate="mdqsigner.pem" />
    </MetadataProvider>
    -->

    <!-- Map to extract attributes from SAML assertions. -->
    <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/>

    <!-- Default filtering policy for recognized attributes, lets other data pass. -->
    <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/>

    <!-- Simple file-based resolvers for separate signing/encryption keys. -->
    <CredentialResolver type="File"
        key="/opt/serviceproxy/conf/ssl/svcproxy-dev_key.pem" certificate="/opt/serviceproxy/conf/ssl/svcproxy-dev.pem"/>

</ApplicationDefaults>

<!-- Policies that determine how to process and authenticate runtime messages. -->
<SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/>

<!-- Low-level configuration about protocols and bindings available for use. -->
<ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/>

**Shibd is running fine. But I'm unable to run supervisord. Getting the below errors.**

Aug 15 12:56:22 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:22,407 INFO spawnerr: can't find comman
Aug 15 12:56:22 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:22,407 INFO Closing socket unix:///opt/
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,408 INFO Creating socket unix:///opt
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,409 INFO spawnerr: can't find comman
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,409 INFO Closing socket unix:///opt/
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,409 INFO Creating socket unix:///opt
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,410 INFO spawnerr: can't find comman
Aug 15 12:56:23 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:23,410 INFO Closing socket unix:///opt/
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,413 INFO Creating socket unix:///opt
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,413 INFO spawnerr: can't find comman
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,413 INFO Closing socket unix:///opt/
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,414 INFO Creating socket unix:///opt
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,414 INFO spawnerr: can't find comman
Aug 15 12:56:25 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:25,414 INFO Closing socket unix:///opt/
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,418 INFO Creating socket unix:///opt
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,419 INFO spawnerr: can't find comman
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,419 INFO Closing socket unix:///opt/
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,420 INFO gave up: shibauthorizer ent
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,420 INFO Creating socket unix:///opt
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,421 INFO spawnerr: can't find comman
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,421 INFO Closing socket unix:///opt/
Aug 15 12:56:28 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:56:28,421 INFO gave up: shibresponder ente
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net systemd[1]: supervisord.service start operation timed out. Terminating.
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net supervisord[23807]: 2019-08-15 12:57:51,572 WARN received SIGTERM indicating
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net systemd[1]: Failed to start Supervisor process control system for UNIX.
-- Subject: Unit supervisord.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel

-- Unit supervisord.service has failed.

-- The result is failed.
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net systemd[1]: Unit supervisord.service entered failed state.
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net systemd[1]: supervisord.service failed.
Aug 15 12:57:51 d1l00313g.dc01.its.hpecorp.net polkitd[6720]: Unregistered Authentication Agent for unix-process:23778:4301

Config files of Supervisord

supervisord.conf

; supervisor config file
[unix_http_server]
file=/var/run/supervisord/supervisor.sock
user=svcprx

[supervisord]
http_port=/var/run/supervisord/supervisor.sock;
logfile=/var/log/supervisor/supervisord.log ; (main log file;default $CWD/supervisord.log)
pidfile=/var/run/supervisord.pid ; (supervisord pidfile;default supervisord.pid)
childlogdir=/var/log/supervisor ; ('AUTO' child log dir, default $TEMP)
user=root

[rpcinterface:supervisor]
supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface

[supervisorctl]
serverurl=unix:///var/run/supervisor.sock ; use a unix:// URL for a unix socket

;[fcgi-program:shibauthorizer]
;command=/usr/lib64/shibboleth/shibauthorizer
;socket=unix:///opt/shibboleth/shibauthorizer.sock
;socket_owner=root:root
;socket_mode=0770
;user=root
;stdout_logfile=/var/log/supervisor/shibauthorizer.log
;stderr_logfile=/var/log/supervisor/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/usr/lib64/shibboleth/shibresponder
socket=unix:///opt/shibboleth/shibresponder.sock
socket_owner=root:root
socket_mode=0770
user=root
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log

[include]
files = /etc/supervisor/conf.d/*.conf

/etc/shibboleth/conf.d/shibd.conf

[fcgi-program:shibauthorizer]
command=/usr/lib64/shibboleth/shibauthorizer
socket=unix:///opt/shibboleth/shibauthorizer.sock
socket_owner=root:root
socket_mode=0770
user=root
stdout_logfile=/var/log/supervisor/shibauthorizer.log
stderr_logfile=/var/log/supervisor/shibauthorizer.error.log

[fcgi-program:shibresponder]
command=/usr/lib64/shibboleth/shibresponder
socket=unix:///opt/shibboleth/shibresponder.sock
socket_owner=root:root
socket_mode=0770
user=root
stdout_logfile=/var/log/supervisor/shibresponder.log
stderr_logfile=/var/log/supervisor/shibresponder.error.log

davidjb commented 5 years ago

Start by trying to execute the two FastCGI applications directly (e.g. as the same user configured in your supervisor config) and see if you get console output; it should indicate the request loop is starting and then exit when run directly. Beyond that, check permissions, SELinux and so on.

Also, running these applications as root isn't advisable; best to run them as a limited-access user like shibd (see https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst#running-the-fastcgi-authorizer-and-responder). You might also want to check your socket permissions too.

jkmuthusamy commented 5 years ago

Thanks David. But I'm unable to view both the executables, shibauthorizer and shibresponder, after the installation and even after rebuilding the Shibboleth RPM. What could be the cause of not being able to view those executables? Could anyone help on this? I'm using CentOS 7 on my server and nginx-plus is running!!!

davidjb commented 5 years ago

So when you say "unable to view", do you mean that the files don't exist on your filesystem or something else? What gets displayed if you run ls -la /usr/lib64/shibboleth/?

jkmuthusamy commented 5 years ago

Yes David. I'm getting "no such file or directory" for the above command which you mentioned.

davidjb commented 5 years ago

So in that case, since your installation of the Shibboleth SP doesn't have these applications present, it appears as though it wasn't built with FastCGI support. Check that out and refer to https://github.com/nginx-shib/shibboleth-fastcgi if you want a reference for how to rebuild the RPMs.

There's always the slight possibility that the file paths inside the RPM or build process might have changed, so if you spot anything like that which affects the build process, feel free to help create an issue over at https://github.com/nginx-shib/shibboleth-fastcgi/issues

renukeswarchinta commented 5 years ago

This is with reference to the previous comments given by Muthuswamy.
We are getting the below output for the command ls -la /usr/lib64/shibboleth/:

total 960
drwxr-xr-x.  2 root root    150 Jul 31 06:31 .
dr-xr-xr-x. 47 root root  36864 Aug  5 18:34 ..
-rwxr-xr-x.  1 root root 107048 Mar 26 02:35 adfs-lite.so
-rwxr-xr-x.  1 root root 161480 Mar 26 02:35 adfs.so
-rwxr-xr-x.  1 root root  57736 Mar 26 02:35 memcache-store.so
-rwxr-xr-x.  1 root root 137152 Mar 26 02:35 mod_shib_24.so
-rwxr-xr-x.  1 root root  90800 Mar 26 02:35 odbc-store.so
-rwxr-xr-x.  1 root root 110736 Mar 26 02:35 plugins-lite.so
-rwxr-xr-x.  1 root root 243272 Mar 26 02:35 plugins.so

We are missing only those 2 binaries (shibauthorizer and shibresponder). We did a re-installation but no luck; we are still missing those binaries. We are not able to find out how these files went missing when we ran the Shibboleth installer. Is there any workaround or way to solve this?

Thanks

davidjb commented 5 years ago

@renukeswarchinta Same advice as what I gave to @jkmuthusamy - check the package that you're installing, and ensure it was built with FastCGI support. It's important to note that FastCGI support is not a default build option for any downloads from shibboleth.net so you must be using your own custom built packages. In short, if you're just relying on the official Shibboleth repos to install packages, this is the issue.

As I mentioned before, you can take a look at https://github.com/nginx-shib/shibboleth-fastcgi for details on how to rebuild your own packages.
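A check script, added here as an example and not part of the nginx-http-shibboleth project or of any comment in this thread, that works through the advice in this comment and the earlier one: confirm the installed package actually ships the FastCGI applications, then check that they exist and are executable, that the socket directory belongs to the run-as user, that each application starts when run directly as that user, and what SELinux mode the host is in. The package name, paths and the "shibd" user are assumptions taken from the thread (CentOS 7, /usr/lib64/shibboleth, /opt/shibboleth); adjust them for your host.

```shell
#!/bin/sh
# Added example, not code from the nginx-http-shibboleth project: pre-flight
# checks for the Shibboleth SP FastCGI applications before handing them to
# supervisord. Package name, paths and the run-as user are assumptions taken
# from this thread (CentOS 7, package "shibboleth", /usr/lib64/shibboleth,
# socket directory /opt/shibboleth, unprivileged user "shibd").

SHIB_LIBDIR="${SHIB_LIBDIR:-/usr/lib64/shibboleth}"
SOCK_DIR="${SOCK_DIR:-/opt/shibboleth}"
RUN_AS="${RUN_AS:-shibd}"
PKG="${PKG:-shibboleth}"

# package_ships_fcgi: read an `rpm -ql`-style file list on stdin and succeed only
# if both FastCGI applications are listed. Stock shibboleth.net packages are
# built without FastCGI support, so a stock package fails here before anything
# on the filesystem is looked at.
package_ships_fcgi() {
    n=$(grep -cE '/shib(authorizer|responder)$' || true)
    [ "$n" -eq 2 ]
}

# check_fcgi_binary PATH: succeed if PATH is a regular, executable file.
check_fcgi_binary() {
    [ -f "$1" ] || { echo "MISSING: $1 (rebuild the SP with FastCGI support)" >&2; return 1; }
    [ -x "$1" ] || { echo "NOT EXECUTABLE: $1" >&2; return 1; }
}

# check_socket_dir DIR USER: succeed if DIR exists and is owned by USER. The
# FastCGI process has to use the socket supervisord creates in DIR, so a
# root-owned directory combined with a non-root worker is a common failure.
check_socket_dir() {
    [ -d "$1" ] || { echo "MISSING DIR: $1" >&2; return 1; }
    owner=$(ls -ld "$1" | awk '{print $3}')
    [ "$owner" = "$2" ] || { echo "OWNER: $1 is owned by $owner, expected $2" >&2; return 1; }
}

# run_as_user USER CMD: run CMD as USER for up to 5 seconds. Run from a
# terminal the application reports its request loop starting and then exits on
# its own (or is still looping when timeout fires, rc 124). A missing shared
# library, SELinux denial or permission problem shows up as rc 126/127 or a
# signal death (rc >= 128) with an error on stderr.
run_as_user() {
    timeout 5 runuser -u "$1" -- "$2"
    rc=$?
    case "$rc" in
        124) return 0 ;;
        126|127) return 1 ;;
        *) [ "$rc" -lt 128 ] ;;
    esac
}

preflight() {
    status=0
    if command -v rpm >/dev/null 2>&1; then
        rpm -ql "$PKG" 2>/dev/null | package_ships_fcgi ||
            { echo "package $PKG does not ship shibauthorizer/shibresponder" >&2; status=1; }
    fi
    for app in shibauthorizer shibresponder; do
        check_fcgi_binary "$SHIB_LIBDIR/$app" || status=1
    done
    check_socket_dir "$SOCK_DIR" "$RUN_AS" || status=1
    if [ "$status" -eq 0 ]; then
        for app in shibauthorizer shibresponder; do
            run_as_user "$RUN_AS" "$SHIB_LIBDIR/$app" ||
                { echo "FAILED: $app did not start cleanly as $RUN_AS" >&2; status=1; }
        done
    fi
    # Enforcing SELinux can block socket access even when Unix permissions look right.
    if command -v getenforce >/dev/null 2>&1; then
        echo "SELinux mode: $(getenforce)"
    fi
    return "$status"
}

if preflight; then
    echo "preflight OK"
else
    echo "preflight found problems, see messages above" >&2
fi
```

Run it as root once after installing the rebuilt package and once more after changing the supervisord config; the package check alone separates "the RPM was never built with FastCGI support" from "the binaries are there but cannot run as this user", which is the distinction this thread took several rounds to reach.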

renukeswarchinta commented 5 years ago

@davidjb After reinstallation we are able to see the responder and authorizer files. But when we try to start the services with the command 'supervisorctl restart shibauthorizer shibresponder' we are getting the below error:

Aug 22 02:00:55 d1l00313g supervisord: 2019-08-22 02:00:55,924 INFO supervisord started with pid 19271
Aug 22 02:00:56 d1l00313g supervisord: 2019-08-22 02:00:56,926 INFO Creating socket unix:///opt/shibboleth/shibauthorizer.sock
Aug 22 02:00:56 d1l00313g supervisord: 2019-08-22 02:00:56,929 INFO spawned: 'shibauthorizer' with pid 19275
Aug 22 02:00:56 d1l00313g supervisord: 2019-08-22 02:00:56,930 INFO Creating socket unix:///opt/shibboleth/shibresponder.sock
Aug 22 02:00:56 d1l00313g supervisord: 2019-08-22 02:00:56,933 INFO spawned: 'shibresponder' with pid 19276
Aug 22 02:00:56 d1l00313g shibboleth: WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
Aug 22 02:00:56 d1l00313g shibboleth: WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
Aug 22 02:00:56 d1l00313g shibboleth: WARN Shibboleth.Application : insecure cookieProps setting, set to "https" for SSL/TLS-only usage
Aug 22 02:00:56 d1l00313g shibboleth: WARN Shibboleth.Application : handlerSSL should be enabled for SSL/TLS-enabled web sites
Aug 22 02:00:57 d1l00313g supervisord: 2019-08-22 02:00:57,996 INFO success: shibauthorizer entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Aug 22 02:00:57 d1l00313g supervisord: 2019-08-22 02:00:57,996 INFO success: shibresponder entered RUNNING state, process has stayed up for > than 1 seconds (startsecs)
Aug 22 02:01:01 d1l00313g systemd: Created slice User Slice of root.
Aug 22 02:01:01 d1l00313g systemd: Started Session 3011 of user root.
Aug 22 02:01:01 d1l00313g systemd: Removed slice User Slice of root.
Aug 22 02:02:00 d1l00313g systemd-logind: Removed session 3009.
Aug 22 02:02:26 d1l00313g systemd: supervisord.service start operation timed out. Terminating.
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,074 WARN received SIGTERM indicating exit request
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,076 INFO waiting for shibauthorizer, shibresponder to die
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,079 INFO stopped: shibresponder (terminated by SIGTERM)
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,079 INFO Closing socket unix:///opt/shibboleth/shibresponder.sock
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,082 INFO stopped: shibauthorizer (terminated by SIGTERM)
Aug 22 02:02:26 d1l00313g supervisord: 2019-08-22 02:02:26,082 INFO Closing socket unix:///opt/shibboleth/shibauthorizer.sock
Aug 22 02:02:26 d1l00313g systemd: Failed to start Supervisor process control system for UNIX.
Aug 22 02:02:26 d1l00313g systemd: Unit supervisord.service entered failed state.
Aug 22 02:02:26 d1l00313g systemd: supervisord.service failed.

As per the logs, initially it says supervisord started and at the end it went to the stopped state again.

Aug 22 02:01:01 d1l00313g systemd: Created slice User Slice of root.
Aug 22 02:01:01 d1l00313g systemd: Started Session 3011 of user root.
Aug 22 02:01:01 d1l00313g systemd: Removed slice User Slice of root.
Aug 22 02:02:00 d1l00313g systemd-logind: Removed session 3009.

After these statements the services are going down.

Any help on this @davidjb

davidjb commented 5 years ago

Try running the FastCGI applications directly to see if you get some more logging output, and try increasing the verbosity of the logging so you can see why the applications aren't remaining alive.

As mentioned before, running these applications as root isn't advisable; it's possibly required to run them as the limited-access user shibd, which might be why they're failing. The config at https://github.com/nginx-shib/nginx-http-shibboleth/blob/master/CONFIG.rst#running-the-fastcgi-authorizer-and-responder is the config I'm running, so try that as well.

In any case, since this isn't an issue with this nginx module, support requests should be directed to the Shibboleth Users mailing list (https://www.shibboleth.net/community/lists/) -- they can assist you with specific config or application issues.
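An added example, not part of the module or of any comment in this thread, that turns two things visible above into an audit you can run across hosts: the SP's own startup warnings about cookieProps="http" and handlerSSL="false" (the insecure settings are in the posted shibboleth2.xml, and the SP flags them because handlers and the session cookie should be confined to TLS on an HTTPS site), and the repeated advice to stop supervising the FastCGI applications as root. It runs against constructed copies of the configuration posted in this thread with a corrected variant beside each. The shibd user and the socket_owner/socket_mode values in the corrected variant are assumptions in the spirit of the CONFIG.rst section linked above, not values copied from it; whatever group owns the socket, the nginx worker user has to be able to connect to it.

```shell
#!/bin/sh
# Added example, not code from the nginx-http-shibboleth project: audit the two
# settings this thread surfaces as risky, (1) [fcgi-program:*] sections that run
# the FastCGI applications as root and (2) a <Sessions> element with
# handlerSSL="false" / cookieProps="http" on a TLS-only site. The sample configs
# are constructed from the values posted in the thread; the shibd user and the
# socket_owner/socket_mode in the corrected sample are assumptions.

# audit_supervisord FILE: print one finding per [fcgi-program:*] section that
# runs as root or leaves user unset, or whose socket_owner does not match user.
audit_supervisord() {
    awk '
        function flush() {
            if (sect == "") return
            if (user == "")
                printf "%s: user not set, inherits the supervisord user\n", sect
            else if (user == "root")
                printf "%s: runs as root, use a dedicated unprivileged user\n", sect
            else if (owner != "" && index(owner, user ":") != 1)
                printf "%s: socket_owner %s does not match user %s\n", sect, owner, user
        }
        /^[[:space:]]*;/ { next }                      # commented-out lines
        /^\[fcgi-program:/ { flush(); sect = $0; user = ""; owner = ""; next }
        /^\[/ { flush(); sect = ""; next }              # any other section
        sect != "" && /^[[:space:]]*user[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*;.*$/, ""); user = $0 }
        sect != "" && /^[[:space:]]*socket_owner[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*;.*$/, ""); owner = $0 }
        END { flush() }
    ' "$1"
}

# audit_shib_sessions FILE: inspect the <Sessions ...> start tag (it usually
# spans several lines) and report handlerSSL != "true" or cookieProps != "https".
# cookieProps also accepts a raw cookie-attribute string; this check only
# understands the "http"/"https" shorthand, which is what the thread uses.
audit_shib_sessions() {
    tag=$(tr '\n' ' ' < "$1" | sed -n 's/.*\(<Sessions[^>]*>\).*/\1/p')
    [ -n "$tag" ] || { echo "no <Sessions> element found"; return 0; }
    hs=$(printf '%s' "$tag" | sed -n 's/.*handlerSSL="\([^"]*\)".*/\1/p')
    cprops=$(printf '%s' "$tag" | sed -n 's/.*cookieProps="\([^"]*\)".*/\1/p')
    [ "$hs" = "true" ] ||
        echo "Sessions: handlerSSL=\"${hs:-unset}\", set handlerSSL=\"true\" so the SP handlers are forced to https"
    [ "$cprops" = "https" ] ||
        echo "Sessions: cookieProps=\"${cprops:-unset}\", set cookieProps=\"https\" so the session cookie is TLS-only"
    return 0
}

# make_samples: write constructed weak/fixed samples to a temp dir and print its path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/weak-supervisord.conf" <<'EOF'
[fcgi-program:shibauthorizer]
command=/usr/lib64/shibboleth/shibauthorizer
socket=unix:///opt/shibboleth/shibauthorizer.sock
socket_owner=root:root
socket_mode=0770
user=root
EOF
    cat > "$d/fixed-supervisord.conf" <<'EOF'
; assumed hardening: unprivileged owner, group-accessible socket (nginx worker in that group)
[fcgi-program:shibauthorizer]
command=/usr/lib64/shibboleth/shibauthorizer
socket=unix:///opt/shibboleth/shibauthorizer.sock
socket_owner=shibd:shibd
socket_mode=0660
user=shibd
EOF
    cat > "$d/weak-shibboleth2.xml" <<'EOF'
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="false" cookieProps="http">
</Sessions>
EOF
    cat > "$d/fixed-shibboleth2.xml" <<'EOF'
<Sessions lifetime="28800" timeout="3600" relayState="ss:mem"
          checkAddress="false" handlerSSL="true" cookieProps="https">
</Sessions>
EOF
    echo "$d"
}

samples=$(make_samples)
for variant in weak fixed; do
    echo "== $variant =="
    audit_supervisord "$samples/$variant-supervisord.conf"
    audit_shib_sessions "$samples/$variant-shibboleth2.xml"
done
rm -rf "$samples"
```

Point the two audit functions at /etc/supervisord.conf (plus anything under its [include] directory) and /etc/shibboleth/shibboleth2.xml on a real host; the weak sample reproduces exactly the three findings the SP and davidjb raise in this thread, and the corrected sample is clean.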

davidjb commented 4 years ago

Closing this off as it's a general configuration and setup question, rather than a bug in the nginx module.