error message on login


Nick Owen

Mar 19, 2008, 4:50:42 PM
to GHeimdall
Greetings:

I am trying to configure GHeimdall. My end goal is to combine
GHeimdall with two-factor authentication from my company - just so
you know that I am not much of a developer :). I have tried both
the yum install method (nice!) and building from source. Both times I
get this error:

2008-03-19 16:48:32,000 gheimdall.controllers ERROR CherryPy 500 error (500 - Internal Server Error) for request 'GET /gheimdall/login/'
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/cherrypy/_cphttptools.py", line 121, in _run
    self.main()
  File "/usr/lib/python2.4/site-packages/cherrypy/_cphttptools.py", line 264, in main
    body = page_handler(*virtual_path, **self.params)
  File "<string>", line 3, in newfunc
  File "/usr/lib/python2.4/site-packages/turbogears/controllers.py", line 342, in expose
    output = database.run_with_transaction(
  File "<string>", line 5, in run_with_transaction
  File "/usr/lib/python2.4/site-packages/turbogears/database.py", line 312, in so_rwt
    retval = func(*args, **kw)
  File "<string>", line 5, in _expose
  File "/usr/lib/python2.4/site-packages/turbogears/controllers.py", line 359, in <lambda>
    mapping, fragment, args, kw)))
  File "/usr/lib/python2.4/site-packages/turbogears/controllers.py", line 386, in _execute_func
    output = errorhandling.try_call(func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/turbogears/errorhandling.py", line 72, in try_call
    return func(self, *args, **kw)
  File "/usr/lib/python2.4/site-packages/gheimdall/controllers.py", line 73, in newfunc
    return func(*args, **kwargs)
TypeError: login() takes at least 2 arguments (1 given)

Additionally, the yum installed version gets an error on css:

2008-03-19 16:48:33,884 gheimdall.controllers ERROR CherryPy 404 error (404 - Not Found) for request 'GET /gheimdall/static/css/style.css/'
Traceback (most recent call last):
  File "/usr/lib/python2.4/site-packages/cherrypy/_cphttptools.py", line 121, in _run
    self.main()
  File "/usr/lib/python2.4/site-packages/cherrypy/_cphttptools.py", line 256, in main
    page_handler, object_path, virtual_path = self.mapPathToObject(path)
  File "/usr/lib/python2.4/site-packages/cherrypy/_cphttptools.py", line 326, in mapPathToObject
    raise cherrypy.NotFound(objectpath)
NotFound: 404

I've checked the permissions and it seems fine...

Any thoughts on what I have missed? Let me know if you want my
app.cfg

Takashi Matsuo

Mar 19, 2008, 5:50:59 PM
to ghei...@googlegroups.com
Hello Owen san,

Thanks for your e-mail :-)

For openers, let's start with the 404 error.

Maybe the reason for this error is a bug in cherrypy. Could you tell me
what version of cherrypy you are using?

# rpm -qa|grep cherrypy

If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
you can probably use the attached patch for the fix.

# cd /usr/lib/python2.4/site-packages/cherrypy/filters
# patch < /somewhere/cherrypy-staticfilter-fix.patch

Additionally, when it comes to two-factor authentication on 1 server,
you may need some other tips. I'm going to write an article about
multi-instance installation of GHeimdall on the wiki. So could you
please hold on a day or two for it?

On top of that, it seems that the 500 error you reported is the result
of lacking the SAMLRequest parameter for the login URL. Could you tell me
the exact URL when the error occurred?

Regards,

-- Takashi

cherrypy-staticfilter-fix.patch

Nick Owen

Mar 20, 2008, 1:24:27 PM
to GHeimdall

On Mar 19, 5:50 pm, "Takashi Matsuo" <matsuo.taka...@gmail.com> wrote:
> Hello Owen san,
>
> Thanks for your e-mail :-)
>
> For opener, let's start with 404 error.
>
> Maybe the reason of this error is a bug in cherrypy. Could you tell me
> what version of cherrypy you are using?
>
> # rpm -qa|grep cherrypy

python-cherrypy-2.3.0-3.el5

>
> If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
> you can probably use the attached patch for the fix.
>
> # cd /usr/lib/python2.4/site-packages/cherrypy/filters
> # patch < /somewhere/cherrypy-staticfilter-fix.patch

The patch just hangs, here's strace (if that helps...)

[root@host139 filters]# strace patch cherrypy-staticfilter-fix.patch

>
> Additionally, when it comes to two-factor authentication on 1 server,
> you may need another tips. I'm going to write the article about
> multi-instance installation of GHeimdal on the wiki. So could you
> please hold on a day or two about it?

I look forward to seeing that!

>
> On top of that, it seems that the 500 error you reported is the result
> of lacking the SAMLRequest parameter for login URL. Could you tell me
> the exact URL when the error occurred?

This could be a config issue on my end. I'm not SAML savvy :).

The url is http://test67.wikidsystems.com/gheimdall/login
and
http://test75.wikidsystems.com/gheimdall/login (the css works on this
one, which is fc7).

Nick

>
> Regards,
>
> -- Takashi
>  cherrypy-staticfilter-fix.patch

Takashi Matsuo

Mar 20, 2008, 8:45:04 PM
to ghei...@googlegroups.com
Hi Nick,

On Fri, Mar 21, 2008 at 2:24 AM, Nick Owen <owen...@gmail.com> wrote:

> > If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
> > you can probably use the attached patch for the fix.
> >
> > # cd /usr/lib/python2.4/site-packages/cherrypy/filters
> > # patch < /somewhere/cherrypy-staticfilter-fix.patch
>
> The patch just hangs, here's strace (if that helps...)
>
> [root@host139 filters]# strace patch cherrypy-staticfilter-fix.patch

Please try the following command line.
# patch < cherrypy-staticfilter-fix.patch

Please don't forget '<' after the patch command :-)

> > Additionally, when it comes to two-factor authentication on 1 server,
> > you may need another tips. I'm going to write the article about
> > multi-instance installation of GHeimdal on the wiki. So could you
> > please hold on a day or two about it?
>
> I look forward to seeing that!
>
>
> >
> > On top of that, it seems that the 500 error you reported is the result
> > of lacking the SAMLRequest parameter for login URL. Could you tell me
> > the exact URL when the error occurred?
>
> This could be a config issue on my end. I'm not saml savy :).
>
> The url is http://test67.wikidsystems.com/gheimdall/login
> and
> http://test75.wikidsystems.com/gheimdall/login (the css works on this
> one, which is fc7).

The 'login' endpoint needs the SAMLRequest parameter, so that is correct
behavior.

Once you set the login URL in the Google Apps Control Panel, you will see
the browser redirected to a URL like the following when you
access the Google Apps service.

http://test75.wikidsystems.com/gheimdall/login?SAMLRequest=.............
(with long long value)

-- Takashi
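
The check discussed in this reply, as an added example that is not part of the original thread and not GHeimdall's own code: a login handler that treats a missing or malformed SAMLRequest as a client error and decodes a well-formed one. It assumes the SAML 2.0 HTTP-Redirect binding (raw DEFLATE, then base64, then URL-encoding); the function names, the size cap, the idp.example.test host and the sample request are constructed for illustration, and the code is written for Python 3 rather than the Python 2.4 in the tracebacks.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
MAX_XML_BYTES = 64 * 1024  # assumed cap on the inflated request


class BadLoginRequest(ValueError):
    """Client error: the handler should answer 400, not 500."""


def encode_saml_request(xml_text):
    """Raw DEFLATE + base64, as the HTTP-Redirect binding specifies."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = no zlib header
    raw = comp.compress(xml_text.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def parse_login_url(url):
    """Validate the login URL's query string and return AuthnRequest fields."""
    query = parse_qs(urlsplit(url).query)
    values = query.get("SAMLRequest", [])
    if len(values) != 1:
        raise BadLoginRequest("expected exactly one SAMLRequest parameter")
    try:
        deflated = base64.b64decode(values[0], validate=True)
        inflater = zlib.decompressobj(-15)
        # Bounded inflate: stop reading once the cap is exceeded.
        xml_bytes = inflater.decompress(deflated, MAX_XML_BYTES + 1)
    except (ValueError, zlib.error) as exc:
        raise BadLoginRequest("SAMLRequest is not base64(deflate(xml))") from exc
    if len(xml_bytes) > MAX_XML_BYTES:
        raise BadLoginRequest("inflated SAMLRequest is too large")
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise BadLoginRequest("DTDs are not allowed in a SAMLRequest")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise BadLoginRequest("SAMLRequest is not well-formed XML") from exc
    if root.tag != "{%s}AuthnRequest" % SAMLP_NS:
        raise BadLoginRequest("SAMLRequest is not an AuthnRequest")
    return {
        "id": root.get("ID"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "relay_state": query.get("RelayState", [None])[0],
    }


# Constructed sample input: not the request captured in the thread.
SAMPLE_XML = (
    '<samlp:AuthnRequest xmlns:samlp="%s" ID="_constructed123" '
    'Version="2.0" AssertionConsumerServiceURL="https://sp.example.test/acs"/>'
    % SAMLP_NS
)
SAMPLE_URL = "http://idp.example.test/gheimdall/login?" + urlencode(
    {"SAMLRequest": encode_saml_request(SAMPLE_XML),
     "RelayState": "https://sp.example.test/start"}
)

if __name__ == "__main__":
    print(parse_login_url(SAMPLE_URL))
    try:
        # The bare URL from the thread's first report: no SAMLRequest at all.
        parse_login_url("http://idp.example.test/gheimdall/login")
    except BadLoginRequest as err:
        print("400 Bad Request:", err)
```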

Nick Owen

Mar 21, 2008, 11:38:45 AM
to GHeimdall
On Mar 20, 8:45 pm, "Takashi Matsuo" <matsuo.taka...@gmail.com> wrote:
> Hi Nick,
>
> On Fri, Mar 21, 2008 at 2:24 AM, Nick Owen <owen.n...@gmail.com> wrote:
> >  > If you use python-cherrypy-2.3.0-3.el5.noarch.rpm or similar version,
> >  > you can probably use the attached patch for the fix.
>
> >  > # cd /usr/lib/python2.4/site-packages/cherrypy/filters
> >  > # patch < /somewhere/cherrypy-staticfilter-fix.patch
>
> >  The patch just hangs, here's strace (if that helps...)
>
> >  [root@host139 filters]# strace patch cherrypy-staticfilter-fix.patch
>
> Please try following command line.
> # patch < cherrypy-staticfilter-fix.patch
>
> Please don't forget '<' after patch command :-)

Yes, that helps quite a bit :-)

> >  > Additionally, when it comes to two-factor authentication on 1 server,
> >  > you may need another tips. I'm going to write the article about
> >  > multi-instance installation of GHeimdal on the wiki. So could you
> >  > please hold on a day or two about it?
>
> >  I look forward to seeing that!
>
> >  > On top of that, it seems that the 500 error you reported is the result
> >  > of lacking the SAMLRequest parameter for login URL. Could you tell me
> >  > the exact URL when the error occurred?
>
> >  This could be a config issue on my end.  I'm not saml savy :).
>
> >  The url is http://test67.wikidsystems.com/gheimdall/login
> >  and
> >  http://test75.wikidsystems.com/gheimdall/login (the css works on this
> >  one, which is fc7).
>
> The 'login' endpoint needs SAMLRequest parameter. So that is a correct
> behavior.
>
> Once you set the login URL on Google Apps Control Panel, you can see
> the browser will be redirected to the URL like following when you
> access to the Google Apps Service.
>
> http://test75.wikidsystems.com/gheimdall/login?SAMLRequest=.............
> (with long long value)

Ok, I'm slowly catching on :). Thanks for your patience. I am much
closer, I think. I am now getting the SAML request properly:


But, I am getting a new 500 error:

2008-03-21 11:26:53,283 gheimdall.controllers ERROR CherryPy 500 error (500 - Internal Server Error) for request 'POST /gheimdall/login.do/'
line 181, in validate
    return errorhandling.run_with_errors(errors, func, *args, **kw)
  File "/usr/lib/python2.4/site-packages/turbogears/errorhandling.py", line 115, in run_with_errors
    return func(self, *args, **kw)
  File "/usr/lib/python2.4/site-packages/gheimdall/controllers.py", line 73, in newfunc
    return func(*args, **kwargs)
  File "/usr/lib/python2.4/site-packages/gheimdall/controllers.py", line 467, in login_do
    auth_engine.authenticate(user_name, password)
  File "/usr/lib/python2.4/site-packages/gheimdall/auth/__init__.py", line 44, in authenticate
    ret = self._authenticate(user_name, password)
  File "/usr/lib/python2.4/site-packages/gheimdall/auth/pam.py", line 63, in _authenticate
    pam.close_session()
error: Not authenticated

Obviously, I am using pam. I have tried this with two different
users. I have PyPAM-0.5.0-3 on the system. Any thoughts on this?

thanks in advance!

nick

Takashi Matsuo

Mar 22, 2008, 1:53:57 AM
to ghei...@googlegroups.com
Hi Nick,

Could you send your pam configuration file? The default filename is
/etc/pam.d/gheimdall.
Also could you tell me what authentication mechanism you use?

Unix passwd? or LDAP, or ActiveDirectory?

Regards,

Nick Owen

Mar 24, 2008, 5:18:40 PM
to GHeimdall
ok - sorry for that - I was rushing a bit to get out of town for the
weekend. I should have thought of this first: I have copied the
working pam.d/sshd to gheimdall:

#%PAM-1.0
auth include system-auth
account required pam_nologin.so
account include system-auth
password include system-auth
session optional pam_keyinit.so force revoke
session include system-auth
session required pam_loginuid.

While this works for users via ssh, it doesn't work for gheimdall:
# tail /var/log/secure
Mar 24 17:08:34 localhost httpd: pam_unix(gheimdall:auth): authentication failure; logname= uid=48 euid=48 tty= ruser= rhost= user=****
Mar 24 17:08:37 localhost httpd: pam_unix(gheimdall:session): session closed for user ****

and from gheimdall/error.log:
2008-03-24 17:08:40,386 gheimdall.controllers ERROR Authentication failure

what do you think?

nick




Takashi Matsuo

Mar 25, 2008, 2:20:50 AM
to ghei...@googlegroups.com
Hi Nick,

Presumably, you are going to use /etc/shadow as your back-end
database. Unfortunately it is not supported yet.

Usually, /etc/shadow has permissions like the following.

-rw-r----- 1 root shadow 1431 2008-03-14 14:35 /etc/shadow

It means that normal userland processes like apache cannot
access /etc/shadow.

To achieve this use-case, we need another strategy using an external
authenticator like mod_authnz_external [1].

If, as I said, you are going to use /etc/shadow as your authenticating
back-end, could you wait for me to implement an external auth module? I
have submitted an issue about this at the URL below.

http://code.google.com/p/gheimdall/issues/detail?id=9

Thank you for your patience.

Regards,

-- Takashi

[1] http://unixpapa.com/mod_auth_external.html

Nick Owen

Mar 25, 2008, 6:01:38 PM
to GHeimdall
Actually, the end goal is to develop a WiKID plugin in python - but I
was thinking that testing via pam would be a good idea. Let me play
with that for a bit and see what I come up with. Thanks!


Takashi Matsuo

Mar 25, 2008, 8:38:13 PM
to ghei...@googlegroups.com
Hi Nick,

Oh, I've been completely misunderstanding what
Two-Factor-Authentication is. Thank you for your information. I'll
look into WiKID if there's a chance.

BTW, just for testing, probably you can change the permission of
/etc/shadow to 0666. So, GHeimdall will work with /etc/shadow. If
your /etc/shadow does not contain any important credential, please
consider giving it a try.

Please don't do that in a production environment.

Regards,
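
The permission problem from the last two replies, as an added example that is not part of the original thread or of GHeimdall: an audit that reports whether a given service account can read /etc/shadow and what a given mode exposes to every other local account. The uid 48 comes from the /var/log/secure lines earlier in the thread; the shadow group id 42 and all function names are constructed for illustration.

```python
import os
import stat

_BITS = (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
         stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
         stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH)

HTTPD_UID = 48   # uid=48 in the pam_unix log lines quoted in the thread
SHADOW_GID = 42  # constructed value; look up the real one with `getent group shadow`


def mode_from_ls(listing):
    """Turn the permission column of `ls -l` (e.g. '-rw-r-----') into mode bits.

    Plain r/w/x letters only; setuid/setgid/sticky letters are not handled.
    """
    perms = listing.split()[0][1:10]
    if len(perms) != 9:
        raise ValueError("not an ls -l permission string: %r" % listing)
    mode = 0
    for char, bit in zip(perms, _BITS):
        if char != "-":
            mode |= bit
    return mode


def can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Classic Unix check: only the first matching class (user, group, other) applies."""
    if proc_uid == 0:
        return True
    if proc_uid == owner_uid:
        return bool(mode & stat.S_IRUSR)
    if owner_gid in proc_gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_shadow(mode, owner_uid, owner_gid, proc_uid, proc_gids):
    """Report whether the service can read the file and what the mode exposes."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable: every local account can copy the password hashes")
    if mode & stat.S_IWOTH:
        findings.append("world-writable: every local account can replace any password hash")
    return {
        "service_can_read": can_read(mode, owner_uid, owner_gid, proc_uid, proc_gids),
        "findings": findings,
    }


def audit_path(path, proc_uid, proc_gids):
    """Same audit against a real file on the local system."""
    st = os.stat(path)
    return audit_shadow(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid,
                        proc_uid, proc_gids)


if __name__ == "__main__":
    listed = mode_from_ls("-rw-r----- 1 root shadow 1431 2008-03-14 14:35 /etc/shadow")
    # The mode from the listing in the thread: the web server is locked out.
    print(oct(listed), audit_shadow(listed, 0, SHADOW_GID, HTTPD_UID, {HTTPD_UID}))
    # The test-only 0666 mode: authentication works, and so does everyone else's access.
    print(oct(0o666), audit_shadow(0o666, 0, SHADOW_GID, HTTPD_UID, {HTTPD_UID}))
    # A hypothetical helper running with the file's group reads it at 0640.
    print(oct(listed), audit_shadow(listed, 0, SHADOW_GID, HTTPD_UID, {HTTPD_UID, SHADOW_GID}))
```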

Nick Owen

Mar 26, 2008, 2:05:14 PM
to GHeimdall
:-). Yes, I think there will be a lot of interest in the google apps
community for two-factor authentication, especially in an open source
package. Too often people access their webmail from unsafe locations
where key-loggers can grab credentials.

I will test the /etc/shadow permissions and let you know. In the
meantime I have made some progress with a WiKID module for Gheimdall
(I'll email you the code or post it online, just let me know). I am
able to login! However, I tried logging out and got this error.

2008-03-26 11:19:56,869 gheimdall.controllers ERROR CherryPy 500 error (500 - Internal Server Error) for request 'GET /gheimdall/logout/'
  File "/usr/lib/python2.4/site-packages/gheimdall/controllers.py", line 73, in newfunc
    return func(*args, **kwargs)
  File "/usr/lib/python2.4/site-packages/gheimdall/controllers.py", line 329, in logout
    for key, issuer in cherrypy.session['issuers'].iteritems():
KeyError: 'issuers'

perhaps I have mis-configured my issuer name as IDP? I wasn't really
sure what to do there.

thanks!

nick



Nick Owen

Mar 26, 2008, 3:39:44 PM
to GHeimdall
Hmm. That error seems to have gone away. I've been doing so much
testing across a couple of browsers, perhaps I forgot where I was.

I'm going to re-install and do some documentation on it.

Great product. Thanks a lot for this.

nick

Takashi Matsuo

Mar 26, 2008, 9:28:21 PM
to ghei...@googlegroups.com
Hi Nick,

I am glad to hear that you have done :-)
Could you e-mail me your code? I'm just interested in it.

Regards,

-- Takashi

Nick Owen

Mar 28, 2008, 2:33:49 PM
to GHeimdall
Takashi:

I have emailed you the code - let me know if you don't get it. I'm
working on a short how-to now. I failed to mention a 3rd option for
testing: I can create a WiKID network client on one of our servers
for your Gheimdall server (as long as the two servers can talk over
the internet on port 8388). This way you don't have to set up a
WiKID server. To do this, I just need an IP address for your
Gheimdall server.

Nick


Takashi Matsuo

Mar 28, 2008, 6:52:59 PM
to ghei...@googlegroups.com
Hi Nick,

Thank you very much for sending me your codes. That's really cool!
I'll look into it.

Regards,

-- Takashi
