SSO Permission Denied
Hi,
I get permission denied when trying to log in via sso.php. I am running the Debian 7 - piler 0.1.24 ova and have updated php-ldap and can log in fine using login.php.
The only thing I wasn't able to do in the instructions is the "uid=33(www-data) gid=33(www-data) groups=33(www-data),125(winbindd_priv)" step. Not sure if this is a command, it has a syntax error?
Nothing shows up in the /etc/log/mail.log.
The following shows up in piler.mydomain.com-access.log:
[29/Apr/2014:08:47:53 +0200] "GET /sso.php HTTP/1.1" 200 48 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
[29/Apr/2014:08:47:53 +0200] "GET /favicon.ico HTTP/1.1" 404 198 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.131 Safari/537.36"
The following in piler.mydomain.com-error.log:
2014/04/29 08:47:55 [error] 2490#0: *30 open() "/var/www/hgarchive.hickory.com.au/favicon.ico" failed (2: No such file or directory), client: 10.1.1.10, server: piler.mydomain.com, request: "GET /favicon.ico HTTP/1.1", host: "piler.mydomain.com"
Comments (12)
-
So the command is "usermod -G winbindd_priv www-data". I ran that without any error.
Which log file would be logging these access denied errors? Where would you suggest I look for issues?
-
repo owner Thanks for the command :-) Please set the apache ErrorLevel to "debug", and try to login again. Also make sure that you have a helper account in AD that piler needs:
$config['LDAP_HELPER_DN'] = 'cn=...';
$config['LDAP_HELPER_PASSWORD'] = 'xxxxxxx';
-
Thanks, I believe the HELPER config details are correct because LDAP lookups are successful when logging in with login.php, I am only getting access denied on sso.php.
I have the line LogLevel debug in /etc/apache2/apache2.conf already.
-
Just thought I would add the only other thing I have done outside of the instructions is added another hard drive and mounted it to /var. I formatted the new volume to an ext4 logical volume and did a mv /var to the new location then remounted it as /var. Not sure if that would have any implications (specific to single sign on)?
-
repo owner The /var remake should NOT cause any sso problem. Please try an sso login, then show me the apache debug logs to see what's going on.
-
Which one is the apache debug log?
-
repo owner Sorry to confuse you. Debug is the name of the loglevel. So in a nutshell, check the error log for clues as to what happens.
-
Does the LogLevel debug line have to be in /etc/apache2/apache2.conf ??
Nothing shows up in the piler.mydomain.com-error.log (apart from the missing fav.ico).
-
repo owner Yes, it's fine to have it in /etc/apache2/apache2.conf. I assume you have restarted apache, and logged in to the windows network, so please check other error log files (if there are any). If you just can't make it, then I may help via a TeamViewer session. If you are interested, then find me on Skype (janos.suto).
-
repo owner - changed status to wontfix
No news is good news.
-
"uid=33(www-data) gid=33(www-data) groups=33(www-data),125(winbindd_priv)" is not a command, rather the result. Use the usermod command to put the www-data user in the winbindd_priv group.
The missing favicon.ico (in the error log) is rather a cosmetic issue.