问题描述
我正在寻求您的帮助,了解如何使用 mod_auth_mellon SSO 解决我的 Foreman Katello 沙箱的访问身份验证问题。我尝试了很多 Mellon 变量,但令牌/标头似乎不足以让 Foreman Katello 验证我的凭据。SSO 登录页面可以正常显示,但当我登录后,并没有进入 Katello 仪表板的主页,而是返回到了原来的 Katello 登录页面。请帮我解决这个问题。
这是我的配置:
foreman-ssl.conf
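<VirtualHost *:443>
ServerName vmdfiefmand01.sandbox.lan
## Vhost docroot
DocumentRoot "/usr/share/foreman/public"
## Directories,there should at least be a declaration for /usr/share/foreman/public
<Directory "/usr/share/foreman/public">
Options SymLinksIfOwnerMatch
AllowOverride None
Require all granted
</Directory>
## Load additional static includes
## NOTE: anything in this directory is merged into this vhost; if a file there
## already re-exports the REMOTE_USER* headers, the block below is redundant.
IncludeOptional "/etc/httpd/conf.d/05-foreman-ssl.d/*.conf"
## Logging
ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log"
ServerSignature Off
CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined
## Request header rules
## as per http://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader
RequestHeader set X_FORWARDED_PROTO "https"
RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
## Discard any REMOTE_USER* header the client itself sent. The backend on
## 127.0.0.1:3000 trusts these headers as the authenticated identity, so they
## must only ever originate from this proxy, never from the browser.
RequestHeader unset REMOTE_USER
RequestHeader unset REMOTE_USER_EMAIL
RequestHeader unset REMOTE_USER_FIRSTNAME
RequestHeader unset REMOTE_USER_LASTNAME
RequestHeader unset REMOTE_USER_GROUPS
## Re-export the identity that mod_auth_mellon placed in the environment
## (see the MellonSetEnvNoPrefix mapping in mellon.conf). Without these lines
## the unset above leaves the proxied request with no identity at all, and
## the application falls back to its own login page.
## Keep them AFTER the unset lines, and keep the env= condition: the header
## is then only added when Mellon actually populated the variable, so an
## unauthenticated request still reaches the backend with no identity.
RequestHeader set REMOTE_USER "%{REMOTE_USER}e" env=REMOTE_USER
RequestHeader set REMOTE_USER_EMAIL "%{REMOTE_USER_EMAIL}e" env=REMOTE_USER_EMAIL
RequestHeader set REMOTE_USER_FIRSTNAME "%{REMOTE_USER_FIRSTNAME}e" env=REMOTE_USER_FIRSTNAME
RequestHeader set REMOTE_USER_LASTNAME "%{REMOTE_USER_LASTNAME}e" env=REMOTE_USER_LASTNAME
## Group membership is not forwarded here: mellon.conf maps "groups" to
## REMOTE_USER_GROUP with MellonEnvVarsSetCount On, which (presumably) yields
## REMOTE_USER_GROUP_N plus one numbered variable per group rather than a
## single header - confirm the variable names before adding set lines for them.
# SSL Proxy directives
SSLProxyEngine On
## Proxy rules
ProxyRequests Off
ProxyPreserveHost On
ProxyAddHeaders On
ProxyPass /pulp !
ProxyPass /pulp2 !
ProxyPass /streamer !
ProxyPass /pub !
ProxyPass /icons !
ProxyPass / http://127.0.0.1:3000/ retry=0
ProxyPassReverse / http://127.0.0.1:3000/
## Rewrite rules
RewriteEngine On
#Upgrade Websocket connections
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://127.0.0.1:3000/$1 [P,L]
## Server aliases
ServerAlias foreman
## SSL directives
SSLEngine on
SSLCertificateFile "/etc/pki/katello/certs/katello-apache.crt"
SSLCertificateKeyFile "/etc/pki/katello/private/katello-apache.key"
SSLCertificateChainFile "/etc/pki/katello/certs/katello-server-ca.crt"
## Client certificates are accepted but not required; the SSL_CLIENT_* headers
## above carry the verification result to the backend for cert-based clients.
SSLVerifyClient optional
SSLCACertificateFile "/etc/pki/katello/certs/katello-default-ca.crt"
SSLVerifyDepth 3
SSLOptions +StdEnvVars +ExportCertData
## Custom fragment
# Return compressed assets if they are precompiled
<IfModule mod_rewrite.c>
RewriteEngine on
# Make sure the browser supports gzip encoding and file with .gz added
# does exist on disc before we rewrite with the extension
RewriteCond %{HTTP:Accept-Encoding} \b(x-)?gzip\b
RewriteCond %{REQUEST_FILENAME} \.(css|js|svg)$
RewriteCond %{REQUEST_FILENAME}.gz -s
RewriteRule ^(.+) $1.gz [L]
# Set headers for all possible assets which are compressed
<FilesMatch \.css\.gz$>
ForceType text/css
Header set Content-Encoding gzip
SetEnv no-gzip
</FilesMatch>
<FilesMatch \.js\.gz$>
ForceType text/javascript
Header set Content-Encoding gzip
SetEnv no-gzip
</FilesMatch>
<FilesMatch \.svg\.gz$>
ForceType image/svg+xml
Header set Content-Encoding gzip
SetEnv no-gzip
</FilesMatch>
</IfModule>
<LocationMatch "^/(assets|webpack)">
Options SymLinksIfOwnerMatch
AllowOverride None
Require all granted
# Use standard http expire header for assets instead of ETag
<IfModule mod_expires.c>
Header unset ETag
FileETag None
ExpiresActive On
ExpiresDefault "access plus 1 year"
</IfModule>
</LocationMatch>
AddDefaultCharset UTF-8
</VirtualHost>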
mellon.conf
# Site-wide mod_auth_mellon SP settings: SAML endpoint path, SP key/cert and
# metadata, IdP metadata, and the attribute -> environment variable mapping.
# There is no MellonEnable in this block, so nothing under / is protected by
# it alone; the two narrower <Location> blocks below decide where Mellon acts.
<Location />
MellonEndpointPath /saml2/
MellonSPMetadataFile /etc/httpd/saml2/10.0.102.34.mellon.xml
MellonSPPrivateKeyFile /etc/httpd/saml2/mellon.key
MellonSPCertFile /etc/httpd/saml2/mellon.cert
MellonIdPMetadataFile /etc/httpd/saml2/idp_metadata.xml
MellonIdP IDP
# Multi-valued attributes get a count variable (VAR_N) and per-value
# variables numbered from 1 instead of 0.
MellonEnvVarsSetCount On
MellonEnvVarsIndexStart 1
# SAML attribute -> environment variable, without the MELLON_ prefix.
# These are Apache environment variables only. A proxied backend sees request
# headers, not the environment, so the vhost must still copy them into
# REMOTE_USER* headers (RequestHeader set ... env=...) after discarding any
# client-supplied ones - otherwise the login completes at the IdP but the
# application never learns who logged in.
MellonSetEnvNoPrefix "REMOTE_USER" username
MellonSetEnvNoPrefix "REMOTE_USER_EMAIL" email
MellonSetEnvNoPrefix "REMOTE_USER_FIRSTNAME" givenname
MellonSetEnvNoPrefix "REMOTE_USER_LASTNAME" surname
# "groups" is multi-valued; with the SetCount/IndexStart settings above this
# presumably yields REMOTE_USER_GROUP_N and REMOTE_USER_GROUP_1.. - confirm
# the exact names before relying on them downstream.
MellonSetEnvNoPrefix "REMOTE_USER_GROUP" groups
</Location>
# The SAML endpoints (metadata, ACS, logout) under MellonEndpointPath must be
# reachable without forcing authentication, hence "info" rather than "auth".
<Location /saml2>
MellonEnable info
</Location>
# The only path that requires an authenticated SAML session. Unauthenticated
# requests here are redirected to the IdP; everything else stays open to the
# application's own login handling.
<Location /users/extlogin>
AuthType Mellon
MellonEnable auth
Require valid-user
</Location>
解决方法
暂无找到可以解决该程序问题的有效方法,小编努力寻找整理中!