Logout redirect in ood_portal.yml not updating ood-portal.conf #3883
Comments
I'll have to look into it. It sounds like a bug. I take it that you're not using OIDC?
Correct. We have historically been using LDAP but just switched to Shibboleth this morning.
I'll take a look. My guess is it's meant to be an OIDC thing so it takes some liberties. How can you log out with Shibboleth? I mean did you have to create a
When we install Shibboleth, it creates the necessary Apache Locations. So when it comes to OnDemand, I just have to specify /logout to redirect to /Shibboleth.sso/Logout
OK - if you already have the route - I wonder if you need the
I think that would be fine, but I don't know how to configure that. The logout button on the dashboard currently points to /logout. If I could change that to /Shibboleth.sso/Logout, then yes, I wouldn't need to worry about the redirect.
🤦♂️ yes you appear to be right. It looks to be hard coded.
Here's what you can do in the interim that will survive upgrades (i.e., you're not modifying the source code that'll get overwritten when you update, you're supplying a config that won't be touched when you upgrade). Take this file that I've linked (or copy the file you have on your system) and follow this documentation here. The documentation's example is about supplying a new footer, but the message is the same - you want to supply a new partial for this navigation bar entry and change the https://osc.github.io/ood-documentation/latest/customizations.html#overriding-pages
OK, so the URL is hard coded which makes that option more difficult. The other option is to get Thanks,
It's hard coded in the partial we ship. You can override the partial we ship to correct it. I think this is your best route because it's upgrade safe. You've likely found a bug which means any updates you make are going to get wiped out when you upgrade, or worse create new bugs.
Got it. I was able to override the partial and set the login button to the correct URL.
Somehow we've hit a spot where it believes dex is enabled and is reconfiguring it as such. Can you provide your
Sure. We do still have the ondemand-dex RPM installed, but are no longer using it because we have moved to Shibboleth auth. Should I get rid of the dex: section in ood_portal.yml now that we are using Shibboleth?

```
# cat /etc/ood/config/ood_portal.yml | grep -v '#'
---
servername: ondemand.bioinf.unc.edu
ssl:
  - 'SSLCertificateFile "/path/to/cert/file"'
  - 'SSLCertificateKeyFile "/path/to/key/file"'
  - 'SSLCertificateChainFile "/path/to/interm/file"'
auth:
  - "AuthType shibboleth"
  - "ShibRequestSetting requireSession 1"
  - "RequestHeader edit* Cookie \"(^_shibsession_[^;]*(;\\s*)?|;\\s*_shibsession_[^;]*)\" \"\""
  - "RequestHeader unset Cookie \"expr=-z %{req:Cookie}\""
  - 'Require shib-user '
user_map_cmd: "/opt/ood/ood_auth_map/bin/ood_auth_map.regex --regex='^(\\w+)@unc.edu'"
dex:
  frontend:
    issuer: "LBG OnDemand (DEV)"
    extra:
      loginTitle: "Log in with your ONYEN and password"
      loginButtonText: "Log in to LBG Cluster OnDemand (DEV)"
      usernamePlaceholder: "ONYEN"
      passwordPlaceholder: "ONYEN password"
  connectors:
    - type: ldap
      id: ldap
      name: LDAP
      config:
        host: ldap.unc.edu
        insecureSkipVerify: false
        bindDN: cn=unc:app:med:ccc:lbg,ou=Applications,dc=unc,dc=edu
        bindPW: HvMgWElDg1Wz%dg@YQIF&w
        userSearch:
          baseDN: ou=people,dc=unc,dc=edu
          filter: "(objectClass=posixAccount)"
          username: uid
          idAttr: uid
          emailAttr: mail
          nameAttr: cn
          preferredUsernameAttr: uid
        groupSearch:
          baseDN: ou=group,dc=unc,dc=edu
          filter: "(objectClass=posixGroup)"
          userMatchers:
            - userAttr: DN
              groupAttr: member
          nameAttr: cn
  expiry:
    signingKeys: "12h"
    idTokens: "24h"
host_regex: '[\w.-]+\.local'
node_uri: '/node'
rnode_uri: '/rnode'
[root@ondemand9 btsherid]#
```
Yes and remove the RPM. I think with those two actions you can successfully use
I'm going to close this as I think we solved it. You do in fact have
Hi,
I'm having an issue where the update_ood_portal script is not updating the logout_redirect directive in the Apache configuration.
This is how I expect things to work:
- `/etc/ood/config/ood_portal.yml`
- `/opt/ood/ood-portal-generator/sbin/update_ood_portal` runs without errors
- `Redirect "/logout"` line in `/etc/httpd/conf.d/ood-portal.conf` should update to match what is configured for logout_redirect in `/etc/httpd/conf.d/ood-portal.conf`

What I'm actually seeing:
- `/etc/ood/config/ood_portal.yml`
- `/opt/ood/ood-portal-generator/sbin/update_ood_portal` runs without errors
- `Redirect "/logout"` line in `/etc/httpd/conf.d/ood-portal.conf` is always `Redirect "/logout" "/oidc?logout=https%3A%2F%2F<<server FQDN>>"`

The end result is that the logout button does not work until I manually edit the `Redirect "/logout"` line in `/etc/httpd/conf.d/ood-portal.conf` and restart httpd. So my logout button is currently working using the manual edit workaround, but I know that is not the recommended way to update this.

I do not seem to have this issue with any other directive in `/etc/ood/config/ood_portal.yml`
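An added example, not part of the original issue or the Open OnDemand code base: a check to run after `update_ood_portal` that flags the two conditions discussed in this thread, a generated `Redirect "/logout"` target that differs from `logout_redirect`, and a leftover `dex:` section when the `auth` block is not OIDC. The function names and the sample hostname and values are constructed for illustration, and the line-based parsing assumes simple top-level `key: value` entries.

```python
import re

# Constructed sample inputs modelled on the thread; hostname is a placeholder.
SAMPLE_YML = """\
---
servername: ondemand.example.edu
logout_redirect: "/Shibboleth.sso/Logout"
auth:
  - "AuthType shibboleth"
  - "ShibRequestSetting requireSession 1"
dex:
  connectors:
    - type: ldap
"""
SAMPLE_CONF = '''\
<VirtualHost *:443>
  Redirect "/logout" "/oidc?logout=https%3A%2F%2Fondemand.example.edu"
</VirtualHost>
'''

def top_level_scalar(yml, key):
    """Value of an uncommented, unindented `key: value` line, or None."""
    m = re.search(rf'^{re.escape(key)}:[ \t]*(\S.*?)[ \t]*$', yml, re.M)
    return m.group(1).strip('"\'') if m else None

def has_top_level_section(yml, key):
    """True if `key:` starts a line at column 0 (commented lines do not match)."""
    return re.search(rf'^{re.escape(key)}:', yml, re.M) is not None

def generated_logout_target(conf):
    """Target of the generated Redirect "/logout" directive, or None."""
    m = re.search(r'^\s*Redirect\s+"/logout"\s+"([^"]*)"', conf, re.M)
    return m.group(1) if m else None

def check_logout_drift(yml, conf):
    """Return a list of human-readable findings; empty means no drift."""
    findings = []
    want = top_level_scalar(yml, "logout_redirect")
    got = generated_logout_target(conf)
    if want is not None and got != want:
        findings.append(f"logout mismatch: yml={want!r} conf={got!r}")
    uses_oidc = re.search(r'AuthType\s+openid-connect', yml, re.I)
    if has_top_level_section(yml, "dex") and not uses_oidc:
        findings.append("dex: section present but auth is not openid-connect")
    return findings
```

On a live host, pass the contents of `/etc/ood/config/ood_portal.yml` and `/etc/httpd/conf.d/ood-portal.conf` to `check_logout_drift` instead of the samples.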