Issue using user_map_cmd

It seems that the script specified by user_map_cmd is not being invoked. It creates syslog entries, and none are present.

We see error message like
Error – failed to map user (edsills@ncsu.edu)

Even though when running script from command line this string does map correctly:

/opt/ood/ood_auth_map/bin/user_map_cmd.pl edsills@ncsu.edu

edsills

We are using Shib for authentication; that seems to be okay, as the entry in
/var/log/httpd24/servood.hpc.ncsu.edu_access_ssl.log indicates a successful login…

10.136.192.62 - - [24/Feb/2023:12:18:59 -0500] "POST /Shibboleth.sso/SAML2/POST HTTP/1.1" 302 230 "https://shib.ncsu.edu/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"
10.136.192.62 - edsills@ncsu.edu [24/Feb/2023:12:18:59 -0500] "GET /pun/sys/dashboard HTTP/1.1" 404 46 "https://shib.ncsu.edu/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36"

Do you see anything that may indicate an issue in the error log? /var/log/httpd24/servood.hpc.ncsu.edu_error_ssl.log.

I can’t tell from your example if you’re reading that from stdin or not, it could just be formatting, but it looks like you’re giving edsills@ncsu.edu to standard in.

If that's the case, the script gets invoked with the REMOTE_USER as the first argument $1.

I also can’t tell if there’s extra whitespace there. Be careful here with whitespace and/or newlines in the output.

All that said - if it’s regular expression to just drop the @ncsu.edu for all of your users, you should just use user_map_match instead. The example here is similar to this use case (the use case being that <username>@<domain> always maps to <username> and there’s only ever 1 domain).

https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html#ood-portal-generator-user-map-match

Unfortunately our situation is more complicated than just dropping ncsu.edu (that worked fine :slight_smile: ) We have users from UNCW and UNCG and need to map their university identity to their HPC identity.

There are no errors in
servood.hpc.ncsu.edu_error_ssl.log

To be clear, user_map_match worked, but doesn’t provide the flexibility we require

Got it.

Two things I’d like to confirm are

  • you’re reading from $1 (the first argument to the program) and not standard in
  • you have no extra newlines in the output.

I pulled this shell script from another user_map_cmd topic. Yours should behave in the same way. I'll look up whether we deal with newlines correctly.

I guess to add to that, I’d be sure you don’t require extra setup/libraries. Running this in a terminal is one thing, but this is executed by apache in a very small environment. I.e., you may not have direct access to perl and/or other libraries if you have perl installed in a nonstandard location (or at all on the webnode).

Also - you can set lua_log_level to debug and you may see something new.

"Mapped 'soandso@ncsu.edu' => ('') [ 10 ms]"

Though I can’t tell how helpful that’ll be if it still empty.

https://osc.github.io/ood-documentation/latest/reference/files/ood-portal-yml.html#ood-portal-generator-lua-log-level

There’s something simple we’re missing here, like the file isn’t executable or something obvious.

One last thing I’d like to verify is that you bounced httpd-httpd24 (or httpd as the case may be).

I want to be sure that the configuration is being updated. When you grep the /opt/rh/httpd24/root/etc/httpd/conf.d/ood-portal.conf (or /etc/httpd/conf.d/ood-portal.conf or /etc/apache2/sites-enabled/ood-portal.conf as the case may be) we’re actually using the file that you’ve supplied.

Yes, I’ve restarted httpd24-httpd a few times :slight_smile:

Yes, the script is using ARGV[0] as the input.

Are you able to share your perl script? You should be able to upload it here if you add a .txt extension.

Pasting inline…


Can you reformat with backticks `

3 backticks format a section


```perl
#! /usr/bin/perl
#
# map REMOTE_USER to local HPC login name
#
use Sys::Syslog;

openlog("user_map_cmd","nofatal","local0");

# lookup hashes (campus username => HPC login) loaded from files;
# note: a bare relative name makes do() search @INC rather than the
# current directory, so use an absolute path when apache runs this
%uncg = do 'uncg.pl';
%uncw = do 'uncw.pl';

# REMOTE_USER arrives as the first argument, not on stdin
$remote = lc($ARGV[0]);

# drop any embedded spaces
$remote =~ s/ +//g;

if ($remote =~ /\@ncsu\.edu$/ || $remote =~ /\@ncsu$/) {
    # NCSU users: the local part is the HPC login
    @part = split(/\@/,$remote);
    syslog("info","mapped $remote to $part[0]");
    print "$part[0]";
    exit 0;
} elsif ($remote =~ /\@uncg\.edu$/ || $remote =~ /\@uncg$/) {
    # UNCG users: look the local part up in the uncg hash
    @part = split(/\@/,$remote);
    if ($uncg{$part[0]}) {
        syslog("info","mapped $remote to $uncg{$part[0]}");
        print "$uncg{$part[0]}\n";
        exit 0;
    } else {
        exit 1;
    }
} elsif ($remote =~ /\@uncw\.edu$/ || $remote =~ /\@uncw$/) {
    # UNCW users: look the local part up in the uncw hash
    @part = split(/\@/,$remote);
    if ($uncw{$part[0]}) {
        syslog("info","mapped $remote to $uncw{$part[0]}");
        print "$uncw{$part[0]}\n";
        exit 0;
    } else {
        syslog("info","could not map $remote");
        exit 1;
    }
} else {
    # unknown domain: non-zero exit tells OOD the mapping failed
    exit 1;
}
# not reached: every branch above exits before this point
closelog();
```

OK - check the error_log in the log directory (/var/log/httpd24-httpd/error_log).

When I took your script to replicate I found this error -

/var/log/httpd/error_log:Can't locate Sys/Syslog.pm in @INC (you may need to install the Sys::Syslog module) (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5) at /etc/ood/config/misc/ood_auth_map.pl line 5.

The only errors are like this, after each httpd restart…

[Fri Feb 24 14:47:24.625151 2023] [http2:warn] [pid 12522] AH10034: The mpm module (prefork.c) is not supported by mod_http2. The mpm determines how things are processed in your server. HTTP/2 has more demands in this regard and the currently selected mpm will just not do. This is an advisory warning. Your server will continue to work, but the HTTP/2 protocol will be inactive.

I also copied the bash shell example from the documentation - to just remove ncsu.edu. But it has the same result. It seems the command is not being executed?

Is that from the error_log (no hostname in the file name, just error_log)?

/var/log/httpd-httpd24/error_log

In /opt/ood/mod_ood_proxy/lib/ood/user_map.lua, if I change
r.escape(remote_user) to just (remote_user) then script works.

I’m not sure how r.escape is treating the @ that is in remote_user?

:man_facepalming: well that’s it. It’s URL escaping it.

so jeff@localhost is mapped to jeff%40localhost.
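As an added example (not the thread's script and not code from the OOD project), here is an equivalent user_map_cmd in Python that undoes the URL escaping described above before matching, reads the user from $1 rather than stdin, exits non-zero when it cannot map, and writes the login without a trailing newline. The UNCG/UNCW tables are constructed stand-ins for the uncg.pl / uncw.pl hashes.

```python
#!/usr/bin/env python3
# Added example: a user_map_cmd that accepts the URL-escaped REMOTE_USER that
# user_map.lua passes (jeff@localhost arrives as jeff%40localhost).
import sys
from urllib.parse import unquote
try:
    import syslog                      # POSIX only; absent on Windows
except ImportError:
    syslog = None

# Constructed stand-ins for the thread's uncg.pl / uncw.pl lookup hashes.
UNCG_MAP = {"jdoe": "jdoe_uncg"}
UNCW_MAP = {"asmith": "asmith2"}

# domain -> lookup table, or None meaning "the local part is the HPC login"
DOMAIN_RULES = {
    "ncsu.edu": None, "ncsu": None,
    "uncg.edu": UNCG_MAP, "uncg": UNCG_MAP,
    "uncw.edu": UNCW_MAP, "uncw": UNCW_MAP,
}

def map_user(remote_user):
    """Return the HPC login for REMOTE_USER, or None if it cannot be mapped."""
    # undo r.escape() from user_map.lua, then normalise whitespace and case
    cleaned = unquote(remote_user).strip().lower()
    if cleaned.count("@") != 1:
        return None
    local, domain = cleaned.split("@")
    if not local or domain not in DOMAIN_RULES:
        return None
    table = DOMAIN_RULES[domain]
    return local if table is None else table.get(local)

def main(argv):
    # the user arrives as the first argument ($1 / ARGV[0]), not on stdin
    if len(argv) != 2:
        return 1
    mapped = map_user(argv[1])
    if syslog:
        syslog.openlog("user_map_cmd", facility=syslog.LOG_LOCAL0)
        syslog.syslog(syslog.LOG_INFO, f"mapped '{argv[1]}' => ('{mapped or ''}')")
    if mapped is None:
        return 1                       # non-zero exit = "failed to map user"
    sys.stdout.write(mapped)           # no trailing newline
    return 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```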