Need Help Configuring Local Dex Connector for Test OOD Deployment

[Fri Mar 07 16:36:43.859088 2025] [auth_openidc:warn] [pid 1232592:tid 129257594394304] [client 129.79.197.143:50596] oidc_get_remote_user: JSON object did not contain a "preferred_username" string, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=o6rnlr6bnyz5gkjosqjvas362
[Fri Mar 07 16:36:43.859147 2025] [auth_openidc:error] [pid 1232592:tid 129257594394304] [client 129.79.197.143:50596] oidc_set_request_user: OIDCRemoteUserClaim is set to "preferred_username", but could not set the remote user based on the requested claim "preferred_username" and the available claims for the user, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=o6rnlr6bnyz5gkjosqjvas362
[Fri Mar 07 16:36:43.859154 2025] [auth_openidc:error] [pid 1232592:tid 129257594394304] [client 129.79.197.143:50596] oidc_handle_authorization_response: remote user could not be set, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=o6rnlr6bnyz5gkjosqjvas362

Seems like the test user credentials might be wrong? Could you confirm what UserID is in the example you sent and if it’s random or calculated in some way?

Please use this file as a reference as it’s basically what you’re trying to do. You can see we use email as the oidc_remote_user_claim.

ood_portal.yml (16.3 KB)
Here’s my ood_portal.yml. I’ve set things up like that example (except using my servername instead of localhost).

You need oidc_remote_user_claim: email.

Ack, I copied the wrong version of the file over. Apologies.
ood_portal.yml (16.5 KB)

OK - with that config, after bouncing apache2 and dex, what do you see in apache2's logs?

This is the result when I navigate to the page and attempt to log in.

==> /var/log/apache2/rc-156-208.rci.uits.iu.edu_error.log <==
[Fri Mar 07 18:11:01.810875 2025] [auth_openidc:warn] [pid 1238597:tid 140341135009472] [client 129.79.197.143:51129] oidc_get_remote_user: JSON object did not contain a "preferred_username" string, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=dnudygouzkztiy6dt6s3jqcbr
[Fri Mar 07 18:11:01.810936 2025] [auth_openidc:error] [pid 1238597:tid 140341135009472] [client 129.79.197.143:51129] oidc_set_request_user: OIDCRemoteUserClaim is set to "preferred_username", but could not set the remote user based on the requested claim "preferred_username" and the available claims for the user, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=dnudygouzkztiy6dt6s3jqcbr
[Fri Mar 07 18:11:01.810943 2025] [auth_openidc:error] [pid 1238597:tid 140341135009472] [client 129.79.197.143:51129] oidc_handle_authorization_response: remote user could not be set, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=dnudygouzkztiy6dt6s3jqcbr

==> /var/log/apache2/rc-156-208.rci.uits.iu.edu_access.log <==
129.79.197.143 - - [07/Mar/2025:18:11:01 +0000] "GET /oidc?code=okszkbqqz2kanhsueikmjw7vz&state=lEtSuKVFO18dE57nP2_DaPcOrDs HTTP/1.1" 400 745 "https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=dnudygouzkztiy6dt6s3jqcbr" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0"
129.79.197.143 - - [07/Mar/2025:18:11:01 +0000] "GET /favicon.ico HTTP/1.1" 404 3179 "https://rc-156-208.rci.uits.iu.edu/oidc?code=okszkbqqz2kanhsueikmjw7vz&state=lEtSuKVFO18dE57nP2_DaPcOrDs" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0"

Stepped away from this for a bit but have now returned. I cleaned out the logs to look at a fresh set of output. The error log contains the following:

[Mon Mar 24 13:05:57.205233 2025] [auth_openidc:warn] [pid 2517461:tid 123925123655552] oidc_check_config_openid_openidc: the URL scheme (http) of the configured OIDCProviderMetadataURL SHOULD be "https" for security reasons!
[Mon Mar 24 13:06:41.417817 2025] [auth_openidc:warn] [pid 2517478:tid 123924494935744] [client 129.79.197.143:49808] oidc_get_remote_user: JSON object did not contain a "preferred_username" string, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=lrdtwggzcydbn2wj4r56pzeaj
[Mon Mar 24 13:06:41.417837 2025] [auth_openidc:error] [pid 2517478:tid 123924494935744] [client 129.79.197.143:49808] oidc_set_request_user: OIDCRemoteUserClaim is set to "preferred_username", but could not set the remote user based on the requested claim "preferred_username" and the available claims for the user, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=lrdtwggzcydbn2wj4r56pzeaj
[Mon Mar 24 13:06:41.417842 2025] [auth_openidc:error] [pid 2517478:tid 123924494935744] [client 129.79.197.143:49808] oidc_handle_authorization_response: remote user could not be set, referer: https://rc-156-208.rci.uits.iu.edu/dex/auth/local/login?back=&state=lrdtwggzcydbn2wj4r56pzeaj

Here is the ood_portal.yml as well

servername: #exists but omitted here
#port: 8080
#listen_addr_port: 8080
oidc_remote_user_claim: email
dex:
  static_passwords:
  - email: jessie@localhost
    password: owens
    username: jessie
    userID: 7e3146ab-83fb-4642-ad0d-3120a76bfd9a
  public: true
  client_redirect_uris: ["servername/oidc"] #servername matching what it would in the first line of the file

For our server setup, I’ve noticed I cannot make the port 8080 but can make it just 80. The listen address port can be 8080 however. Any ideas?

Actually, reading through the authentication steps, perhaps I need to actually set up the user mapping now and things are working as intended?

2 things,

  1. is that it keeps complaining about preferred_username being the remote user claim, but clearly you have it set to email in the configuration. I'd ask you confirm that this configuration in ood_portal.yml is making its way to /etc/apache2/enabled/ood-portal.conf (I pulled that path from memory, I'm sure enabled isn't the right directory, but it's close). When you bounce apache2 you should see the logs from the program that translates the configs in ood_portal.yml to ood-portal.conf - remember you need to hack the systemd unit file to even allow static_passwords configurations.

  2. As you've defined it there, you need a user jessie on the system. I don't think you've made it that far yet, but once you are able to login then the system will attempt to start the server as this user jessie should this user actually exist. Note that it's a known shared password so whoever jessie is, it shouldn't be a real user that has actual files/privileges because you and your colleagues will be able to login and interact with your systems & files as this user.

  1. Looking at /etc/apache2/sites-enabled/ood-portal.conf I see the following:
  # OIDC configuration
  #
  OIDCProviderMetadataURL http://rc-156-208.rci.uits.iu.edu/dex/.well-known/openid->
  OIDCClientID rc-156-208.rci.uits.iu.edu
  OIDCClientSecret 0ade5f9c-9362-46ca-adb9-0330c1da6ffc
  OIDCRedirectURI /oidc
  OIDCRemoteUserClaim email
  OIDCScope "openid profile email"
  OIDCCryptoPassphrase d298b3ba43f6c89689abd77a3dd65cc1f59041f3
  OIDCSessionInactivityTimeout 28800
  OIDCSessionMaxDuration 28800
  OIDCStateMaxNumberOfCookies 10 true
  OIDCCookieSameSite On

Searching for preferred_username returns no results in that file. I checked a similar path ending at conf-enabled and wasn’t able to find any files there that seemed related.

  2. I see, that makes sense. If that UserID won't matter, then I will likely change mentions of jessie and the password to something else after we get things working.

Did apache actually pick up these configurations? apache2ctl -DDUMP_CONFIG should tell you what the process is actually running with.

returns that httpd is already running, and if I stop apache 2 via systemctl stop apache2 and run the command, I instead get no output. Maybe I don’t understand how to use that command properly.

UPDATE: I also went ahead and ran the following. Unsure if this is the correct config file we expect the server config file to point to:

sudo apache2ctl -V | grep SERVER_CONFIG_FILE

which returns

-D SERVER_CONFIG_FILE="apache2.conf"

I'm not 100% sure what you could find & issue - I just found that command on stack overflow.

I guess the gist of what I’m saying is that you need to confirm that the configurations in ood-portal.conf are actually being loaded correctly. And/or if any other .conf files are conflicting.
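To make that check repeatable, here is an added diagnostic script (not from this thread and not part of Open OnDemand's own tooling). It scans every *.conf file Apache will actually load from its enabled directories, lists each OIDCRemoteUserClaim value with the file it came from, reports a conflict when the enabled files disagree (for example, ood-portal.conf setting email while a second enabled file still sets preferred_username), and also flags any OIDCProviderMetadataURL fetched over plain http, which is the other warning in the error log above. The Debian/Ubuntu paths /etc/apache2/sites-enabled and /etc/apache2/conf-enabled are assumed defaults; the --demo mode builds a constructed sample directory with an example.invalid hostname so it can be run anywhere.

```shell
#!/bin/sh
# Added example: find conflicting mod_auth_openidc directives across the *.conf
# files Apache loads. Assumes the Debian/Ubuntu apache2 layout; pass --demo to
# run against a constructed sample instead of the real directories.

# Print "file<TAB>first-argument" for every occurrence of directive $1 in the
# *.conf files of the remaining arguments (directories). Only *.conf is scanned,
# because that is all Apache's IncludeOptional picks up, so dated backups such as
# ood-portal.conf.20250324130000 are ignored just as Apache ignores them.
# Comments are stripped before matching and quotes removed from the value.
oidc_directive_values() {
    name=$1; shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        for f in "$dir"/*.conf; do
            [ -f "$f" ] || continue
            sed 's/#.*$//' "$f" | awk -v file="$f" -v want="$name" '
                tolower($1) == tolower(want) { v = $2; gsub(/"/, "", v); print file "\t" v }'
        done
    done
}

# Every OIDCRemoteUserClaim setting, one per line: file<TAB>claim.
oidc_remote_user_claims() { oidc_directive_values OIDCRemoteUserClaim "$@"; }

# Exit 0 when all enabled files agree on a single claim (or none set one), 1 otherwise.
oidc_claim_consistent() {
    n=$(oidc_remote_user_claims "$@" | cut -f2 | sort -u | awk 'END { print NR }')
    [ "$n" -le 1 ]
}

# Files whose provider metadata URL uses plain http (mod_auth_openidc warns about this).
oidc_plaintext_metadata() {
    oidc_directive_values OIDCProviderMetadataURL "$@" | awk -F'\t' '$2 ~ /^http:/ { print $1 }'
}

# Human-readable report for the given directories.
check_report() {
    echo "OIDCRemoteUserClaim settings:"
    oidc_remote_user_claims "$@" | sed 's/^/  /'
    if oidc_claim_consistent "$@"; then
        echo "OK: all enabled files agree"
    else
        echo "CONFLICT: more than one claim is configured; which one applies depends on the VirtualHost serving the request"
    fi
    for f in $(oidc_plaintext_metadata "$@"); do
        echo "WARN: $f fetches provider metadata over plain http"
    done
}

# Constructed sample (not real configuration): one file sets email, a second
# enabled file still sets preferred_username, and a dated backup is ignored.
make_sample_confs() {
    mkdir -p "$1"
    cat > "$1/ood-portal.conf" <<'EOF'
# OIDC configuration
OIDCProviderMetadataURL http://example.invalid/dex/.well-known/openid-configuration
OIDCRemoteUserClaim email
EOF
    cat > "$1/ood-portal-le-ssl.conf" <<'EOF'
OIDCRemoteUserClaim "preferred_username"
EOF
    cat > "$1/ood-portal.conf.20250324130000" <<'EOF'
OIDCRemoteUserClaim something_else
EOF
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    make_sample_confs "$tmp"
    check_report "$tmp"
    rm -rf "$tmp"
else
    check_report /etc/apache2/sites-enabled /etc/apache2/conf-enabled
fi
```

Run it with no arguments on the server to inspect the live directories, or with --demo to see the conflict and the plain-http warning reported against the constructed sample. A CONFLICT line is the cue to look at every file it names, not just ood-portal.conf.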

When you bounce apache2 you also bounce ondemand-dex correct?

Yes, I am using this command when I want to “restart everything” and view the site:
sudo systemctl restart apache2 && sudo systemctl restart ondemand-dex. I’ll do a check to see if there are lingering yaml or config files anywhere.

Hmm, it seems like there are quite a few files named ood-portal.conf.yyyymmddhhMMss in /etc/apache2/sites-available, but those shouldn't have any impact. In sites-enabled, I just see ood-portal.conf and ood-portal-le-ssl.conf. conf-enabled and mods-enabled have files, but none immediately jumped out to me as being irregular (though I don't really know what to look out for). On the other side of things (/etc/ood/), it appears config.yaml files are being saved into the dex directory in a similar config.yaml.yyyymmddhhMMss way. There is a dex.db and ondemand.secret file in that directory as well. Lastly, I could find no other yaml files in the /etc/ood/config directory. Happy to further inspect files closer if you have ideas.

What is this? apache will recognize anything that ends in .conf as a configuration file. So yes the previous backups won’t be recognized, but this file is being loaded.

ood-portal-le.ssl.txt (5.0 KB)
Here is the file in .txt format

Sorry - I meant that a little rhetorically so you’d ask the same question and look at it.

Looking at it I can see why apache thinks you're using preferred_username - you are still using preferred_username in that config.

I don’t remember generating this config from anything specific. For now, I’ll rename it to not end in .conf to see what happens.