"ShibRequestSetting requireSession 1" cause httpd24-httpd service can't startup

Hello, I follow auth guideline to configure “/etc/ood/config/ood_portal.yml”, and when “ShibRequestSetting requireSession 1” is appened, httpd24-httpd service can’t startup. It reports: " httpd-scl-wrapper[7714]: Invalid command ‘ShibRequestSetting’, perhaps misspelled or defined by a module no…uration". So what should I set about “ShibRequestSetting”.

1.4. Sanitize Session Information

You will need to sanitize any session-specific request headers that may be passed to the backend web servers that a user is proxied to. For most Apache authentication modules there are module-specific directives that can be enabled to wipe session information from being passed as headers (e.g., OIDCStripCookies ...). In other cases you may have to use regular expressions to search for the session cookies and remove them manually.

auth:

  • ‘AuthType shibboleth’
  • ‘ShibRequestSetting requireSession 1’
  • ‘RequestHeader edit* Cookie “(^shibsession[^;](;\s)?|;\s*shibsession[^;]*)” “”’
  • ‘RequestHeader unset Cookie “expr=-z %{req:Cookie}”’
  • ‘Require valid-user’

It looks like the ShibRequestSetting directive is not recognized by Apache because the mod_shib module is not loaded or enabled.

Check to see with:

httpd24 -M | grep shib

And if it’s missing you’ll need to to install it and see if this works.


It’s possible right of your suspesion. But how to enable shib inside httpd24, which is deployed by Open OnDemand.

OOD does not come packaged with that module because it’s for Apache. By running OOD you will need to know some things about apache in order for this to work. In this case, because you are setting up authentication, ood is not in control for what you need at your specific site. So you’ll need to look into how to add modules to apache to do this as it’s outside the scope of ood.

You can use a package manager to grab mod_shib then make sure to enable it, then go back to using the portal generator to set things up.

This topic was automatically closed 180 days after the last reply. New replies are no longer allowed.