Testing OnDemand with SAML and mod_auth_mellon

Hello all!

We are starting testing OnDemand and I’m running into issue.

When I launch the dashboard after a fresh install with

  • ‘AuthType Mellon’
  • ‘Require valid-user’

in my ood_portal.yml

After pass SAML auth I see the following error:

Error – invalid user name syntax: DOMAIN\username
Run ‘nginx_stage --help’ to see a full list of available command line options.

In my http log file I see the following:

[Tue Jun 14 15:48:07.310730 2022] [lua:info] [pid 16499] [client] req_protocol=“HTTP/1.1” req_handler="" req_method=“GET” req_accept=“text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9” req_user_agent=“Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/ Safari/537.36” res_content_length=“134” req_content_type="" res_content_encoding="" req_status=“404” req_origin="" time_user_map=“0.004” local_user=“DOMAIN\username” req_referer="" res_content_language="" req_port=“443” log_time=“2022-06-14T22:48:07.309772Z” req_server_name=“ht-hpc-ondemand” log_hook=“ood” req_accept_charset="" req_hostname=“ondemand” res_content_location="" res_content_disp="" req_is_websocket=“false” remote_user=“DOMAIN\username” res_location="" req_user_ip=“XX.XX.XXX.XXX” req_is_https=“true” req_filename="/opt/rh/httpd24/root/var/www/html/pun" req_uri="/pun/sys/dashboard" time_proxy=“0” res_content_type="" req_accept_language=“en-us,en;q=0.9” req_cache_control="" req_accept_encoding=“gzip, deflate, br”

Any word of advise?


Hi and welcome! Sorry we didn’t respond on the mailing list yet.

You need to setup user mapping. That is given DOMAIN\username you need to map it to username.


Thank you, it worked! Only 1 thing I noticed. I have to upgrade my apache conf manually

Placing changes into /etc/ood/config/ood_portal.yml and run /opt/ood/ood-portal-generator/sbin/update_ood_portal doesn’t update apache conf file.

Is that expected?

Very good. That is not expected. I don’t know if you manually edited it before - but once you start to manually edit we’ll notice those manual edits and stop overwriting it.

You can try the force option -f/--force then from that point forward it should start to work.

Hi Jeff,

Thank you for letting me know. I tried with --force flag and it indeed overridden the http conf file, but with the wrong options.

In my ood_portal.yml I have:

  • ‘AuthType Mellon’
  • ‘Require valid-user’

( I used to have openid-connect)

But my http conf file gets created with

<Location “/pun”>
AuthType openid-connect
Require valid-user

<Location “/nginx”>
AuthType openid-connect
Require valid-user

And my user march line gets ignored as well.

Can you please advise?


Do you have ondemand-dex installed? We have logic to recognize it and auto-populate OIDC fields. Remove that rpm if so.

I used to have it installed, but I installed it a while ago. Is it possible if some config files or libs still there?

Before we think there’s a bug with this - can you upload and/or show your ood_portal.yml. OIDC is the default even without dex installed so we should also check to see if that is properly formatted YAML or if there’s something else that we’re just overlooking in the config.

If it is finding ondemand-dex with or without it installed, it’s looking for the config directory /etc/ood/dex and the file /usr/sbin/ondemand-dex. Note that it’s an AND operation - so that would seem odd if the RPM did not remove /usr/sbin/ondemand-dex.

I don’t have /usr/sbin/ondemand-dex, but I do have /etc/ood/dex. I renamed it ( didn’t remove) and re-run /opt/ood/ood-portal-generator/sbin/update_ood_portal --force but it didn’t help.

Is it safe to remove and try again?

Can you upload or format your ood_portal.yml?

I finally found it. I didn’t comment one line in my ood_portal.yml I commented it and we are good now.

Thank you so much for all your help

1 Like