Discussion:
Shibboleth & shibuser.txt (verify working)
Gorman, Jon
2014-10-21 22:18:47 UTC
Hello all,

I was wondering if anyone has group / permission mappings in their shibuser.txt file and verified that it works.

My predecessor set up this server and I'm starting work to verify that we're keeping people out (especially since the number of people we want to serve is only roughly 60,000, but soon we'll have hundreds of thousands of folks who can access our Shibboleth). Some additional folks/groups have already been creeping in.

However, it's looking like despite some configuration that follows the pattern

If Any(auth:eduPersonPrimaryAffiliation, "staff");
Group +Employee

I've also tried this in the form auth:urn:oid:1.3.6.1.4.1.5923.1.1.1.5


The group is always the group Default. Or at least it appears so when I've turned on group logging via %{ezproxy-group}i.

Advice? Pointers?




Jon Gorman
Library IT
University of Illinois
217 244-4688


---
You are currently subscribed to ezproxy as: gee-***@m.gmane.org.
To unsubscribe, send request to ***@itec.suny.edu
Gorman, Jon
2014-10-21 22:49:52 UTC
Ok, I suspect this is the issue:

It looks like if there aren't any groups set up in the user.txt, everything goes into Default, even though listing people in groups and then doing a

If(NoGroups()) ;
Deny unauthorized.html

seems a perfectly reasonable approach.

Going to explore groups a bit more.

Jon G.
Brian A Helstien
2014-10-21 22:56:31 UTC
Jon,
Yes, we've got it working;

Group OTHERGROUP
If Any (auth:urn:mace:usc.edu:gds:attribute-def:uscAffiliation, "student"); Group +THIS+THAT -Default
If Any (auth:urn:mace:usc.edu:gds:attribute-def:uscAffiliation, "staff"); Group +THIS+THAT -Default
If Any (auth:urn:mace:usc.edu:gds:attribute-def:uscAffiliation, "faculty"); Group +THIS+THAT -Default
If Any (auth:urn:mace:usc.edu:gds:attribute-def:uscAffiliation, "affiliate"); Group +THIS+THAT -Default

I've got others preceding this where, specifically, I'll remove some group and issue a "Stop" so that no further reading/processing of the shibuser.txt file takes place.

Brian A. Helstien, SISD, MLS,
Director, Special Technologies Initiatives,
Library IT, University Libraries,                       x06913
University of Southern California,              (213) 740-6913
Los Angeles, California, 90089                ***@usc.edu
           Information is independent of media or format

Gorman, Jon
2014-10-21 23:16:39 UTC
Thanks for the rapid response.

Do you then have groups in the config.txt? I'm suspecting our lack of groups there is causing everyone to come in Default, regardless of what's in the shibuser.txt file.

Currently getting around one of our more pressing issues by blocking folks who don't have a certain attribute returned in the Shibboleth information. That is,

If(Count(auth:uiucEduType) eq 0 ) ;
Deny unaffiliated


I'll probably experiment with adding in the config.txt all the listings from user config, as well as removing folks using that handy dandy -Default flag you have below and see how that works.


Thanks again!

Jon Gorman
University of Illinois


Chris Manly
2014-10-22 00:43:08 UTC
Yes, as I recall, you have to define groups in config.txt for them to have
any effect once you set them in shibuser.txt.

I've got it working on our setup, so if you end up needing another data
point, I'm happy to contribute.
--
Christopher Manly
Coordinator, Library Systems
Cornell University Library Information Technologies
***@cornell.edu
607-255-3344
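To make the behaviour described across this thread concrete (Jon's `Group +Employee` mapping that still logged everyone as Default, Brian's `+GROUP -Default` pattern and his use of `Stop`, and Chris's point that a group must also be declared in config.txt before shibuser.txt can assign it), here is an added toy evaluator for the shibuser.txt directives the posts use. It is my example, not EZProxy code and not from any of the posters. Its semantics are assumptions taken from what the thread reports rather than from EZProxy itself: every user starts in the Default group, a group that is not declared in config.txt has no effect, and a bare `Group NAME` replaces the whole group list. The two rule files, the `DECLARED` set standing in for `Group` lines in config.txt, and the three attribute sets are constructed; the unconditional `Group -Default` line in the second rule file is my addition and does not appear in the posts.

```python
"""Toy evaluator for the shibuser.txt group-mapping pattern discussed in this thread.
Added example, not EZProxy code; covers only the directives the posts use (If Any,
If Count ... eq/ne, If NoGroups, Group +X/-X/X, Deny, Stop). Assumed semantics, taken
from the thread rather than EZProxy source: every user starts in Default, a group not
declared in config.txt has no effect, and a bare "Group NAME" replaces the list."""
import re
from dataclasses import dataclass
from typing import Optional

@dataclass
class Result:
    groups: list                     # groups the user ends up in
    denied: Optional[str] = None     # Deny target if the user was rejected

ANY_RE = re.compile(r'^Any\s*\(\s*auth:([^,\s]+)\s*,\s*"([^"]*)"\s*\)$', re.I)
COUNT_RE = re.compile(r'^Count\s*\(\s*auth:([^)\s]+)\s*\)\s*(eq|ne)\s*(\d+)$', re.I)
NOGROUPS_RE = re.compile(r'^NoGroups\s*\(\s*\)$', re.I)
GROUP_TOKEN_RE = re.compile(r'([+-]?)\s*([A-Za-z0-9_]+)')   # e.g. "+THIS+THAT -Default"

def strip_outer_parens(s):
    """Drop '(...)' around a condition only when it wraps the whole thing: If(NoGroups())."""
    s = s.strip()
    if not (s.startswith('(') and s.endswith(')')):
        return s
    depth = 0
    for i, ch in enumerate(s):
        depth += (ch == '(') - (ch == ')')
        if depth == 0 and i < len(s) - 1:
            return s
    return s[1:-1].strip()

def eval_condition(cond, attrs, groups):
    if m := ANY_RE.match(cond):                  # Any(auth:attr, "value")
        return m.group(2) in attrs.get(m.group(1), [])
    if m := COUNT_RE.match(cond):                # Count(auth:attr) eq 0
        n, want = len(attrs.get(m.group(1), [])), int(m.group(3))
        return n == want if m.group(2).lower() == 'eq' else n != want
    if NOGROUPS_RE.match(cond):                  # NoGroups()
        return not groups
    raise ValueError(f'unsupported condition: {cond!r}')

def apply_group(groups, spec, declared):
    for sign, name in GROUP_TOKEN_RE.findall(spec):
        if sign == '-':
            groups = [g for g in groups if g != name]
        elif name != 'Default' and name not in declared:
            continue                             # not in config.txt: silently no effect
        elif sign == '+':
            groups = groups + [name] if name not in groups else groups
        else:
            groups = [name]                      # bare name replaces the list
    return groups

def evaluate(rules, attrs, declared):
    """Run shibuser.txt-style rules for one user; attrs maps attribute -> list of values."""
    lines = [ln.strip() for ln in rules.splitlines() if ln.strip() and not ln.lstrip().startswith('#')]
    groups, pending, i = ['Default'], None, 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if m := re.match(r'^If\b\s*(.*)$', line, re.I):
            cond, _, rest = m.group(1).partition(';')
            pending = eval_condition(strip_outer_parens(cond), attrs, groups)
            if rest.strip():                     # "If cond; Directive" on one line
                lines.insert(i, rest.strip())
            continue
        guarded, pending = pending, None
        if guarded is False:
            continue                             # its If was false: skip this directive
        kw, _, arg = line.partition(' ')
        if kw.lower() == 'group':
            groups = apply_group(groups, arg, declared)
        elif kw.lower() == 'deny':
            return Result(groups, arg.strip())
        elif kw.lower() == 'stop':
            break                                # nothing after Stop is processed
        else:
            raise ValueError(f'unsupported directive: {line!r}')
    return Result(groups)

# ---- constructed sample data, not from the posts ---------------------------
DECLARED = {'Employee', 'Student'}   # assumes "Group Employee" / "Group Student" in config.txt
# Jon's pattern: adds a group for staff but never takes anyone out of Default
RULES_LEAKY = """
If Any(auth:eduPersonPrimaryAffiliation, "staff");
Group +Employee
If(NoGroups()) ;
Deny unauthorized.html
"""
# Brian's +GROUP -Default per affiliation, Jon's missing-attribute Deny, plus an
# added unconditional Group -Default so the NoGroups() fence can actually fire
RULES_FENCED = """
If(Count(auth:eduPersonPrimaryAffiliation) eq 0) ;
Deny unaffiliated.html
If Any(auth:eduPersonPrimaryAffiliation, "staff"); Group +Employee -Default
If Any(auth:eduPersonPrimaryAffiliation, "student"); Group +Student -Default
Group -Default
If(NoGroups()) ;
Deny unauthorized.html
"""
STAFF, ALUM, NO_ATTRS = {'eduPersonPrimaryAffiliation': ['staff']}, {'eduPersonPrimaryAffiliation': ['alum']}, {}

if __name__ == '__main__':
    for rules in (RULES_LEAKY, RULES_FENCED):
        print([evaluate(rules, a, DECLARED) for a in (STAFF, ALUM, NO_ATTRS)])
    print('nothing declared in config.txt:', evaluate(RULES_LEAKY, STAFF, set()))
```

Under these assumptions the first rule file reproduces what Jon saw: staff end up in `Default` plus `Employee`, an alum or a user with no attributes at all stays in `Default`, and `NoGroups()` never fires because nothing ever removed `Default`; with `DECLARED` empty (no `Group` lines in config.txt) even staff stay in `Default` alone, which is Chris's point. The second file fails closed instead: unmatched affiliations and missing attributes both hit a `Deny`, and forgetting the config.txt declarations denies everyone rather than letting everyone through.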