I have run into a problem using Shibboleth authentication on Aegir-generated sites. I'm using Ubuntu 14.04 LTS (latest versions of Apache, PHP, etc.) and the aegir3* packages (7.x-3.10, though I saw the same behavior on 7.x-3.2+3-dev last year). I'm using shib_auth (https://www.drupal.org/project/shib_auth - version 7.x-4.3) for Shibboleth authentication.

A standard Drupal site installed outside of Aegir works as expected, so I'm confident Shibboleth is working. Aegir-generated sites give an "Access denied" message after a successful Shibboleth authentication. I tracked it down to two lines in platform.d/platform_hostmaster.conf (or in platform_*.conf files). If I comment out

Satisfy any
Require all granted

everything works as expected.

Comments

wsafley created an issue.

Just commenting out these two lines could be a workaround for the short term, but is it a secure thing to do? I'm not sure what the intent of those two lines is from an Aegir perspective. From what I'm reading, it sounds like the "Require all granted" basically opens the directory up to the world anyway. If it's commented out and working correctly, any harm done?