How to make SAML identity provider redundant?

Another question:

Are IdP sessions shared between both servers?
Is Session management implemented in UCS?
simplesamlphp.org/docs/stable/s … #section_2

Yes, the sessions are replicated between both servers using the memcached session management from simplesamlphp.

Some more technical detail is available at: univention.com/2015/11/sing … r-ucs-4-1/

I think that we have some issues with memcache. The following is from the error log of Apache2.

root@p-ucs-slave:/var/log/apache2# tail -f error.log
[Sat Feb 06 11:43:01 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41, referer: univention.xxx.nl/simplesamlphp … 534950345c
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: p-ucs-slave.xxx.lcl/univention- … l/metadata in /etc/simplesamlphp/metadata.d/https:__p-ucs-slave.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__p-ucs-slave.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: p-ucs-master.xxx.lcl/univention … l/metadata in /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: Undefined index: univention.xxx.nl/univention-ma … l/metadata in /etc/simplesamlphp/metadata.d/https:__univention.xxx.nl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__univention.xxx.nl_univention-management-console_saml_metadata.php on line 12
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::set(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 134
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41

Can you tell me what the output of the following commands is:

ps aufx | grep -e stunnel -e memcache
iptables -L
ls -l /var/run/univention-saml/

Maybe invoke-rc.d univention-saml restart helps!

root@p-ucs-master:/tmp# ps aufx | grep -e stunnel -e memcache
root 8182 0.0 0.0 9272 1900 pts/0 S+ 12:50 0:00 _ grep -e stunnel -e memcache
samlcgi 4486 0.0 0.6 70160 13236 ? Sl 11:13 0:00 /usr/bin/memcached -m 64 -s /var/run/univention-saml/memcached.socket -u samlcgi
samlcgi 4543 0.0 0.1 96072 4008 ? Ss 11:13 0:00 /usr/bin/stunnel4 /etc/stunnel/univention_saml.conf

root@p-ucs-master:/tmp# iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT icmp -- anywhere anywhere
ACCEPT tcp -- anywhere anywhere tcp dpt:customs
ACCEPT tcp -- anywhere anywhere tcp dpt:7636
ACCEPT tcp -- anywhere anywhere tcp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere tcp dpts:32765:32769
ACCEPT tcp -- anywhere anywhere tcp dpt:kshell
ACCEPT udp -- anywhere anywhere udp dpt:4660
ACCEPT tcp -- anywhere anywhere tcp dpt:kerberos
ACCEPT tcp -- anywhere anywhere tcp dpt:7389
ACCEPT tcp -- anywhere anywhere tcp dpt:time
ACCEPT tcp -- anywhere anywhere tcp dpt:kpasswd
ACCEPT udp -- anywhere anywhere udp dpt:kerberos
ACCEPT udp -- anywhere anywhere udp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp dpt:4660
ACCEPT udp -- anywhere anywhere udp dpts:32765:32769
ACCEPT tcp -- anywhere anywhere tcp dpt:domain
ACCEPT udp -- anywhere anywhere udp dpt:ntp
ACCEPT udp -- anywhere anywhere udp dpt:kpasswd
ACCEPT tcp -- anywhere anywhere tcp dpt:http
ACCEPT tcp -- anywhere anywhere tcp dpt:https
ACCEPT tcp -- anywhere anywhere tcp dpt:9990
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT tcp -- anywhere anywhere tcp dpt:nfs
ACCEPT tcp -- anywhere anywhere tcp dpt:nrpe
ACCEPT tcp -- anywhere anywhere tcp dpt:ldaps
ACCEPT tcp -- anywhere anywhere tcp dpt:6670
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
ACCEPT udp -- anywhere anywhere udp dpt:tftp
ACCEPT tcp -- anywhere anywhere tcp dpt:ldap
ACCEPT tcp -- anywhere anywhere tcp dpt:7777
ACCEPT udp -- anywhere anywhere udp dpt:7777
ACCEPT tcp -- anywhere anywhere tcp dpt:6669
ACCEPT tcp -- anywhere anywhere tcp dpt:3128
ACCEPT tcp -- anywhere anywhere tcp dpt:kerberos-adm
ACCEPT udp -- anywhere anywhere udp dpt:sunrpc
ACCEPT tcp -- anywhere anywhere tcp dpt:9999
ACCEPT tcp -- anywhere anywhere tcp dpt:11212
ACCEPT tcp -- anywhere anywhere tcp dpts:8100:8200
ACCEPT udp -- anywhere anywhere udp dpt:customs
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable

Chain FORWARD (policy ACCEPT)
target prot opt source destination
DOCKER all -- anywhere anywhere
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere

Chain DOCKER (1 references)
target prot opt source destination

root@p-ucs-master:/tmp# ls -l /var/run/univention-saml/
totaal 4
srw------- 1 samlcgi root 0 feb 6 11:13 memcached.socket
srw------- 1 samlcgi root 0 feb 6 11:13 p-ucs-slave.xxx.lcl.socket
-rw-r--r-- 1 samlcgi root 5 feb 6 11:13 stunnel4.pid

I executed the restart on both servers. It did not solve the issue.

root@p-ucs-master:/tmp# invoke-rc.d univention-saml restart
[info] Restarting univention-saml.
[info] Stopping univention-saml.
Stopping memcached: memcached_univention_saml.
Stopping SSL tunnels: /etc/stunnel/univention_saml.conf: stopped
done.
[info] Starting univention-saml.
Starting memcached: memcached_univention_saml.
Starting SSL tunnels: /etc/stunnel/univention_saml.conf: started
done.
done.

Can you please attach the file: /etc/simplesamlphp/metadata.d/https:__p-ucs-master.xxx.lcl_univention-management-console_saml_metadata.php.

Did you change the entity-ID of the service provider?

Hi Florian,

I sent the requested file(s) by mail.

I changed the external FQDN using the following instructions:
sdb.univention.de/1352

but reverted the IdP certificate to the one used by UCS 4.0:

( saml/idp/certificate/privatekey="/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.key"
saml/idp/certificate/certificate="/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt" )

Oh, we currently don’t really support using univention-saml on a DC Slave for security reasons (mentioned in univention.com/2015/11/sing … r-ucs-4-1/).
The slave.php file at least looks corrupt. Which steps did you take to install the SAML IdP on the Slave? Maybe there are missing packages? I assume the DC Slave is the reason. Do you have a DC Backup? The DC Backup servers shouldn’t have problems with it, if that’s an option for you.

At the moment we don’t have a DC Backup, but if I understand it right it is the best (and only) option for running a shadow IdP.

My idea is to replace the DC Slave by a DC Backup. The DC Slave is not intensively used.

Do I need to “unjoin” the DC Slave or remove the SAML package to stop the memcache errors?

Yes, please remove univention-saml, univention-saml-schema and simplesamlphp from the DC Slave.

Hi Florian,

This morning I installed a DC Backup, which was quite a challenge because on the DC Master univention-ldap-overlay-memberof was installed. Because of this, the installation (domain join) failed. But finally it was installed.

I also removed univention-saml from the DC Slave.

Current status (error.log of Apache2):

[Mon Feb 08 13:18:54 2016] [error] [client 141.101.104.206] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-backup.xxx.lcl.socket (tcp 0, udp 0) failed with: No such file or directory (2) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41

The socket file is not available:

root@p-ucs-master:/var/run/univention-saml# ls -al
totaal 4
drwxrwx--- 2 samlcgi root 80 feb 8 12:39 .
drwxr-xr-x 25 root root 1180 feb 8 12:39 ..
srw------- 1 samlcgi root 0 feb 8 12:39 memcached.socket
-rw-r--r-- 1 samlcgi root 6 feb 8 12:11 stunnel4.pid

Is the server listed in ucr search --brief ucs/server/saml-idp-server/ ?
If yes, invoke-rc.d univention-saml restart should help.
Otherwise something in the join scripts failed; univention-check-join-status and the log file /var/log/univention/join.log might provide more information.

Hi Florian,

Both servers are listed.
invoke-rc.d univention-saml restart did not solve the issue.

I sent you the log file by email.

Is the DC Master server also mentioned in /etc/stunnel/univention_saml.conf of the DC Backup?
Maybe ucr commit /etc/stunnel/univention_saml.conf && invoke-rc.d univention-saml restart helps afterwards.

Yes, it is:

root@p-ucs-backup:~# cat /etc/stunnel/univention_saml.conf
; Warning: This file is auto-generated and might be overwritten by
; univention-config-registry.
; Please edit the following file(s) instead:
; Warnung: Diese Datei wurde automatisch generiert und kann durch
; univention-config-registry überschrieben werden.
; Bitte bearbeiten Sie an Stelle dessen die folgende(n) Datei(en):
;
; /etc/univention/templates/files/etc/stunnel/univention_saml.conf
;

pid = /var/run/univention-saml/stunnel4.pid
cert = /etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt
key = /etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.key
setuid = samlcgi
CAfile = /etc/univention/ssl/ucsCA/CAcert.pem
options = NO_SSLv2
service = univention-saml-stunnel
debug = 4

[memcached]
accept = 11212
connect = /var/run/univention-saml/memcached.socket
verify = 2
checkHost = univention.xxx.nl

[p-ucs-master.finalist.lcl]
client = yes
accept = /var/run/univention-saml/p-ucs-master.xxx.lcl.socket
connect = p-ucs-master.xxx.lcl:11212
verify = 2
checkHost = univention.xxx.nl

I can’t explain then why the file /var/run/univention-saml/p-ucs-master.xxx.lcl.socket doesn’t exist.

Are there any error messages when you do:

invoke-rc.d stunnel4 restart
cat /var/log/stunnel4/stunnel.log
ls -l /var/run/univention-saml/p-ucs-master.xxx.lcl.socket
ps aufx | grep stunnel

I made some progress.

invoke-rc.d stunnel4 restart
chown samlcgi:root /var/run/univention-saml/p-ucs-backup.xxx.lcl.socket

I have 2 sockets now.

But the connection with the other server is dropped (socket was unexpectedly closed) because of an SSL issue:

Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[main]: Service [p-ucs-backup.xxx.lcl] accepted (FD=3) from unnamed socket
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Service [p-ucs-backup.xxx.lcl] started
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Option TCP_NODELAY not supported on local socket
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG5[2]: Service [p-ucs-backup.xxx.lcl] accepted connection from unnamed socket
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG6[2]: failover: round-robin
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG6[2]: s_connect: connecting 10.120.10.9:11212
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: s_connect: s_poll_wait 10.120.10.9:11212: waiting 10 seconds
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG5[2]: s_connect: connected 10.120.10.9:11212
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG5[2]: Service [p-ucs-backup.xxx.lcl] connected remote server from 192.168.0.154:48491
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Remote socket (FD=9) initialized
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG6[2]: SNI: sending servername: p-ucs-backup.xxx.lcl
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: SSL state (connect): before/connect initialization
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: SSL state (connect): SSLv2/v3 write client hello A
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: SSL state (connect): unknown state
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Verification started at depth=0: C=US, ST=Unknown, L=Unknown, O=Unknown, CN=p-ucs-master.xxx.lcl
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG4[2]: CERT: Pre-verification error: self signed certificate
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG4[2]: Rejected by CERT at depth=0: C=US, ST=Unknown, L=Unknown, O=Unknown, CN=p-ucs-master.xxx.lcl
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: SSL alert (write): fatal: unknown CA
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG3[2]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG5[2]: Connection reset: 0 byte(s) sent to SSL, 0 byte(s) sent to socket
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Deallocating application specific data for addr index
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Remote socket (FD=9) closed
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Local socket (FD=3) closed
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG7[2]: Service [p-ucs-backup.xxx.lcl] finished (0 left)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] SimpleSAML_Error_Exception: Error 8 - MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-backup.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] Backtrace:
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 12 /usr/share/simplesamlphp/www/_include.php:70 (SimpleSAML_error_handler)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 11 [builtin] (MemcachePool::get)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 10 /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php:41 (SimpleSAML_Memcache::get)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 9 /usr/share/simplesamlphp/lib/SimpleSAML/Store/Memcache.php:28 (SimpleSAML_Store_Memcache::get)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 8 /usr/share/simplesamlphp/lib/SimpleSAML/SessionHandlerStore.php:38 (SimpleSAML_SessionHandlerStore::loadSession)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 7 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:1104 (SimpleSAML_Session::getSession)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 6 /usr/share/simplesamlphp/lib/SimpleSAML/Session.php:221 (SimpleSAML_Session::getSessionFromRequest)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 5 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php:306 (SimpleSAML_Logger::getTrackId)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 4 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php:272 (SimpleSAML_Logger::log)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 3 /usr/share/simplesamlphp/lib/SimpleSAML/Logger.php:162 (SimpleSAML_Logger::debug)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 2 /usr/share/simplesamlphp/lib/SimpleSAML/Auth/State.php:211 (SimpleSAML_Auth_State::loadState)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 1 /usr/share/simplesamlphp/modules/core/www/loginuserpass.php:24 (require)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 3 [NA] 0 /usr/share/simplesamlphp/www/module.php:134 (N/A)
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 7 [0a75c86954] Loading state: '_3b65c48cdd87bf918afe99098f53fdfd20f723bc38:https://univention.xxx.nl/simplesamlphp/saml2/idp/SSOService.php?spentityid=https.xxx.nl&cookieTime=1455013969&RelayState=ss'
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 7 [0a75c86954] Template: Reading [/usr/share/simplesamlphp/modules/univentiontheme/dictionaries/univention]
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 7 [0a75c86954] Template: Reading [/usr/share/simplesamlphp/dictionaries/login]
Feb  9 12:16:51 p-ucs-master simplesamlphp[26510]: 7 [0a75c86954] Template: Reading [/usr/share/simplesamlphp/modules/univentiontheme/dictionaries/login]
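The Apache error-log lines earlier in this thread and the stunnel and simplesamlphp lines just above carry three distinct symptoms: a peer socket that is missing, a peer socket that stunnel closes after the TLS handshake fails, and a metadata file that does not define its entity ID key. The following is an added example, not code from UCS or simplesamlphp, that classifies such lines and names the one to act on first. The sample lines are constructed from the formats shown in this thread (hostnames and addresses as they appear there); the category names and hint texts are my own.

```python
"""Triage of Apache, stunnel and simplesamlphp log lines from a UCS SAML
IdP pair.  Example code for this thread, not part of UCS or simplesamlphp."""
import re

# Constructed sample, abbreviated from the kinds of lines shown in this thread.
SAMPLE_LOG = """\
[Sat Feb 06 11:43:01 2016] [error] [client 173.245.53.97] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-master.xxx.lcl.socket (tcp 0, udp 0) failed with: Read failed (socket was unexpectedly closed) (0) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41
[Sat Feb 06 11:42:49 2016] [error] [client 173.245.53.97] PHP Warning: array_merge(): Argument #1 is not an array in /etc/simplesamlphp/metadata.d/https:__p-ucs-slave.xxx.lcl_univention-management-console_saml_metadata.php on line 12
[Mon Feb 08 13:18:54 2016] [error] [client 141.101.104.206] PHP Notice: MemcachePool::get(): Server unix:///var/run/univention-saml/p-ucs-backup.xxx.lcl.socket (tcp 0, udp 0) failed with: No such file or directory (2) in /usr/share/simplesamlphp/lib/SimpleSAML/Memcache.php on line 41
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG5[2]: s_connect: connected 10.120.10.9:11212
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG4[2]: CERT: Pre-verification error: self signed certificate
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG4[2]: Rejected by CERT at depth=0: C=US, ST=Unknown, L=Unknown, O=Unknown, CN=p-ucs-master.xxx.lcl
Feb  9 12:16:51 p-ucs-master univention-saml-stunnel: LOG3[2]: SSL_connect: 14090086: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed
"""

# PHP memcache client errors: which peer socket failed, and why.
MEMCACHE_RE = re.compile(
    r"MemcachePool::(?P<op>get|set)\(\): Server unix://(?P<sock>\S+) "
    r"\(tcp \d+, udp \d+\) failed with: (?P<reason>.+?) \(\d+\)(?: in |$)"
)
# Metadata files in metadata.d that do not contain the entity ID key they are read for.
METADATA_RE = re.compile(
    r"PHP (?:Notice|Warning): (?:Undefined index: .*?|array_merge\(\): Argument #1 is not an array)"
    r" in (?P<file>/etc/simplesamlphp/metadata\.d/\S+) on line \d+"
)
# stunnel syslog lines for the univention-saml service.
STUNNEL_RE = re.compile(r"univention-saml-stunnel: LOG(?P<level>\d)\[\w+\]: (?P<msg>.*)$")

# Hint texts are my own wording of the remedies discussed in this thread.
HINTS = {
    "socket_missing": "stunnel has not created the client socket for this peer: check that "
                      "stunnel4 runs, that the peer is listed in /etc/stunnel/univention_saml.conf "
                      "and that the join scripts completed",
    "socket_closed": "stunnel accepted the local connection but the TLS session to the peer "
                     "failed: look for CERT rejections in /var/log/stunnel4/stunnel.log",
    "metadata_corrupt": "the SP metadata file does not define the expected entity ID: "
                        "regenerate it or remove it from metadata.d",
    "peer_cert_untrusted": "the peer's certificate does not chain to CAfile: the IdP certificate "
                           "and key must be identical on all IdP servers and issued by the UCS CA",
}


def classify_line(line):
    """Return (category, detail) for one log line, or None for noise."""
    m = MEMCACHE_RE.search(line)
    if m:
        reason = m.group("reason")
        if reason.startswith("No such file or directory"):
            return "socket_missing", m.group("sock")
        if "socket was unexpectedly closed" in reason:
            return "socket_closed", m.group("sock")
        return "memcache_other", f"{m.group('sock')}: {reason}"
    m = METADATA_RE.search(line)
    if m:
        return "metadata_corrupt", m.group("file")
    m = STUNNEL_RE.search(line)
    if m:
        msg = m.group("msg")
        if msg.startswith("Rejected by CERT") or "certificate verify failed" in msg:
            return "peer_cert_untrusted", msg
        pre = re.match(r"CERT: Pre-verification error: (.*)", msg)
        if pre:
            return "peer_cert_untrusted", pre.group(1)
    return None


def triage(text):
    """Group findings by category; each category maps to the distinct details seen."""
    findings = {}
    for line in text.splitlines():
        hit = classify_line(line)
        if hit:
            category, detail = hit
            bucket = findings.setdefault(category, [])
            if detail not in bucket:
                bucket.append(detail)
    return findings


def root_cause(findings):
    """The finding to act on first: a CERT rejection explains closed sockets,
    a missing socket is a stunnel/join problem, and the metadata warnings are
    independent of session replication."""
    for category in ("peer_cert_untrusted", "socket_missing", "socket_closed",
                     "metadata_corrupt", "memcache_other"):
        if category in findings:
            return category
    return None


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for category, details in found.items():
        print(f"{category}: {HINTS.get(category, '')}")
        for detail in details:
            print(f"    {detail}")
    print("act on first:", root_cause(found))
```

Feed it the concatenation of /var/log/apache2/error.log and /var/log/stunnel4/stunnel.log (or the syslog lines shown above) from the server whose IdP is failing; the ordering in root_cause() encodes the dependency between the symptoms, so a certificate rejection on the stunnel side is reported ahead of the "socket was unexpectedly closed" notices it causes.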

Please compare the files /etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt (and the private key) on all servers. They must be the same.
The same goes for /etc/univention/ssl/ucs-sso.$domainname/cert.pem.
The /etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt must be readable by the “samlcgi” user.
Does the memcached socket exist? → /var/run/univention-saml/memcached.socket
Is it owned and writable by the “samlcgi” user?
Does the memcached process run?
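The checks listed above can be run locally on each IdP server. What follows is an added example in Python, not UCS's own tooling: it hashes the certificate and key so the copies on the servers can be compared, decides readability for the "samlcgi" user from mode bits and ownership, inspects the memcached socket, and looks for a running memcached bound to it. The file paths and user name default to those shown in this thread; the reference fingerprint is an assumed value you obtain by running cert_fingerprint() on another IdP server; the process check reads /proc and is therefore Linux-only.

```python
"""Local checks for one SAML IdP server, following the checklist in this
thread: certificate and key identical on all IdP servers and readable by
samlcgi, memcached socket present, owned and writable by samlcgi, memcached
running.  Example code for this thread, not part of UCS or simplesamlphp."""
import hashlib
import os
import pwd
import stat

# Paths and user as shown in the thread ("xxx.lcl" is the anonymised domain there).
CERT = "/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.crt"
KEY = "/etc/simplesamlphp/p-ucs-master.xxx.lcl-idp-certificate.key"
SOCKET = "/var/run/univention-saml/memcached.socket"
USER = "samlcgi"


def cert_fingerprint(path):
    """SHA-256 of the file bytes.  Run it on every IdP server and compare the
    digests: identical files give identical values, which is the comparison asked for."""
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def readable_by(path, user):
    """Decide readability from mode bits and ownership only (ACLs are ignored),
    so the answer is the same whether or not this script itself runs as root."""
    st = os.stat(path)
    pw = pwd.getpwnam(user)
    if st.st_uid == pw.pw_uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in os.getgrouplist(user, pw.pw_gid):
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)


def socket_status(path, user):
    """One of: missing, not_a_socket, wrong_owner, not_writable, ok."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if not stat.S_ISSOCK(st.st_mode):
        return "not_a_socket"
    if st.st_uid != pwd.getpwnam(user).pw_uid:
        return "wrong_owner"
    if not st.st_mode & stat.S_IWUSR:
        return "not_writable"
    return "ok"


def memcached_running(socket_path):
    """True if a memcached process has socket_path in its argv (the thread shows
    it started with '-s <socket>'); None where /proc is unavailable."""
    if not os.path.isdir("/proc"):
        return None
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as fh:
                argv = fh.read().split(b"\0")
        except OSError:
            continue
        if argv and argv[0].endswith(b"memcached") and socket_path.encode() in argv:
            return True
    return False


def check_idp(cert=CERT, key=KEY, sock=SOCKET, user=USER, reference_fingerprint=None):
    """Return the list of problems found; an empty list means every local check passed.
    reference_fingerprint is the cert_fingerprint() value taken on another IdP server."""
    problems = []
    for path in (cert, key):
        if not os.path.exists(path):
            problems.append(f"{path}: missing")
        elif not readable_by(path, user):
            problems.append(f"{path}: not readable by {user}")
    if reference_fingerprint and os.path.exists(cert):
        if cert_fingerprint(cert) != reference_fingerprint:
            problems.append(f"{cert}: differs from the reference copy")
    status = socket_status(sock, user)
    if status != "ok":
        problems.append(f"{sock}: {status}")
    if memcached_running(sock) is False:
        problems.append(f"memcached is not running on {sock}")
    return problems


if __name__ == "__main__":
    for line in check_idp() or ["all local checks passed"]:
        print(line)
```

Run it on the DC Master first to obtain the fingerprint, then on the DC Backup with that value passed as reference_fingerprint; a "differs from the reference copy" finding is exactly the situation in the stunnel log above, where the peer presents a certificate the other side does not trust.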

Because of the issue “New SAML metadata after upgrading to UCS 4.1” I replaced the new IdP crt/key files with the ones used in UCS 4.0.
This way I avoided having to change the metadata on all service providers.

I compared the two IdP crt files. The new one contains much more information. I guess that is the problem for stunnel.
The other issue with re-using the UCS 4.0 files is that SSO for UMC doesn’t work.

So I think that the best is to use the new crt-file and update all service providers with the new metadata.
