Installing the Apache authentication module under MacOS X

From RavenWiki
Revision as of 15:19, 19 October 2007 by jw35 (talk | contribs) (Add warning about Mac OS X Leopard)
Jump to navigationJump to search

IMPORTANT 1: see section 'Mac OS X Server' (below) if installing on Mac OS X Server version 10.4.6 or later.

IMPORTANT 2: this module has not yet (as of 2007-10-19) been successfully tested on Mac OS X Leopard - it would not be advisable to upgrade Mac web servers to Leopard if they rely on mod_ucam_webauth.


1. Log in as administrator (aka admin) and install the Xcode tools if you haven't already got them installed on your system. This will give you all the stuff you need for writing code on your Mac.

You can pick the Xcode tools up from http://developer.apple.com/tools/download/ or install it from your distribution CD.

To install Xcode tools from the CD:

  • Insert the CD labelled "Mac OS X Xcode Tools" and double-click on the XcodeTools.mpkg icon.
  • Enter your administrator password.
  • Follow the instructions in the installer.

To install the Xcode tools from the the package (i.e.. XcodeTools1.5_CD.dmg) that you downloaded from the developer.apple.com site:

  • Double-click on the XcodeTools1.5_CD.dmg.
  • Enter your administrator password.
  • Follow the instructions in the installer.

2. Download a copy of mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/ (and if necessary double click on mod_ucam_webauth-1.3.0.tar). (By default this will be downloaded into a folder called mod_ucam_webauth-1.06 on your desktop)

  • Start the Terminal application.
  • Type the command "cd Desktop/mod_ucam_webauth-1.3.0".
  • To build ucam_webauth type the command "make".

You should see something along the following lines:

admin$ make
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypo
  • Then copy the module into the /usr/libexec/httpd/ directory by typing "sudo make install"

You should see something along the following lines:

sudo make install
Password:
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypto
/usr/sbin/apxs -i mod_ucam_webauth.so
cp mod_ucam_webauth.so /usr/libexec/httpd/mod_ucam_webauth.so
chmod 755 /usr/libexec/httpd/mod_ucam_webauth.so

3. Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in /usr/conf/webauth_keys/.

The Apache module only needs the "PEM formated PKCS#1 RSA public key" which is stored in a file named pubkey<n> (currently pubkey2). The names of the key files should not be changed - beware that they have no filename suffix but that some browsers may add .txt or similar when downloading them.

4. Add the following to /etc/httpd/httpd.conf, after the line that reads "ClearModuleList":

LoadModule ucam_webauth_module libexec/httpd/mod_ucam_webauth.so
AddModule mod_ucam_webauth.c

AACookieKey "some random string"
<Directory "path to protected directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>

This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.

Mac OS X Server

By default Apache on Mac OS X Server uses Apple's own authentication module, mod_auth_apple, in place of the standard Apache module, mod_auth. In Mac OS X Server version 10.4.6 (and probably in future versions) mod_auth_apple won't inter-work with mod_ucam_webauth.

To work around this, disable use of mod_auth_Apple and re-enable mod_auth (which Apple continue to supply). To do so, edit /etc/httpd/httdp.conf and replace

  LoadModule apple_auth_module     libexec/httpd/mod_auth_apple.so

with

 LoadModule auth_module            libexec/httpd/mod_auth.so

and

 AddModule mod_auth_apple.c

with

 AddModule mod_auth.c

It may also be possible to make this change using the Apache management GUI - see Apple documentation for details.

Background to the problem

The standard Apache mod_auth supports authentication using user names and passwords stored in files maintained by the htpassword utility. Apple's mod_auth_apple appears to extend this to allow users to authenticate either via credentials stored in htpassword files or via the system's login user name/password database.

While mod_ucam_webauth replaces the password validation functions of mod_auth and mod_auth_apple, it still relies on other functions that they provide. Even though mod_auth_apple largely replicates mod_auth's functionality it unfortunately does so in a way that is incompatible with mod_ucam_webauth's needs.

As far as we know the only thing you loose by replacing mod_auth_apple with mod_auth is the integration with the system's login user name/password database. Obviously that's a problem if you need it, or if you are running any web applications that rely on it. Otherwise this loss probably doesn't matter.