Installing the Apache authentication module under MacOS X: Difference between revisions
(→Installing mod_ucam_webauth: Link to new 2.0.2 release)
No edit summary
Revision as of 11:37, 8 July 2015
Ucam WebAuth
Ucam WebAuth v2.0 supports v3 of the protocol. This allows distinction between current users and all users. For more information please see this page https://wiki.cam.ac.uk/raven/Current_and_non-Current_users. It is recommended that mod_ucam_webauth v2.x is used for all new installs.
Installing & configuring Raven for 10.6 and later
For users running 10.6 and later there is a prebuilt installer package that deploys the Raven module without the need for compilation. Users of previous versions of OS X should look at Legacy Raven info for 10.4 etc.
Installing mod_ucam_webauth
- Install the installer package for your version of OS X:
  - 10.6 (Snow Leopard) to 10.9 (Mavericks): http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.6-10.9.dmg
  - 10.10 (Yosemite): http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.10.dmg
This will deploy mod_ucam_webauth built for 32 & 64 bit Intel hardware into /usr/libexec/apache2/
- Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them into /etc/apache2/webauth_keys/. The easiest way to do this is to execute the following commands in Terminal:
sudo mkdir /etc/apache2/webauth_keys
cd /etc/apache2/webauth_keys
sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2
Editing Apache Configuration
It is recommended that you do not edit the primary httpd.conf file but configure Apache through VirtualHost files. They are found in the following locations:
/etc/apache2/sites/ - all client versions of OS X and 10.7 Server
/Library/Server/Web/Config/apache2/sites/ - 10.8 Server and later
It is highly recommended that you do not use Server Admin or Server to manage the web service once Raven has been configured. These GUI tools have a nasty habit of destroying configuration they do not understand.
For a basic configuration add the following to the apache config file:
LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
AAKeyDir "/etc/apache2/webauth_keys"
AACookieKey "some random string"
<Directory "/path/to/protected/web/directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>
10.5, 10.6 & 10.7 specific edits
Add the following to the VirtualHosts file:
LoadModule authz_user_module libexec/apache2/mod_authz_user.so
10.8 or later specific edits
Add the following to the VirtualHosts file:
LoadModule authz_user_module libexec/apache2/mod_authz_user.so
LoadModule authz_groupfile_module libexec/apache2/mod_authz_groupfile.so
Testing
Start/restart the web server and test. Check /var/log/apache2/error.log if you are having problems.
This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.
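A check to run on the VirtualHost file before restarting Apache, as an added example that is not part of the original page or of the module's own tooling. It flags an AACookieKey left at the placeholder value (that value protects the session cookie, so it must be unpredictable), missing directives, and a world-readable file. The function names and the 32-character minimum are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original page: lint a VirtualHost file for the
# Raven directives shown above. The 32-character minimum is this example's
# own threshold, not a documented requirement of mod_ucam_webauth.

# Print a fresh 64-hex-character value for AACookieKey.
gen_cookie_key() {
    od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# check_webauth_conf FILE: print one line per finding; return 0 if none.
check_webauth_conf() {
    conf=$1
    rc=0
    key=$(sed -n 's/^[[:space:]]*AACookieKey[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$conf" | head -n 1)
    if [ -z "$key" ]; then
        echo "AACookieKey is missing or empty"; rc=1
    elif [ "$key" = "some random string" ]; then
        echo "AACookieKey is still the placeholder from the instructions"; rc=1
    elif [ "${#key}" -lt 32 ]; then
        echo "AACookieKey is shorter than 32 characters"; rc=1
    fi
    grep -Eq '^[[:space:]]*AAKeyDir[[:space:]]' "$conf" ||
        { echo "AAKeyDir is not set"; rc=1; }
    grep -Eq '^[[:space:]]*AuthType[[:space:]]+Ucam-WebAuth' "$conf" ||
        { echo "no AuthType Ucam-WebAuth in any Directory block"; rc=1; }
    grep -Eq '^[[:space:]]*Require[[:space:]]' "$conf" ||
        { echo "no Require directive"; rc=1; }
    # The file holds a secret, so it should not be world-readable.
    [ -z "$(find "$conf" -perm -004)" ] ||
        { echo "config file is world-readable"; rc=1; }
    return "$rc"
}

# Constructed sample: the basic configuration exactly as given above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
AAKeyDir "/etc/apache2/webauth_keys"
AACookieKey "some random string"
<Directory "/path/to/protected/web/directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>
EOF
check_webauth_conf "$sample" || echo "fix the findings above before restarting Apache"
```

Paste the output of gen_cookie_key between the quotes of AACookieKey, then rerun the check against the real file under the sites directory for your OS X version.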
Building from Source
Should you wish to build the module from source then do the following:
- Download and install Xcode AND the command line tools (sudo xcode-select --install is easiest) or install gcc & support files from another source
- Download mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/MacOS/ and expand the tar archive
- cd into mod_ucam_webauth and type sudo apxs -c -i -lcrypto mod_ucam_webauth.c. This will build and install the Raven authentication module for the currently booted OS X system architecture.
- Install the RSA keys and edit apache as described above.
If Xcode 4 or later users get the error "env: /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain/usr/bin/cc: No such file or directory" then paste in the following command as one line:
sudo ln -s /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain
Replace OSX10.8.xctoolchain with OSX10.9.xctoolchain etc as appropriate.
Apple forgot to include this symlink, which causes apxs to fail to find the compiler.