Installing the Apache authentication module under MacOS X: Difference between revisions

From RavenWiki
(Assorted fixups)
m (Reverted edits by jmw11 (talk) to last revision by jw35)
Tag: Rollback
 
(76 intermediate revisions by 7 users not shown)
Line 1: Line 1:
1. Log in as administrator (aka admin) and install the Xcode tools if you haven't already got them installed on your system. This will give you all the stuff you need for writing code on your Mac.
'''WARNING:''' Apple removed the OpenSSL library from MacOS 10.11 (El Capitan) onward. Since the Apache authentication module depends on OpenSSL for some of its function this means that the '''module can't easily be used with the supplied copy of Apache from 10.11 onward'''.


You can pick the Xcode tools up from http://developer.apple.com/tools/download/ or install it from your distribution CD.
Options for anyone needing or currently using Raven authentication with Apache on MacOS include:
* Moving to Apache on a Linux platform
* Using Raven's Shibboleth service -- UIS have no experience of using this but the Shibboleth Consortium [https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall appear to support running the Shibboleth SP under MacOS], and both [https://www.macports.org/ Macports] and [https://brew.sh/ Homebrew] include shibboleth-sp packages that may be usable with the MacOS version of Apache
* Install a separate copy of Apache and its dependencies either by hand or using [https://www.macports.org/ Macports] or [https://brew.sh/ Homebrew], and build a copy of the Apache Ucam WebAuth module against that using [http://raven.cam.ac.uk/project/apache/INSTALL the generic build instructions]


To install Xcode tools from the CD:
All of these options will be fiddly, and none will be GUI-based. Sorry.
* Insert the CD labeled "Mac OS X Xcode Tools" and double-click on the XcodeTools.mpkg icon.
* Enter your administrator password.
* Follow the instructions in the installer.


To install the Xcode tools from the the package (ie. XcodeTools1.5_CD.dmg) that you downloaded from the developer.apple.com site:
==Ucam WebAuth==
* Double-click on the XcodeTools1.5_CD.dmg.
* Enter your administrator password.
* Follow the instructions in the installer.


2. Download a copy of mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/ (By default this will be downloaded into a folder called mod_ucam_webauth-1.06 on your desktop)
Ucam WebAuth v2.0 supports v3 of the protocol. This allows distinction between current users and all users. For more information please see this page https://wiki.cam.ac.uk/raven/Current_and_non-Current_users. It is recommended that mod_ucam_webauth v2.x is used for all new installs.  
* Start the Terminal application.
* Type the command "cd Desktop/mod_ucam_webauth-1.0.6".
* To build ucam_webauth type the command "make".


You should see something along the following lines:
==Installing & configuring Raven for 10.6 and later==


admin$ make
For those users running 10.6 and later there is a prebuilt installer package to deploy the Raven module without the need for compilation. Users of previous versions of OS X should look at [[Legacy Raven info for 10.4 etc]]
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypo


* Then copy the module into the /usr/libexec/httpd/ directory by typing "sudo make install"
===Installing mod_ucam_webauth===


You should see something along the following lines:
Choose the correct the installer package for your version of OS X. The module will be installed into /usr/libexec/apache/
*[http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.6-10.9.dmg 10.6 (Snow Leopard) to 10.9 (Mavericks)]
*[http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.10.dmg 10.10 (Yosemite)]
Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in into /etc/apache2/webauth_keys/. The easiest way to do this is to simply execute the following commands in Terminal:
<tt>sudo mkdir /etc/apache2/webauth_keys
cd /etc/apache2/webauth_keys
sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2</tt>


sudo make install
===Editing Apache Configuration===
Password:
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypto
/usr/sbin/apxs -i mod_ucam_webauth.so
cp mod_ucam_webauth.so /usr/libexec/httpd/mod_ucam_webauth.so
chmod 755 /usr/libexec/httpd/mod_ucam_webauth.so


3. Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in /usr/conf/webauth_keys/.
It is recommended that you do not edit the primary httpd.conf file but configure apache through VirtualHost files. They are found in the following locations:


The Apache module only needs the "PEM formated PKCS#1 RSA public key" which is stored in a file named pubkey''<n>'' (currently pubkey2). The names of the key files should not be changed - beware that they have no filename suffix but that some browsers may add .txt or similar when downloading them.
<tt>/etc/apache2/sites/</tt> - all client version of OS X and 10.7 Server


4. Add the following to /etc/httpd/httdp.conf, after the line that reads "ClearModuleList":
<tt>/Library/Server/Web/Config/apache2/sites/</tt>  - 10.8 Server and later


  LoadModule ucam_webauth_module libexec/httpd/mod_ucam_webauth.so
It is highly recommended that you do not use Server Admin or Server to manage the web service post Raven configuration. These tools have a nasty habit of destroying configuration the GUI tools do not understand.
  AddModule mod_ucam_webauth.c
 
For a basic configuration add the following to the apache config file:
 
  <tt>LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
  AAKeyDir "/etc/apache2/webauth_keys"
  AACookieKey "some random string"
  AACookieKey "some random string"
  <Directory "path to protected directory">
  <Directory "/path/to/protected/web/directory">
   AuthType Ucam-WebAuth
   AuthType Ucam-WebAuth
   Require valid-user
   Require valid-user
  </Directory>
  </Directory></tt>
 
====10.5, 10.6 & 10.7 specific edits====
 
Add the following to the VirtualHosts file:
 
<tt>LoadModule authz_user_module libexec/apache2/mod_authz_user.so</tt>
 
====10.8 or later specific edits====
 
Add the following to the VirtualHosts file:
 
<tt>LoadModule authz_user_module libexec/apache2/mod_authz_user.so
 
LoadModule authz_groupfile_module libexec/apache2/mod_authz_groupfile.so</tt>
 
====Testing====
 
Start/restart the web server and test. Check /var/log/apache2/error.log if you are having problems.
 
This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.
 
====Building from Source====
 
Should you wish to build the module from source then do the following:
#Download and install Xcode AND the command line tools (<tt>sudo xcode-select --install</tt> is easiest) or install gcc & support files from another source
#Download mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/MacOS/ and expand the tar archive
#cd into mod_ucam_webauth and type <tt>sudo apxs -c -i -lcrypto mod_ucam_webauth.c</tt>. This will build and install the Raven authentication module for the currently booted OS X system architecture.
#Install the RSA keys and edit apache as described above.
 
If Xcode 4 or later users get the error "<tt>env: /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain/usr/bin/cc: No such file or directory</tt>" then paste in the following command as one line:
 
<tt>sudo ln -s /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain</tt>
 
Replace OSX10.8.xctoolchain with OSX10.9.xctoolchain etc as appropriate.
 
Apple forgot to include a symlink causing apxs to fail to find the compiler.


This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customization options.
[[Legacy Raven info for 10.4 etc]]
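
Review bot: the install location in the new text does not match the module path used in the configuration it adds. "The module will be installed into /usr/libexec/apache/" sits alongside LoadModule lines that all point at libexec/apache2/mod_ucam_webauth.so, so one of the two should be checked and made consistent. In the same revision, AACookieKey "some random string" reads as a value to paste as-is; the text should say to replace it with a locally generated string. "Choose the correct the installer" and "place them in into" each carry a duplicated word.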

Latest revision as of 13:57, 13 December 2019

WARNING: Apple removed the OpenSSL library from MacOS 10.11 (El Capitan) onward. Since the Apache authentication module depends on OpenSSL for some of its functions, this means that the module can't easily be used with the supplied copy of Apache from 10.11 onward.

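Options for anyone needing or currently using Raven authentication with Apache on MacOS include:

  * Moving to Apache on a Linux platform
  * Using Raven's Shibboleth service. UIS have no experience of using this, but the Shibboleth Consortium appear to support running the Shibboleth SP under MacOS (https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMacInstall), and both Macports (https://www.macports.org/) and Homebrew (https://brew.sh/) include shibboleth-sp packages that may be usable with the MacOS version of Apache
  * Installing a separate copy of Apache and its dependencies, either by hand or using Macports (https://www.macports.org/) or Homebrew (https://brew.sh/), and building a copy of the Apache Ucam WebAuth module against that using the generic build instructions (http://raven.cam.ac.uk/project/apache/INSTALL)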

All of these options will be fiddly, and none will be GUI-based. Sorry.

Ucam WebAuth

Ucam WebAuth v2.0 supports v3 of the protocol. This allows distinction between current users and all users. For more information please see this page https://wiki.cam.ac.uk/raven/Current_and_non-Current_users. It is recommended that mod_ucam_webauth v2.x is used for all new installs.

Installing & configuring Raven for 10.6 and later

For those users running 10.6 and later there is a prebuilt installer package to deploy the Raven module without the need for compilation. Users of previous versions of OS X should look at Legacy Raven info for 10.4 etc.

Installing mod_ucam_webauth

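Choose the correct installer package for your version of OS X. The module will be installed into /usr/libexec/apache/

  * 10.6 (Snow Leopard) to 10.9 (Mavericks): http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.6-10.9.dmg
  * 10.10 (Yosemite): http://raven.cam.ac.uk/project/apache/files/MacOS/mod_ucam_webauth_2.0.2_10.10.dmg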

Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in /etc/apache2/webauth_keys/. The easiest way to do this is to execute the following commands in Terminal:

sudo mkdir /etc/apache2/webauth_keys
cd /etc/apache2/webauth_keys
sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2

Editing Apache Configuration

It is recommended that you do not edit the primary httpd.conf file but configure Apache through VirtualHost files. They are found in the following locations:

/etc/apache2/sites/ - all client versions of OS X and 10.7 Server

/Library/Server/Web/Config/apache2/sites/ - 10.8 Server and later

It is highly recommended that you do not use Server Admin or Server to manage the web service post Raven configuration. These tools have a nasty habit of destroying configuration the GUI tools do not understand.

For a basic configuration add the following to the Apache config file:

LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
AAKeyDir "/etc/apache2/webauth_keys"
AACookieKey "some random string"
<Directory "/path/to/protected/web/directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>

10.5, 10.6 & 10.7 specific edits

Add the following to the VirtualHosts file:

LoadModule authz_user_module libexec/apache2/mod_authz_user.so

10.8 or later specific edits

Add the following to the VirtualHosts file:

LoadModule authz_user_module libexec/apache2/mod_authz_user.so

LoadModule authz_groupfile_module libexec/apache2/mod_authz_groupfile.so

Testing

Start/restart the web server and test. Check /var/log/apache2/error.log if you are having problems.

This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.
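
A pre-flight check that can be run before restarting Apache, as an added example (not part of this wiki page or the Raven project). It checks the key-file naming and format described on this page (files named pubkey<n> with no suffix, PEM PKCS#1 RSA public key) and flags a configuration that still carries the sample AACookieKey; the function names and the KEYDIR/CONF arguments are assumptions of the example.

```sh
#!/bin/sh
# Added example (not from the wiki or the Raven project): pre-flight checks
# for the key directory and the basic configuration shown on this page.
PEM_HEADER='-----BEGIN RSA PUBLIC KEY-----'   # PEM header of a PKCS#1 RSA public key

# check_keydir DIR: every file must be named pubkey<n> with no suffix and
# start with the PKCS#1 PEM header. Returns 0 only if all files pass.
check_keydir() {
    dir=$1; rc=0; good=0
    [ -d "$dir" ] || { echo "FAIL: no key directory $dir"; return 1; }
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        name=${f##*/}
        case $name in
            pubkey | pubkey*[!0-9]*)   # e.g. pubkey2.txt as saved by a browser
                echo "FAIL: $name is not named pubkey<n>"; rc=1; continue ;;
            pubkey*) ;;                # "pubkey" followed by digits only
            *)  echo "FAIL: unexpected file $name"; rc=1; continue ;;
        esac
        first=$(head -n 1 "$f" | tr -d '\r')
        if [ "$first" = "$PEM_HEADER" ]; then
            good=$((good + 1))
        else
            echo "FAIL: $name does not start with $PEM_HEADER"; rc=1
        fi
    done
    [ "$good" -gt 0 ] || { echo "FAIL: no usable key in $dir"; rc=1; }
    return $rc
}

# check_config FILE: AAKeyDir must be set and AACookieKey must not be the
# literal sample value from this page ("some random string").
check_config() {
    conf=$1; rc=0
    grep -Eq '^[[:space:]]*AAKeyDir[[:space:]]' "$conf" ||
        { echo "FAIL: AAKeyDir not set"; rc=1; }
    key=$(sed -n 's/^[[:space:]]*AACookieKey[[:space:]]*"\(.*\)".*/\1/p' "$conf" | head -n 1)
    case $key in
        '') echo "FAIL: AACookieKey not set (or not quoted)"; rc=1 ;;
        'some random string') echo "FAIL: AACookieKey is still the sample value"; rc=1 ;;
    esac
    return $rc
}

# Usage: sh preflight.sh KEYDIR CONF   (script name and arguments are hypothetical)
if [ $# -eq 2 ]; then
    check_keydir "$1" && check_config "$2" && echo "OK"
fi
```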

Building from Source

Should you wish to build the module from source then do the following:

  1. Download and install Xcode AND the command line tools (sudo xcode-select --install is easiest) or install gcc & support files from another source
  2. Download mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/MacOS/ and expand the tar archive
  3. cd into mod_ucam_webauth and type sudo apxs -c -i -lcrypto mod_ucam_webauth.c. This will build and install the Raven authentication module for the currently booted OS X system architecture.
  4. Install the RSA keys and edit the Apache configuration as described above.

If Xcode 4 or later users get the error "env: /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain/usr/bin/cc: No such file or directory" then paste in the following command as one line:

sudo ln -s /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain /Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.8.xctoolchain

Replace OSX10.8.xctoolchain with OSX10.9.xctoolchain etc as appropriate.

Apple forgot to include a symlink causing apxs to fail to find the compiler.

Legacy Raven info for 10.4 etc