|
|
| Line 1: |
Line 1: |
| '''IMPORTANT 1''': see section [[#Mac OS X Server | 'Mac OS X Server']] (below) if installing on Mac OS X Tiger Server version 10.4.6 or later 10.4.x version.
| | ===Installing & configuring Raven for 10.5 and later=== |
|
| |
|
| '''IMPORTANT 2''': If upgrading to Leopard/SnowLeopard also note that Leopard installs Apache 2.2.6 whilst Tiger comes with Apache 1.something so your Apache configuration and custom modules will need modification/recompiling.
| | For those users running 10.5+ on Intel hardware there is a prebuilt installer package to deploy the Raven module without the need for compilation etc. |
|
| |
|
| ----
| | ====Installing mod_ucam_webauth==== |
|
| |
|
| 1. Log in as administrator (aka admin) and install the Xcode tools if you haven't already got them installed on your system. This will give you all the stuff you need for writing code on your Mac.
| | *Download the installer package from here and install. This will deploy mod_ucam_webauth built for 32 & 64 bit Intel hardware into /usr/libexec/apache2/ |
| | *Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in into /etc/apache2/webauth_keys/. The easiest way to do this is to simply execute the following commands on the Terminal: |
|
| |
|
| You can pick the Xcode tools up from http://developer.apple.com/tools/download/ or install it from your distribution CD.
| | <tt>sudo mkdir /etc/apache2/webauth_keys |
| | |
| To install Xcode tools from the CD/DVD:
| |
| * Insert the CD labelled "Mac OS X Xcode Tools" or the install DVD for Leopard and double-click on the XcodeTools.mpkg icon. For Leopard you need to double-click on "Optional Installs", then "Xcode Tools" to get to the XcodeTools.mpkg icon.
| |
| * Enter your administrator password.
| |
| * Follow the instructions in the installer.
| |
| | |
| To install the Xcode tools from the the package (i.e.. XcodeTools1.5_CD.dmg) that you downloaded from the developer.apple.com site:
| |
| * Double-click on the XcodeTools1.5_CD.dmg.
| |
| * Enter your administrator password.
| |
| * Follow the instructions in the installer.
| |
| | |
| 2. Download a copy of mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/ (and if necessary double click on mod_ucam_webauth-1.4.2.tar). (By default this will be downloaded into a folder called mod_ucam_webauth-1.4.2 on your desktop or if using Leopard all downloaded items will go into your Downloads folder.)
| |
| * Start the Terminal application.
| |
| * Type the command "cd Desktop/mod_ucam_webauth-1.4.2" (or "cd Downloads/mod_ucam_webauth-1.4.2" on Leopard/SnowLeopard).
| |
| * To build ucam_webauth on Tiger and SnowLeopard type the command "make".
| |
| | |
| You should see something along the following lines:
| |
| | |
| admin$ make
| |
| /usr/sbin/apxs -c -lcrypto \
| |
| mod_ucam_webauth.c
| |
| gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
| |
| -DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
| |
| cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
| |
| mod_ucam_webauth.o -lcrypo
| |
| | |
| * On Leopard you unfortunately cannot use APXS as it does not appear to understand about fat modules and just running "make" will result in a non-functional mod_ucam_webauth module. Thusly you need to type (best to cut and paste!) the following horror into your Terminal:
| |
| | |
| /usr/share/apr-1/build-1/libtool --silent --mode=compile gcc -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -no-cpp-precomp -I/usr/include/apache2 -I/usr/include/apr-1 -I/usr/include/apr-1 -arch ppc -arch ppc64 -arch i386 -arch x86_64 -c -o mod_ucam_webauth.lo mod_ucam_webauth.c
| |
| | |
| /usr/share/apr-1/build-1/libtool --silent --mode=link gcc -o mod_ucam_webauth.la -lcrypto -rpath /usr/libexec/apache2 -module -avoid-version -arch ppc -arch ppc64 -arch i386 -arch x86_64 mod_ucam_webauth.lo
| |
| | |
| If the above two commands result in errors for you, what you need to do is to run "make clean" then run "make SUFFIX=la". This should work without errors and produce some output that will contain two lines similar to the above two commands. What you need to do is to then run "make clean" again and then copy and paste the first command then the second command as was displayed when you ran "make SUFFIX=la" BUT you have to add the options "-arch ppc -arch ppc64 -arch i386 -arch x86_64" to each of the commands to cause the module to be built 4-way-fat as is needed for Leopard's Apache installation.
| |
| | |
| * Then copy the module into the /usr/libexec/httpd/ directory by typing "sudo make install" on Tiger or "sudo make SUFFIX=la install" on Leopard and SnowLeopard.
| |
| | |
| You should see something along the following lines:
| |
| | |
| sudo make install
| |
| Password:
| |
| /usr/sbin/apxs -c -lcrypto \
| |
| mod_ucam_webauth.c
| |
| gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
| |
| -DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
| |
| cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
| |
| mod_ucam_webauth.o -lcrypto
| |
| /usr/sbin/apxs -i mod_ucam_webauth.so
| |
| cp mod_ucam_webauth.so /usr/libexec/httpd/mod_ucam_webauth.so
| |
| chmod 755 /usr/libexec/httpd/mod_ucam_webauth.so
| |
| | |
| 3. Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in /usr/conf/webauth_keys/ on Tiger or /etc/apache2/webauth_keys/ on Leopard. For Leopard the easiest way to do this is to simply execute the following commands on the Terminal:
| |
| | |
| sudo mkdir /etc/apache2/webauth_keys | |
| cd /etc/apache2/webauth_keys | | cd /etc/apache2/webauth_keys |
| sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2 | | sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2</tt> |
| | |
| The Apache module only needs the "PEM formated PKCS#1 RSA public key" which is stored in a file named pubkey''<n>'' (currently pubkey2). The names of the key files should not be changed - beware that they have no filename suffix but that some browsers may add .txt or similar when downloading them.
| |
| | |
| 4. For Tiger, add the following to /etc/httpd/httpd.conf, after the line that reads "ClearModuleList":
| |
| | |
| LoadModule ucam_webauth_module libexec/httpd/mod_ucam_webauth.so
| |
| AddModule mod_ucam_webauth.c
| |
| | |
| AACookieKey "some random string"
| |
| <Directory "path to protected directory">
| |
| AuthType Ucam-WebAuth
| |
| Require valid-user
| |
| </Directory>
| |
|
| |
|
| For Leopard and SnowLeopard, add the following to /etc/apache2/httpd.conf, after the last line beginning with "LoadModule":
| | ====Editing httpd.conf==== |
|
| |
|
| LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
| | *Add the following to /etc/apache2/httpd.conf, after the last line beginning with "LoadModule": |
|
| |
|
| | <tt>LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so |
| | <nowiki>#</nowiki>Raven config follows |
| AAKeyDir "/etc/apache2/webauth_keys" | | AAKeyDir "/etc/apache2/webauth_keys" |
| AACookieKey "some random string" | | AACookieKey "some random string" |
| <Directory "path to protected directory"> | | <Directory "path/to/protected/directory"> |
| AuthType Ucam-WebAuth | | AuthType Ucam-WebAuth |
| Require valid-user | | Require valid-user |
| </Directory> | | </Directory></tt> |
| | | <nowiki>#</nowiki>End of Raven configuration |
| This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.
| |
| | |
| ==Mac OS X Tiger Server==
| |
| | |
| Note the below applies to Mac OS X Tiger Server. Mac OS X Leopard and SnowLeopard work fine without doing the below and in fact doing the below will break Raven.
| |
| | |
| By default Apache on Mac OS X Server uses Apple's own authentication module, mod_auth_apple, in place of the standard Apache module, mod_auth. In Mac OS X Server version 10.4.6 (and probably in future versions of Mac OS X Server 10.4) mod_auth_apple won't inter-work with mod_ucam_webauth.
| |
| | |
| To work around this, disable use of mod_auth_Apple and re-enable mod_auth (which Apple continue to supply). To do so, edit /etc/httpd/httdp.conf and replace
| |
| | |
| LoadModule apple_auth_module libexec/httpd/mod_auth_apple.so
| |
| | |
| with
| |
| | |
| LoadModule auth_module libexec/httpd/mod_auth.so
| |
| | |
| and
| |
| | |
| AddModule mod_auth_apple.c
| |
| | |
| with
| |
| | |
| AddModule mod_auth.c
| |
| | |
| It may also be possible to make this change using the Apache management GUI - see Apple documentation for details.
| |
| | |
| ==Leopard and Snow Leopard Server==
| |
| | |
| (Tested with 10.5.6 and 10.6)
| |
|
| |
|
| When using 10.5 and 10.6 server ''do not'' disable the mod_auth_apple module as above. auth_module does not exist in 10.5 and 10.6 server and Raven will fail without mod_auth_apple enabled with a 'No groups file error' in the apache error log. You MUST also enable the authz_user_module to prevent apache 500 errors.
| | *10.5 & 10.6 specific edits |
|
| |
|
| ===Background to the problem===
| | Enable the authz_user_module module to prevent apache 500 errors. |
|
| |
|
| The standard Apache mod_auth supports authentication using user names and
| | *10.7 specific edits |
| passwords stored in files maintained by the htpassword utility. Apple's
| |
| mod_auth_apple appears to extend this to allow users to authenticate either
| |
| via credentials stored in htpassword files or via the system's login user
| |
| name/password database.
| |
|
| |
|
| While mod_ucam_webauth replaces the password validation functions of
| | There are two references to authz_user_module in the default 10.7 httpd.conf. Enable the reference in the <IfDefine MACOSXSERVER> section. |
| mod_auth and mod_auth_apple, it still relies on other functions that they
| |
| provide. Even though mod_auth_apple largely replicates mod_auth's
| |
| functionality it unfortunately does so in a way that is incompatible with
| |
| mod_ucam_webauth's needs.
| |
|
| |
|
| As far as we know the only thing you lose by replacing mod_auth_apple with
| | [[Legacy Raven info for 10.4 etc]] |
| mod_auth is the integration with the system's login user name/password
| |
| database. Obviously that's a problem if you need it, or if you are running
| |
| any web applications that rely on it. Otherwise this loss probably doesn't matter.
| |
