Installing the Apache authentication module under MacOS X

From RavenWiki
Jump to navigationJump to search

IMPORTANT 1: see section 'Mac OS X Server' (below) if installing on Mac OS X Tiger Server version 10.4.6 or later 10.4.x version.

IMPORTANT 2: If upgrading to Leopard/SnowLeopard also note that Leopard installs Apache 2.2.6 whilst Tiger comes with Apache 1.something so your Apache configuration and custom modules will need modification/recompiling.


1. Log in as administrator (aka admin) and install the Xcode tools if you haven't already got them installed on your system. This will give you all the stuff you need for writing code on your Mac.

You can pick the Xcode tools up from http://developer.apple.com/tools/download/ or install it from your distribution CD.

To install Xcode tools from the CD/DVD:

  • Insert the CD labelled "Mac OS X Xcode Tools" or the install DVD for Leopard and double-click on the XcodeTools.mpkg icon. For Leopard you need to double-click on "Optional Installs", then "Xcode Tools" to get to the XcodeTools.mpkg icon.
  • Enter your administrator password.
  • Follow the instructions in the installer.

To install the Xcode tools from the the package (i.e.. XcodeTools1.5_CD.dmg) that you downloaded from the developer.apple.com site:

  • Double-click on the XcodeTools1.5_CD.dmg.
  • Enter your administrator password.
  • Follow the instructions in the installer.

2. Download a copy of mod_ucam_webauth from https://raven.cam.ac.uk/project/apache/files/ (and if necessary double click on mod_ucam_webauth-1.4.2.tar). (By default this will be downloaded into a folder called mod_ucam_webauth-1.4.2 on your desktop or if using Leopard all downloaded items will go into your Downloads folder.)

  • Start the Terminal application.
  • Type the command "cd Desktop/mod_ucam_webauth-1.4.2" (or "cd Downloads/mod_ucam_webauth-1.4.2" on Leopard/SnowLeopard).
  • To build ucam_webauth on Tiger and SnowLeopard type the command "make".

You should see something along the following lines:

admin$ make
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypo
  • On Leopard you unfortunately cannot use APXS as it does not appear to understand about fat modules and just running "make" will result in a non-functional mod_ucam_webauth module. Thusly you need to type (best to cut and paste!) the following horror into your Terminal:
/usr/share/apr-1/build-1/libtool --silent --mode=compile gcc    -DDARWIN -DSIGPROCMASK_SETS_THREAD_MASK -no-cpp-precomp  -I/usr/include/apache2  -I/usr/include/apr-1   -I/usr/include/apr-1 -arch ppc -arch ppc64 -arch i386 -arch x86_64  -c -o mod_ucam_webauth.lo mod_ucam_webauth.c
/usr/share/apr-1/build-1/libtool --silent --mode=link gcc -o mod_ucam_webauth.la  -lcrypto -rpath /usr/libexec/apache2 -module -avoid-version -arch ppc -arch ppc64 -arch i386 -arch x86_64 mod_ucam_webauth.lo

If the above two commands result in errors for you, what you need to do is to run "make clean" then run "make SUFFIX=la". This should work without errors and produce some output that will contain two lines similar to the above two commands. What you need to do is to then run "make clean" again and then copy and paste the first command then the second command as was displayed when you ran "make SUFFIX=la" BUT you have to add the options "-arch ppc -arch ppc64 -arch i386 -arch x86_64" to each of the commands to cause the module to be built 4-way-fat as is needed for Leopard's Apache installation.

  • Then copy the module into the /usr/libexec/httpd/ directory by typing "sudo make install" on Tiger or "sudo make SUFFIX=la install" on Leopard and SnowLeopard.

You should see something along the following lines:

sudo make install
Password:
/usr/sbin/apxs -c -lcrypto \
mod_ucam_webauth.c
gcc -DDARWIN -DUSE_HSREGEX -DUSE_EXPAT -I../lib/expat-lite -g -Os -pipe -DHARD_SERVER_LIMIT=2048
-DEAPI -DSHARED_MODULE -I/usr/include/httpd -c mod_ucam_webauth.c
cc -bundle -undefined suppress -flat_namespace -Wl,-bind_at_load -o mod_ucam_webauth.so
mod_ucam_webauth.o -lcrypto
/usr/sbin/apxs -i mod_ucam_webauth.so
cp mod_ucam_webauth.so /usr/libexec/httpd/mod_ucam_webauth.so
chmod 755 /usr/libexec/httpd/mod_ucam_webauth.so

3. Download the necessary RSA public keys from https://raven.cam.ac.uk/project/keys/ and place them in /usr/conf/webauth_keys/ on Tiger or /etc/apache2/webauth_keys/ on Leopard. For Leopard the easiest way to do this is to simply execute the following commands on the Terminal:

sudo mkdir /etc/apache2/webauth_keys
cd /etc/apache2/webauth_keys
sudo curl -O https://raven.cam.ac.uk/project/keys/pubkey2

The Apache module only needs the "PEM formated PKCS#1 RSA public key" which is stored in a file named pubkey<n> (currently pubkey2). The names of the key files should not be changed - beware that they have no filename suffix but that some browsers may add .txt or similar when downloading them.

4. For Tiger, add the following to /etc/httpd/httpd.conf, after the line that reads "ClearModuleList":

LoadModule ucam_webauth_module libexec/httpd/mod_ucam_webauth.so
AddModule mod_ucam_webauth.c
AACookieKey "some random string"
<Directory "path to protected directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>

For Leopard and SnowLeopard, add the following to /etc/apache2/httpd.conf, after the last line beginning with "LoadModule":

LoadModule ucam_webauth_module libexec/apache2/mod_ucam_webauth.so
AAKeyDir "/etc/apache2/webauth_keys"
AACookieKey "some random string"
<Directory "path to protected directory">
  AuthType Ucam-WebAuth
  Require valid-user
</Directory>

This is the minimum configuration required to restrict access to resources in a particular directory to users with a Ucam-WebAuth login. See https://raven.cam.ac.uk/project/apache/README.Config for further customisation options.

Mac OS X Tiger Server

Note the below applies to Mac OS X Tiger Server. Mac OS X Leopard and SnowLeopard work fine without doing the below and in fact doing the below will break Raven.

By default Apache on Mac OS X Server uses Apple's own authentication module, mod_auth_apple, in place of the standard Apache module, mod_auth. In Mac OS X Server version 10.4.6 (and probably in future versions of Mac OS X Server 10.4) mod_auth_apple won't inter-work with mod_ucam_webauth.

To work around this, disable use of mod_auth_Apple and re-enable mod_auth (which Apple continue to supply). To do so, edit /etc/httpd/httdp.conf and replace

  LoadModule apple_auth_module     libexec/httpd/mod_auth_apple.so

with

 LoadModule auth_module            libexec/httpd/mod_auth.so

and

 AddModule mod_auth_apple.c

with

 AddModule mod_auth.c

It may also be possible to make this change using the Apache management GUI - see Apple documentation for details.

Leopard and Snow Leopard Server

(Tested with 10.5.6 and 10.6)

When using 10.5 and 10.6 server do not disable the mod_auth_apple module as above. auth_module does not exist in 10.5 and 10.6 server and Raven will fail without mod_auth_apple enabled with a 'No groups file error' in the apache error log.

Background to the problem

The standard Apache mod_auth supports authentication using user names and passwords stored in files maintained by the htpassword utility. Apple's mod_auth_apple appears to extend this to allow users to authenticate either via credentials stored in htpassword files or via the system's login user name/password database.

While mod_ucam_webauth replaces the password validation functions of mod_auth and mod_auth_apple, it still relies on other functions that they provide. Even though mod_auth_apple largely replicates mod_auth's functionality it unfortunately does so in a way that is incompatible with mod_ucam_webauth's needs.

As far as we know the only thing you lose by replacing mod_auth_apple with mod_auth is the integration with the system's login user name/password database. Obviously that's a problem if you need it, or if you are running any web applications that rely on it. Otherwise this loss probably doesn't matter.