SiNotes-Grid
Monday, May 22, 2006
WebAuth Installation & Configuraiton
Suppose you already have
1.Download the src from http://webauthv3.stanford.edu/download.html
2.Configure the src using,
./configure --with-apache=/usr/local/apache20 --with-apxs=/usr/local/apache20/bin/apxs --with-kerberos=/usr/local/kerberos5 --with-ldap=/usr/local/openLDAP
3. make
4. make check
5. make install
*N.B.*
1) If you doesn't specify the ininstalltion dir using prefix, the shared lib files will be installed in /usr/local/lib
2)The kerberos and ldap config parameters are required for me, otherwise make cant find the approprate lib files. After the installation, you may still find errors when try to load mod_webauth.so in apache, sth like " cant find libwebauth.so ", that's because mod_webauth depends on this lib files, you can either copy them from /usr/local/lib/* and /usr/local/kerberos5/lib to "/usr/lib" or "httpd20/lib ".
3) If you see "Segmentation fault" error when you try to start apache and it failed, make sure your apache process have write access to keyring and other cache files defined in your mod_webauth.conf!! (Be sure to create the directory if you havn't !!)You can switch on debug for webauth module in mod_webauth.conf and check http20/logs/error_log.
4) If you can start apache but fail to access the desired webpage,check your httpd20/logs/ssl8080_error_log
5) If you see error messages like" fail to checking webAuth's certificate" it's because the webKDC is using a self-signed certificate.(http://webauth.stanford.edu/manual/mod/mod_webauth.html) You can swith off the certificate checking during test/development stage by using:
6) *IMPORTANT* When you startup apache as root, you can set the user & group you want this httpd process to run as in your httpd.conf. Actually in apache2.0.58, it's set to "nobody" by default.
Which means the apache process might have difficulty to read your webKDC keytab file if they dont have correct access right. A recommended way is to modify your httpd.conf and change the default "nobody" user to the user who have read access to webKDC keytab file.
The minimul configration of webAuth with detailed explaination can be learned from:
http://webauth.stanford.edu/conf-basic.html
An Oxford specific configration is available at :
http://www.oucs.ox.ac.uk/webauth/index.xml?style=printable
1.Download the src from http://webauthv3.stanford.edu/download.html
2.Configure the src using,
./configure --with-apache=/usr/local/apache20 --with-apxs=/usr/local/apache20/bin/apxs --with-kerberos=/usr/local/kerberos5 --with-ldap=/usr/local/openLDAP
3. make
4. make check
5. make install
*N.B.*
1) If you doesn't specify the ininstalltion dir using prefix, the shared lib files will be installed in /usr/local/lib
2)The kerberos and ldap config parameters are required for me, otherwise make cant find the approprate lib files. After the installation, you may still find errors when try to load mod_webauth.so in apache, sth like " cant find libwebauth.so ", that's because mod_webauth depends on this lib files, you can either copy them from /usr/local/lib/* and /usr/local/kerberos5/lib to "/usr/lib" or "httpd20/lib ".
3) If you see "Segmentation fault" error when you try to start apache and it failed, make sure your apache process have write access to keyring and other cache files defined in your mod_webauth.conf!! (Be sure to create the directory if you havn't !!)You can switch on debug for webauth module in mod_webauth.conf and check http20/logs/error_log.
4) If you can start apache but fail to access the desired webpage,check your httpd20/logs/ssl8080_error_log
5) If you see error messages like" fail to checking webAuth's certificate" it's because the webKDC is using a self-signed certificate.(http://webauth.stanford.edu/manual/mod/mod_webauth.html) You can swith off the certificate checking during test/development stage by using:
WebAuthWebKdcSSLCertCheck off
Or, you can also use
WebAuthWebKdcSSLCertFile conf/webauth/webkdc.cert
6) *IMPORTANT* When you startup apache as root, you can set the user & group you want this httpd process to run as in your httpd.conf. Actually in apache2.0.58, it's set to "nobody" by default.
Which means the apache process might have difficulty to read your webKDC keytab file if they dont have correct access right. A recommended way is to modify your httpd.conf and change the default "nobody" user to the user who have read access to webKDC keytab file.
The minimul configration of webAuth with detailed explaination can be learned from:
http://webauth.stanford.edu/conf-basic.html
An Oxford specific configration is available at :
http://www.oucs.ox.ac.uk/webauth/index.xml?style=printable
posted by Synew # 3:35 AM 
Archives
