RUBYCAS SERVER USING MOD_PASSENGER, LOCAL MYSQL DATABASE, AND LDAP AUTH ON PUIAS
[root@localhost ~]# yum install puias-{addons,unsupported}
[root@localhost ~]# yum install ruby{-mysql,gem-rubycas-server,gem-net-ldap} mod_{ssl,passenger} mysql-server
Open /etc/sysconfig/iptables and allow port 443 (https) traffic:
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
Configure httpd:
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf
Configure /etc/httpd/conf.d/ssl.conf to look something like this:
LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
    RailsAutoDetect Off
    RackBaseUri /
    DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel warn
    SSLEngine on
    SSLProtocol all -SSLv2
    SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
    SSLCertificateFile /etc/pki/tls/certs/httpd.pem
    <Files ~ "\.(cgi|shtml|phtml|php3?)$">
        SSLOptions +StdEnvVars
    </Files>
    <Directory "/var/www/cgi-bin">
        SSLOptions +StdEnvVars
    </Directory>
    <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
        AllowOverride All
        Allow from all
    </Directory>
    SetEnvIf User-Agent ".*MSIE.*" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request_log \
        "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>
Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION:
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost ~]# make httpd.pem
Now fill out the questionnaire...
Configure MySQL (example assumes local mysql):
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation
Fill out the questions, being sure to set a new root password and remove all test accounts and databases. It would also be very wise to create a dedicated rubycas user with limited permissions; doing so is beyond the scope of this document.
[root@localhost ~]# mysql -u root -p
mysql> create database casserver;
mysql> use casserver;
mysql> source /etc/rubycas-server/create_rubycas_mysql_db.sql
Create and configure the file /etc/rubycas-server/config.yml
There is an example config file located at /etc/rubycas-server/config.yml.example. Here is a trimmed example with all the helpful comments removed:
database:
  pool: 10
  adapter: mysql
  database: casserver
  username: root
  password: CHANGEME
  host: localhost
  reconnect: true

authenticator:
  class: CASServer::Authenticators::LDAP
  ldap:
    host: ldap.example.com
    port: 389
    base: dc=example,dc=com
    username_attribute: uid
    filter: (objectClass=person)

theme: simple
organization: CAS
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
default_locale: en

log:
  file: /var/log/casserver.log
  level: INFO
At this point, you can test your implementation:
[root@localhost ~]# setenforce 0
[root@localhost ~]# service httpd start
Note that I disabled SELinux with setenforce 0. Do this only for testing, so that the resulting denials can be used to generate policy files. Here is an example SELinux policy module that worked for me (but may still be a little lax):
module cscas 1.1;

require {
    type httpd_t;
    type mysqld_port_t;
    type passenger_t;
    type passenger_tmp_t;
    type var_log_t;
    class capability { sys_resource sys_ptrace };
    class dir { write getattr search add_name };
    class file { write getattr setattr read create open append };
    class sock_file { write getattr setattr create unlink };
    class tcp_socket { name_connect listen };
}

#============= httpd_t ==============
allow httpd_t passenger_tmp_t:dir { write search getattr add_name };
allow httpd_t passenger_tmp_t:file { write create open setattr };
allow httpd_t passenger_tmp_t:sock_file write;

#============= passenger_t ==============
allow passenger_t mysqld_port_t:tcp_socket name_connect;
allow passenger_t passenger_tmp_t:sock_file { write create unlink getattr setattr };
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t var_log_t:file { getattr open append };
Now you can set up a client using mod_auth_cas. A working configuration looks like:
# Uncomment for testing. Never leave these uncommented in production.
# CASDebug On
# CASValidateServer Off
CASLoginURL https://signon.example.com/login
CASValidateURL https://signon.example.com/serviceValidate
CASCookiePath /var/www/cascookies/

<Directory "/protected">
    AuthType CAS
    AuthName "Staff ONLY"
    Require user john joe bob
</Directory>
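As an added example (not code from this page, mod_auth_cas or rubycas-server), here is the validation step that the CASValidateURL directive above drives: the client sends the service ticket to /serviceValidate over verified TLS and parses the CAS 2.0 XML reply, accepting a user only on authenticationSuccess. The host names, the ticket string and the two XML responses are constructed samples; the allowed-user list mirrors the Require user line.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

CAS_NS = "{http://www.yale.edu/tp/cas}"  # namespace used by CAS 2.0 responses


def build_validate_url(validate_url, service, ticket):
    """Query string a client sends to the serviceValidate endpoint."""
    return validate_url + "?" + urllib.parse.urlencode(
        {"service": service, "ticket": ticket})


def parse_service_response(xml_text):
    """Return (True, username) on success or (False, failure code) otherwise.

    Anything that is not a well-formed serviceResponse raises ValueError, so a
    caller never treats an unexpected document as a login."""
    root = ET.fromstring(xml_text)
    if root.tag != CAS_NS + "serviceResponse":
        raise ValueError("not a CAS serviceResponse")
    success = root.find(CAS_NS + "authenticationSuccess")
    if success is not None:
        user = (success.findtext(CAS_NS + "user") or "").strip()
        if not user:
            raise ValueError("authenticationSuccess without a cas:user")
        return True, user
    failure = root.find(CAS_NS + "authenticationFailure")
    if failure is not None:
        return False, failure.get("code", "UNKNOWN")
    raise ValueError("response carries neither success nor failure")


def validate_ticket(validate_url, service, ticket, cafile=None):
    """Fetch and parse the reply; the server certificate is always verified,
    which is what leaving CASValidateServer at its default gives you."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(build_validate_url(validate_url, service, ticket),
                                context=ctx, timeout=10) as resp:
        return parse_service_response(resp.read().decode("utf-8"))


def allowed(username, allowed_users=("john", "joe", "bob")):
    """Equivalent of 'Require user john joe bob' from the mod_auth_cas block."""
    return username in allowed_users


# Constructed sample replies in the CAS 2.0 format (not captured from a server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess><cas:user>john</cas:user></cas:authenticationSuccess>
</cas:serviceResponse>"""
FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""
```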