Changes between Version 1 and Version 2 of RubyCASServer

Timestamp:

Oct 27, 2011 1:41:01 PM (14 years ago)

Author:

brose

Comment:

--

RubyCASServer

@@ -5 +5 @@
 [[BR]]
 Open /etc/sysconfig/iptables and allow port 443 (https) traffic:[[BR]]
--A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT[[BR]]
-[[BR]]
-Create the file /usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/config.ru[[BR]]
-See the example in this folder.[[BR]]
+{{{
+-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
+}}}
+[[BR]]
+Create the file /usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/config.ru with the following content:[[BR]]
+{{{
+require 'rubygems'
+
+$:.unshift "#{File.dirname(__FILE__)}/lib"
+require "casserver"
+
+use Rack::ShowExceptions
+use Rack::Runtime
+use Rack::CommonLogger
+
+run CASServer::Server.new
+}}}
 [[BR]]
 Configure httpd:[[BR]]
 [root@localhost ~]# chkconfig httpd on[[BR]]
 [root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf[[BR]]
-Configure /etc/httpd/conf.d/ssl.conf as per the given example[[BR]]
+Configure /etc/httpd/conf.d/ssl.conf to look something like this:[[BR]]
+{{{
+LoadModule ssl_module modules/mod_ssl.so
+Listen 443
+
+SSLPassPhraseDialog  builtin
+SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
+SSLSessionCacheTimeout  300
+SSLMutex default
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+SSLCryptoDevice builtin
+
+<VirtualHost _default_:443>
+        RailsAutoDetect Off
+        RackBaseUri /
+
+        DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
+        ErrorLog logs/ssl_error_log
+        TransferLog logs/ssl_access_log
+        LogLevel warn
+
+        SSLEngine on
+        SSLProtocol all -SSLv2
+        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
+        SSLCertificateFile /etc/pki/tls/certs/httpd.pem
+
+        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
+                SSLOptions +StdEnvVars
+        </Files>
+
+        <Directory "/var/www/cgi-bin">
+                SSLOptions +StdEnvVars
+        </Directory>
+
+        <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
+                AllowOverride All
+                Allow from all
+        </Directory>
+
+        SetEnvIf User-Agent ".*MSIE.*" \
+          nokeepalive ssl-unclean-shutdown \
+          downgrade-1.0 force-response-1.0
+        CustomLog logs/ssl_request_log \
+          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+</VirtualHost>
+}}}
 [[BR]]
 Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION:[[BR]]
@@ -29 +88 @@
 mysql> use casserver;[[BR]]
 mysql> source /path/to/create_rubycas_mysql_db.sql[[BR]]
+The SQL file should look like this:[[BR]]
+{{{
+-- MySQL dump 10.13  Distrib 5.1.52, for unknown-linux-gnu (x86_64)
+--
+-- Host: localhost    Database: casserver
+-- ------------------------------------------------------
+-- Server version       5.1.52
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `casserver_lt`
+--
+
+DROP TABLE IF EXISTS `casserver_lt`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `casserver_lt` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `ticket` varchar(255) NOT NULL,
+  `created_on` datetime NOT NULL,
+  `consumed` datetime DEFAULT NULL,
+  `client_hostname` varchar(255) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `casserver_pgt`
+--
+
+DROP TABLE IF EXISTS `casserver_pgt`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `casserver_pgt` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `ticket` varchar(255) NOT NULL,
+  `created_on` datetime NOT NULL,
+  `client_hostname` varchar(255) NOT NULL,
+  `iou` varchar(255) NOT NULL,
+  `service_ticket_id` int(11) NOT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `casserver_st`
+--
+
+DROP TABLE IF EXISTS `casserver_st`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `casserver_st` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `ticket` varchar(255) NOT NULL,
+  `service` text NOT NULL,
+  `created_on` datetime NOT NULL,
+  `consumed` datetime DEFAULT NULL,
+  `client_hostname` varchar(255) NOT NULL,
+  `username` varchar(255) NOT NULL,
+  `type` varchar(255) NOT NULL,
+  `granted_by_pgt_id` int(11) DEFAULT NULL,
+  `granted_by_tgt_id` int(11) DEFAULT NULL,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `casserver_tgt`
+--
+
+DROP TABLE IF EXISTS `casserver_tgt`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `casserver_tgt` (
+  `id` int(11) NOT NULL AUTO_INCREMENT,
+  `ticket` varchar(255) NOT NULL,
+  `created_on` datetime NOT NULL,
+  `client_hostname` varchar(255) NOT NULL,
+  `username` varchar(255) NOT NULL,
+  `extra_attributes` text,
+  PRIMARY KEY (`id`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+--
+-- Table structure for table `schema_migrations`
+--
+
+DROP TABLE IF EXISTS `schema_migrations`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `schema_migrations` (
+  `version` varchar(255) NOT NULL,
+  UNIQUE KEY `unique_schema_migrations` (`version`)
+) ENGINE=InnoDB DEFAULT CHARSET=latin1;
+/*!40101 SET character_set_client = @saved_cs_client */;
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+-- Dump completed on 2011-10-27  9:53:58
+}}}
 [[BR]]
 Create and configure the file /etc/rubycas-server/config.yml[[BR]]
-See example in this folder.[[BR]]
+There is an example config file located at /etc/rubycas-server/config.yml.example. Here is a trimmed example, all the helpful comments have been removed:[[BR]]
+{{{
+database:
+  pool: 10
+  adapter: mysql
+  database: casserver
+  username: root
+  password: CHANGEME
+  host: localhost
+  
+authenticator:
+  class: CASServer::Authenticators::LDAP
+  ldap:
+    host: ldap.example.com
+    port: 389
+    base: dc=example,dc=com
+    username_attribute: uid
+    filter: (objectClass=person)
+theme: simple
+organization: CAS
+infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
+default_locale: en
+log:
+  file: /var/log/casserver.log
+  level: INFO
+}}}
 [[BR]]
 At this point, you can test your implementation:[[BR]]
@@ -38 +240 @@
 [[BR]]
 Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files.[[BR]]
-Please see rubycas-server.te in this directory for an example SELinux policy file that worked for me.[[BR]]
+Here is an example SELinux policy file that worked for me:[[BR]]
+{{{
+module rubycasserver 1.0;
+
+require {
+        type unconfined_t;
+        type init_t;
+        type auditd_t;
+        type mysqld_t;
+        type syslogd_t;
+        type getty_t;
+        type initrc_t;
+        type var_log_t;
+        type tmp_t;
+        type rpm_script_t;
+        type mysqld_db_t;
+        type dhcpc_t;
+        type local_login_t;
+        type httpd_tmp_t;
+        type kernel_t;
+        type mysqld_var_run_t;
+        type usr_t;
+        type postfix_qmgr_t;
+        type passenger_t;
+        type postfix_master_t;
+        type udev_t;
+        type mysqld_safe_t;
+        type postfix_pickup_t;
+        type groupadd_t;
+        type crond_t;
+        type rpm_t;
+        type system_cronjob_t;
+        type plymouthd_t;
+        type httpd_t;
+        type sshd_t;
+        class unix_stream_socket connectto;
+        class capability { sys_resource sys_ptrace sys_tty_config };
+        class tcp_socket listen;
+        class file { setattr read create write getattr unlink open append };
+        class sock_file { write getattr setattr create unlink };
+        class dir { search setattr read create write getattr rmdir remove_name add_name };
+}
+
+#============= httpd_t ==============
+allow httpd_t tmp_t:sock_file write;
+
+#============= passenger_t ==============
+allow passenger_t auditd_t:dir { getattr search };
+allow passenger_t auditd_t:file { read open };
+allow passenger_t crond_t:dir { getattr search };
+allow passenger_t crond_t:file { read open };
+allow passenger_t dhcpc_t:dir { getattr search };
+allow passenger_t dhcpc_t:file { read open };
+allow passenger_t getty_t:dir { getattr search };
+allow passenger_t getty_t:file { read open };
+allow passenger_t groupadd_t:dir { getattr search };
+allow passenger_t groupadd_t:file { read open };
+allow passenger_t httpd_t:dir { getattr search };
+allow passenger_t httpd_t:file { read open };
+allow passenger_t httpd_tmp_t:file { getattr unlink setattr };
+allow passenger_t init_t:dir { getattr search };
+allow passenger_t init_t:file { read open };
+allow passenger_t initrc_t:dir { getattr search };
+allow passenger_t initrc_t:file { read open };
+allow passenger_t kernel_t:dir { getattr search };
+allow passenger_t kernel_t:file { read open };
+allow passenger_t local_login_t:dir { getattr search };
+allow passenger_t local_login_t:file { read open };
+allow passenger_t mysqld_db_t:dir search;
+allow passenger_t mysqld_safe_t:dir { getattr search };
+allow passenger_t mysqld_safe_t:file { read open };
+allow passenger_t mysqld_t:dir { getattr search };
+allow passenger_t mysqld_t:file { read open };
+allow passenger_t mysqld_t:unix_stream_socket connectto;
+allow passenger_t mysqld_var_run_t:sock_file write;
+allow passenger_t plymouthd_t:dir { getattr search };
+allow passenger_t plymouthd_t:file { read open };
+allow passenger_t postfix_master_t:dir { getattr search };
+allow passenger_t postfix_master_t:file { read open };
+allow passenger_t postfix_pickup_t:dir { getattr search };
+allow passenger_t postfix_pickup_t:file { read open };
+allow passenger_t postfix_qmgr_t:dir { getattr search };
+allow passenger_t postfix_qmgr_t:file { read open };
+allow passenger_t rpm_script_t:dir { getattr search };
+allow passenger_t rpm_script_t:file { read open };
+allow passenger_t rpm_t:dir { search getattr };
+allow passenger_t rpm_t:file { read open };
+allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config };
+allow passenger_t self:tcp_socket listen;
+allow passenger_t sshd_t:dir { getattr search };
+allow passenger_t sshd_t:file { read open };
+allow passenger_t syslogd_t:dir { getattr search };
+allow passenger_t syslogd_t:file { read open };
+allow passenger_t system_cronjob_t:dir { getattr search };
+allow passenger_t system_cronjob_t:file { read open };
+allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name };
+allow passenger_t tmp_t:file { write getattr setattr read create unlink open };
+allow passenger_t tmp_t:sock_file { write create unlink getattr setattr };
+allow passenger_t udev_t:dir { getattr search };
+allow passenger_t udev_t:file { read open };
+allow passenger_t unconfined_t:dir { getattr search };
+allow passenger_t unconfined_t:file { read open };
+allow passenger_t usr_t:file { read getattr open };
+allow passenger_t var_log_t:file { getattr open append };
+}}}