RUBYCAS SERVER USING MOD_PASSENGER, LOCAL MYSQL DATABASE, AND LDAP AUTH ON PUIAS[[BR]] [[BR]] [root@localhost ~]# yum install puias-{addons,unsupported}[[BR]] [root@localhost ~]# yum install rubygem-rubycas-server ruby-mysql mod_ssl mod_passenger mysql-server rubygem-net-ldap[[BR]] [[BR]] Open /etc/sysconfig/iptables and allow port 443 (https) traffic:[[BR]] {{{ -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT }}} [[BR]] Configure httpd:[[BR]] [root@localhost ~]# chkconfig httpd on[[BR]] [root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf[[BR]] Configure /etc/httpd/conf.d/ssl.conf to look something like this:[[BR]] {{{ LoadModule ssl_module modules/mod_ssl.so Listen 443 SSLPassPhraseDialog builtin SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000) SSLSessionCacheTimeout 300 SSLMutex default SSLRandomSeed startup file:/dev/urandom 256 SSLRandomSeed connect builtin SSLCryptoDevice builtin RailsAutoDetect Off RackBaseUri / DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public" ErrorLog logs/ssl_error_log TransferLog logs/ssl_access_log LogLevel warn SSLEngine on SSLProtocol all -SSLv2 SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW SSLCertificateFile /etc/pki/tls/certs/httpd.pem SSLOptions +StdEnvVars SSLOptions +StdEnvVars AllowOverride All Allow from all SetEnvIf User-Agent ".*MSIE.*" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 CustomLog logs/ssl_request_log \ "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b" }}} [[BR]] Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION:[[BR]] [root@localhost ~]# cd /etc/pki/tls/certs[[BR]] [root@localhost ~]# make httpd.pem[[BR]] [Fill out the questionaire][[BR]] [[BR]] Configure MySQL:[[BR]] [root@localhost ~]# chkconfig mysqld on[[BR]] [root@localhost ~]# service mysqld start[[BR]] [root@localhost ~]# /usr/bin/mysql_secure_installation[[BR]] Fill out the questions, be sure to set a new root password and remove all test accounts/dbs.[[BR]] [root@localhost ~]# mysql -u root -p[[BR]] mysql> create database casserver;[[BR]] mysql> use casserver;[[BR]] mysql> source /etc/rubycas-server/create_rubycas_mysql_db.sql[[BR]] [[BR]] Create and configure the file /etc/rubycas-server/config.yml[[BR]] There is an example config file located at /etc/rubycas-server/config.yml.example. Here is a trimmed example, all the helpful comments have been removed:[[BR]] {{{ database: pool: 10 adapter: mysql database: casserver username: root password: CHANGEME host: localhost authenticator: class: CASServer::Authenticators::LDAP ldap: host: ldap.example.com port: 389 base: dc=example,dc=com username_attribute: uid filter: (objectClass=person) theme: simple organization: CAS infoline: Powered by RubyCAS-Server default_locale: en log: file: /var/log/casserver.log level: INFO }}} [[BR]] At this point, you can test your implementation:[[BR]] [root@localhost ~]# setenforce 0[[BR]] [root@localhost ~]# service httpd start[[BR]] [[BR]] Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files.[[BR]] Here is an example SELinux policy file that worked for me (but needs a serious cleanup):[[BR]] {{{ module rubycasserver 1.0; require { type unconfined_t; type init_t; type auditd_t; type mysqld_t; type syslogd_t; type getty_t; type initrc_t; type var_log_t; type tmp_t; type rpm_script_t; type mysqld_db_t; type dhcpc_t; type local_login_t; type httpd_tmp_t; type kernel_t; type mysqld_var_run_t; type usr_t; type postfix_qmgr_t; type passenger_t; type postfix_master_t; type udev_t; type mysqld_safe_t; type postfix_pickup_t; type groupadd_t; type crond_t; type rpm_t; type system_cronjob_t; type plymouthd_t; type httpd_t; type sshd_t; class unix_stream_socket connectto; class capability { sys_resource sys_ptrace sys_tty_config }; class tcp_socket listen; class file { setattr read create write getattr unlink open append }; class sock_file { write getattr setattr create unlink }; class dir { search setattr read create write getattr rmdir remove_name add_name }; } #============= httpd_t ============== allow httpd_t tmp_t:sock_file write; #============= passenger_t ============== allow passenger_t auditd_t:dir { getattr search }; allow passenger_t auditd_t:file { read open }; allow passenger_t crond_t:dir { getattr search }; allow passenger_t crond_t:file { read open }; allow passenger_t dhcpc_t:dir { getattr search }; allow passenger_t dhcpc_t:file { read open }; allow passenger_t getty_t:dir { getattr search }; allow passenger_t getty_t:file { read open }; allow passenger_t groupadd_t:dir { getattr search }; allow passenger_t groupadd_t:file { read open }; allow passenger_t httpd_t:dir { getattr search }; allow passenger_t httpd_t:file { read open }; allow passenger_t httpd_tmp_t:file { getattr unlink setattr }; allow passenger_t init_t:dir { getattr search }; allow passenger_t init_t:file { read open }; allow passenger_t initrc_t:dir { getattr search }; allow passenger_t initrc_t:file { read open }; allow passenger_t kernel_t:dir { getattr search }; allow passenger_t kernel_t:file { read open }; allow passenger_t local_login_t:dir { getattr search }; allow passenger_t local_login_t:file { read open }; allow passenger_t mysqld_db_t:dir search; allow passenger_t mysqld_safe_t:dir { getattr search }; allow passenger_t mysqld_safe_t:file { read open }; allow passenger_t mysqld_t:dir { getattr search }; allow passenger_t mysqld_t:file { read open }; allow passenger_t mysqld_t:unix_stream_socket connectto; allow passenger_t mysqld_var_run_t:sock_file write; allow passenger_t plymouthd_t:dir { getattr search }; allow passenger_t plymouthd_t:file { read open }; allow passenger_t postfix_master_t:dir { getattr search }; allow passenger_t postfix_master_t:file { read open }; allow passenger_t postfix_pickup_t:dir { getattr search }; allow passenger_t postfix_pickup_t:file { read open }; allow passenger_t postfix_qmgr_t:dir { getattr search }; allow passenger_t postfix_qmgr_t:file { read open }; allow passenger_t rpm_script_t:dir { getattr search }; allow passenger_t rpm_script_t:file { read open }; allow passenger_t rpm_t:dir { search getattr }; allow passenger_t rpm_t:file { read open }; allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config }; allow passenger_t self:tcp_socket listen; allow passenger_t sshd_t:dir { getattr search }; allow passenger_t sshd_t:file { read open }; allow passenger_t syslogd_t:dir { getattr search }; allow passenger_t syslogd_t:file { read open }; allow passenger_t system_cronjob_t:dir { getattr search }; allow passenger_t system_cronjob_t:file { read open }; allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name }; allow passenger_t tmp_t:file { write getattr setattr read create unlink open }; allow passenger_t tmp_t:sock_file { write create unlink getattr setattr }; allow passenger_t udev_t:dir { getattr search }; allow passenger_t udev_t:file { read open }; allow passenger_t unconfined_t:dir { getattr search }; allow passenger_t unconfined_t:file { read open }; allow passenger_t usr_t:file { read getattr open }; allow passenger_t var_log_t:file { getattr open append }; }}}