
RUBYCAS SERVER USING MOD_PASSENGER, LOCAL MYSQL DATABASE, AND LDAP AUTH ON PUIAS

[root@localhost ~]# yum install puias-{addons,unsupported}
[root@localhost ~]# yum install rubygem-rubycas-server ruby-mysql mod_ssl mod_passenger mysql-server rubygem-net-ldap

Open /etc/sysconfig/iptables and allow inbound port 443 (https) traffic by adding this rule above the final REJECT rule (a rule placed after the REJECT is never reached):

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


Create the file /usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/config.ru with the following content:

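# Rack entry point used by mod_passenger to boot RubyCAS-Server.
require 'rubygems'

# Put the gem's own lib/ directory on the load path so `require "casserver"` resolves
# to this installation regardless of the working directory Passenger starts us in.
$:.unshift "#{File.dirname(__FILE__)}/lib"
require "casserver"

# Rack::ShowExceptions is deliberately NOT used here: on an unhandled error it renders
# the backtrace, the request environment and the session to the browser, which on an
# internet-facing login server discloses internals (paths, parameters, cookies). Errors
# are still reported by Passenger in the Apache error log and in the casserver log.
use Rack::Runtime
use Rack::CommonLogger

run CASServer::Server.new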


Configure httpd:
[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf
Configure /etc/httpd/conf.d/ssl.conf to look something like this:

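LoadModule ssl_module modules/mod_ssl.so
Listen 443

SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

# Everything RubyCAS-Server serves (login form, ticket validation) goes through this
# TLS virtual host, which Passenger maps to the Rack application rooted at /.
<VirtualHost _default_:443>
	RailsAutoDetect Off
	RackBaseUri /

	DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
	ErrorLog logs/ssl_error_log
	TransferLog logs/ssl_access_log
	LogLevel warn

	SSLEngine on
	# User passwords and CAS tickets cross this listener, so disable SSLv3 as well as
	# SSLv2 and stop offering the EXPORT/LOW/RC4 suites the stock ssl.conf accepted.
	# Let the server's cipher preference win over the client's.
	SSLProtocol all -SSLv2 -SSLv3
	SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
	SSLHonorCipherOrder on
	# "make httpd.pem" (see below) writes key and certificate into one file, which is why
	# no SSLCertificateKeyFile is given; add one if the production key is stored separately.
	SSLCertificateFile /etc/pki/tls/certs/httpd.pem

	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
		SSLOptions +StdEnvVars
	</Files>

	<Directory "/var/www/cgi-bin">
		SSLOptions +StdEnvVars
	</Directory>

	# AllowOverride All lets a .htaccess dropped into the gem's public/ directory alter
	# this configuration; nothing on this page needs that, so None would be tighter.
	<Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
		AllowOverride All
		Allow from all
	</Directory>

	SetEnvIf User-Agent ".*MSIE.*" \
	  nokeepalive ssl-unclean-shutdown \
	  downgrade-1.0 force-response-1.0
	CustomLog logs/ssl_request_log \
	  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>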


Create a self-signed test certificate and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION with a certificate issued by a CA your CAS client applications trust (they validate tickets by calling this server over HTTPS and will normally refuse an untrusted certificate), and keep the resulting file readable by root only:
[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost ~]# make httpd.pem
[Fill out the questionnaire]

Configure MySQL:
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation
Fill out the questions, be sure to set a new root password and remove all test accounts/dbs.
[root@localhost ~]# mysql -u root -p
mysql> create database casserver;
mysql> create user 'casserver'@'localhost' identified by 'CHANGEME';
mysql> grant all privileges on casserver.* to 'casserver'@'localhost';
mysql> use casserver;
mysql> source /path/to/create_rubycas_mysql_db.sql
The database section of config.yml should use this dedicated casserver account rather than root, so that a compromised CAS process can reach only the casserver database. Loading the SQL file as root is fine; it only creates tables.
The SQL file should look like this:

-- MySQL dump 10.13  Distrib 5.1.52, for unknown-linux-gnu (x86_64)
--
-- Host: localhost    Database: casserver
-- ------------------------------------------------------
-- Server version	5.1.52
--
-- Schema-only dump (no INSERT statements) of the ticket tables used by
-- rubycas-server 1.0: login tickets (casserver_lt), proxy-granting tickets
-- (casserver_pgt), service tickets (casserver_st), ticket-granting tickets
-- (casserver_tgt) and ActiveRecord's schema_migrations bookkeeping table.
--
-- Every table below is preceded by DROP TABLE IF EXISTS: re-running this
-- file against a live casserver database destroys all outstanding tickets
-- and login sessions. Load it once, on the freshly created empty database.
--
-- NOTE(review): rubycas-server also ships ActiveRecord migrations for these
-- tables and, depending on the version, may run them itself at startup
-- (look for a disable_auto_migrations option in config.yml.example). This
-- dump leaves schema_migrations empty, so confirm the two do not collide
-- before loading it by hand.
--
-- NOTE(review): every table is DEFAULT CHARSET=latin1; usernames or
-- extra_attributes taken from LDAP that contain non-Latin-1 characters would
-- not round-trip cleanly - consider utf8 for a new install.

/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
/*!40101 SET NAMES utf8 */;
/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
/*!40103 SET TIME_ZONE='+00:00' */;
/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;

--
-- Table structure for table `casserver_lt`
--
-- Login tickets. The server looks tickets up by the `ticket` string, but the
-- only key on this (and every other ticket table) is the id primary key, so
-- such lookups scan the table - consider an index on `ticket` once the
-- tables grow. AUTO_INCREMENT=2 is an artifact of the dumped test instance.
--

DROP TABLE IF EXISTS `casserver_lt`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `casserver_lt` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ticket` varchar(255) NOT NULL,
  `created_on` datetime NOT NULL,
  `consumed` datetime DEFAULT NULL,
  `client_hostname` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `casserver_pgt`
--
-- Proxy-granting tickets; `iou` is the PGTIOU handed to the service and
-- `service_ticket_id` refers to casserver_st.id (no foreign key is declared).
--

DROP TABLE IF EXISTS `casserver_pgt`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `casserver_pgt` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ticket` varchar(255) NOT NULL,
  `created_on` datetime NOT NULL,
  `client_hostname` varchar(255) NOT NULL,
  `iou` varchar(255) NOT NULL,
  `service_ticket_id` int(11) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `casserver_st`
--
-- Service (and proxy) tickets. `granted_by_pgt_id` / `granted_by_tgt_id`
-- point at casserver_pgt.id / casserver_tgt.id; again no foreign keys are
-- declared, so referential integrity is the application's job.
--

DROP TABLE IF EXISTS `casserver_st`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `casserver_st` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ticket` varchar(255) NOT NULL,
  `service` text NOT NULL,
  `created_on` datetime NOT NULL,
  `consumed` datetime DEFAULT NULL,
  `client_hostname` varchar(255) NOT NULL,
  `username` varchar(255) NOT NULL,
  `type` varchar(255) NOT NULL,
  `granted_by_pgt_id` int(11) DEFAULT NULL,
  `granted_by_tgt_id` int(11) DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `casserver_tgt`
--
-- Ticket-granting tickets (the single-sign-on session); `extra_attributes`
-- is free text that the authenticator may fill from the directory.
--

DROP TABLE IF EXISTS `casserver_tgt`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `casserver_tgt` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `ticket` varchar(255) NOT NULL,
  `created_on` datetime NOT NULL,
  `client_hostname` varchar(255) NOT NULL,
  `username` varchar(255) NOT NULL,
  `extra_attributes` text,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;

--
-- Table structure for table `schema_migrations`
--
-- ActiveRecord migration bookkeeping; created empty by this dump.
--

DROP TABLE IF EXISTS `schema_migrations`;
/*!40101 SET @saved_cs_client     = @@character_set_client */;
/*!40101 SET character_set_client = utf8 */;
CREATE TABLE `schema_migrations` (
  `version` varchar(255) NOT NULL,
  UNIQUE KEY `unique_schema_migrations` (`version`)
) ENGINE=InnoDB DEFAULT CHARSET=latin1;
/*!40101 SET character_set_client = @saved_cs_client */;
/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;

/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;

-- Dump completed on 2011-10-27  9:53:58


Create and configure the file /etc/rubycas-server/config.yml.
There is an example config file, with helpful comments, at /etc/rubycas-server/config.yml.example; below is a trimmed example with those comments removed. This file holds the database password, so make it owned by root and readable only by root and the user Passenger runs the application as (e.g. mode 640), and do not leave a world-readable copy in backups.

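# RubyCAS-Server configuration (/etc/rubycas-server/config.yml).
# Contains the database password: keep it readable only by root and the account
# Passenger runs the application as (e.g. chmod 640).
database:
  pool: 10
  adapter: mysql
  database: casserver
  # Dedicated MySQL account limited to the casserver database (e.g. created with
  # GRANT ALL PRIVILEGES ON casserver.* TO 'casserver'@'localhost'). Do not run the
  # CAS process as MySQL root: a compromised app would then own every database.
  username: casserver
  password: CHANGEME
  host: localhost

authenticator:
  class: CASServer::Authenticators::LDAP
  ldap:
    host: ldap.example.com
    # The user's password is sent to the directory in the bind, so use LDAPS rather
    # than plain LDAP on 389. The option name follows config.yml.example; confirm the
    # installed version honours it, and NOTE(review): older net-ldap releases do not
    # verify the server certificate with simple_tls, so also limit which hosts can
    # reach the directory.
    port: 636
    encryption: simple_tls
    base: dc=example,dc=com
    username_attribute: uid
    filter: (objectClass=person)
theme: simple
organization: CAS
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
default_locale: en
log:
  file: /var/log/casserver.log
  # INFO records logins; do not raise to DEBUG in production, which may log credentials.
  level: INFO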


At this point, you can test your implementation:
[root@localhost ~]# setenforce 0
[root@localhost ~]# service httpd start

Note that setenforce 0 turns SELinux enforcement off. Do this only on a test host and only long enough to collect the denials: exercise a login, build a module from the audit log with `audit2allow -M rubycasserver` (or checkmodule/semodule_package on the file below), load it with `semodule -i rubycasserver.pp`, and turn enforcement back on with `setenforce 1`. Review the generated rules before loading them - audit2allow allows everything it saw denied, not just what the application needs.
Here is an example SELinux policy file that worked for me:

# SELinux policy module assembled from audit2allow output collected while httpd and
# Passenger ran in permissive mode. audit2allow turns every denial it observed into an
# allow rule, so this is a record of one test run, not a minimal policy; review each
# rule before loading it on a production host.
module rubycasserver 1.0;

require {
	type unconfined_t;
	type init_t;
	type auditd_t;
	type mysqld_t;
	type syslogd_t;
	type getty_t;
	type initrc_t;
	type var_log_t;
	type tmp_t;
	type rpm_script_t;
	type mysqld_db_t;
	type dhcpc_t;
	type local_login_t;
	type httpd_tmp_t;
	type kernel_t;
	type mysqld_var_run_t;
	type usr_t;
	type postfix_qmgr_t;
	type passenger_t;
	type postfix_master_t;
	type udev_t;
	type mysqld_safe_t;
	type postfix_pickup_t;
	type groupadd_t;
	type crond_t;
	type rpm_t;
	type system_cronjob_t;
	type plymouthd_t;
	type httpd_t;
	type sshd_t;
	class unix_stream_socket connectto;
	class capability { sys_resource sys_ptrace sys_tty_config };
	class tcp_socket listen;
	class file { setattr read create write getattr unlink open append };
	class sock_file { write getattr setattr create unlink };
	class dir { search setattr read create write getattr rmdir remove_name add_name };
}

#============= httpd_t ==============
# Apache connects to Passenger's request socket, which here sits in generic tmp_t
# (presumably under /tmp); labeling that socket with a passenger-specific type would
# avoid granting httpd_t write on every tmp_t socket - TODO confirm the socket path.
allow httpd_t tmp_t:sock_file write;

#============= passenger_t ==============
# The { getattr search } / { read open } pairs on other process domains (auditd_t,
# sshd_t, unconfined_t, ...) are reads of those processes' /proc/<pid> entries, most
# likely from Passenger enumerating running processes. None of them is required to
# serve a CAS request. NOTE(review): consider turning these into dontaudit rules
# instead of letting passenger_t read every process's /proc state - verify Passenger
# still starts with that change before relying on it.
allow passenger_t auditd_t:dir { getattr search };
allow passenger_t auditd_t:file { read open };
allow passenger_t crond_t:dir { getattr search };
allow passenger_t crond_t:file { read open };
allow passenger_t dhcpc_t:dir { getattr search };
allow passenger_t dhcpc_t:file { read open };
allow passenger_t getty_t:dir { getattr search };
allow passenger_t getty_t:file { read open };
allow passenger_t groupadd_t:dir { getattr search };
allow passenger_t groupadd_t:file { read open };
allow passenger_t httpd_t:dir { getattr search };
allow passenger_t httpd_t:file { read open };
allow passenger_t httpd_tmp_t:file { getattr unlink setattr };
allow passenger_t init_t:dir { getattr search };
allow passenger_t init_t:file { read open };
allow passenger_t initrc_t:dir { getattr search };
allow passenger_t initrc_t:file { read open };
allow passenger_t kernel_t:dir { getattr search };
allow passenger_t kernel_t:file { read open };
allow passenger_t local_login_t:dir { getattr search };
allow passenger_t local_login_t:file { read open };
# MySQL access over the local unix socket (the config.yml host is localhost). Check
# whether the distribution policy already provides this through a boolean or a
# passenger/mysql interface before keeping hand-written allow rules for it.
allow passenger_t mysqld_db_t:dir search;
allow passenger_t mysqld_safe_t:dir { getattr search };
allow passenger_t mysqld_safe_t:file { read open };
allow passenger_t mysqld_t:dir { getattr search };
allow passenger_t mysqld_t:file { read open };
allow passenger_t mysqld_t:unix_stream_socket connectto;
allow passenger_t mysqld_var_run_t:sock_file write;
allow passenger_t plymouthd_t:dir { getattr search };
allow passenger_t plymouthd_t:file { read open };
allow passenger_t postfix_master_t:dir { getattr search };
allow passenger_t postfix_master_t:file { read open };
allow passenger_t postfix_pickup_t:dir { getattr search };
allow passenger_t postfix_pickup_t:file { read open };
allow passenger_t postfix_qmgr_t:dir { getattr search };
allow passenger_t postfix_qmgr_t:file { read open };
allow passenger_t rpm_script_t:dir { getattr search };
allow passenger_t rpm_script_t:file { read open };
allow passenger_t rpm_t:dir { search getattr };
allow passenger_t rpm_t:file { read open };
# sys_ptrace is almost certainly requested by the same /proc walk (reading other
# users' /proc/<pid> entries), not by an actual ptrace; sys_tty_config and
# sys_resource likewise look like side effects of process inspection and setrlimit.
# NOTE(review): a dontaudit on these capabilities is usually sufficient - confirm.
allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config };
allow passenger_t self:tcp_socket listen;
allow passenger_t sshd_t:dir { getattr search };
allow passenger_t sshd_t:file { read open };
allow passenger_t syslogd_t:dir { getattr search };
allow passenger_t syslogd_t:file { read open };
allow passenger_t system_cronjob_t:dir { getattr search };
allow passenger_t system_cronjob_t:file { read open };
# Passenger creates its working directory and sockets under /tmp, so it gets full
# create/unlink rights on generic tmp_t; a dedicated labeled directory would be tighter.
allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name };
allow passenger_t tmp_t:file { write getattr setattr read create unlink open };
allow passenger_t tmp_t:sock_file { write create unlink getattr setattr };
allow passenger_t udev_t:dir { getattr search };
allow passenger_t udev_t:file { read open };
allow passenger_t unconfined_t:dir { getattr search };
allow passenger_t unconfined_t:file { read open };
# Reading the gem files installed under /usr/lib/ruby (usr_t).
allow passenger_t usr_t:file { read getattr open };
# Appending to /var/log/casserver.log, which carries the generic var_log_t label;
# giving that file its own log type (semanage fcontext) would confine the grant.
allow passenger_t var_log_t:file { getattr open append };