wiki:RubyCASServer

RUBYCAS SERVER USING MOD_PASSENGER, LOCAL MYSQL DATABASE, AND LDAP AUTH ON PUIAS

[root@localhost ~]# yum install puias-{addons,unsupported}
[root@localhost ~]# yum install ruby{-mysql,gem-rubycas-server,gem-net-ldap} mod_{ssl,passenger} mysql-server


Open /etc/sysconfig/iptables and allow port 443 (https) traffic:

-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT


Configure httpd:

[root@localhost ~]# chkconfig httpd on
[root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf

Configure /etc/httpd/conf.d/ssl.conf to look something like this:

LoadModule ssl_module modules/mod_ssl.so
Listen 443

SSLPassPhraseDialog  builtin
SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout  300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom  256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin

<VirtualHost _default_:443>
	RailsAutoDetect Off
	RackBaseUri /

	DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
	ErrorLog logs/ssl_error_log
	TransferLog logs/ssl_access_log
	LogLevel warn

	SSLEngine on
	SSLProtocol all -SSLv2
	SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
	SSLCertificateFile /etc/pki/tls/certs/httpd.pem

	<Files ~ "\.(cgi|shtml|phtml|php3?)$">
		SSLOptions +StdEnvVars
	</Files>

	<Directory "/var/www/cgi-bin">
		SSLOptions +StdEnvVars
	</Directory>

	<Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
		AllowOverride All
		Allow from all
	</Directory>

	SetEnvIf User-Agent ".*MSIE.*" \
	  nokeepalive ssl-unclean-shutdown \
	  downgrade-1.0 force-response-1.0
	CustomLog logs/ssl_request_log \
	  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>


Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION:

[root@localhost ~]# cd /etc/pki/tls/certs
[root@localhost ~]# make httpd.pem
Now fill out the questionaire...


Configure MySQL (example assumes local mysql):

[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
[root@localhost ~]# /usr/bin/mysql_secure_installation

Fill out the questions, be sure to set a new root password and remove all test accounts/dbs. It would also be very wise to create a rubycas user with limited permissions, doing so is beyond the scope of this document.

[root@localhost ~]# mysql -u root -p
mysql> create database casserver;
mysql> use casserver;
mysql> source /etc/rubycas-server/create_rubycas_mysql_db.sql


Create and configure the file /etc/rubycas-server/config.yml
There is an example config file located at /etc/rubycas-server/config.yml.example. Here is a trimmed example, all the helpful comments have been removed:

database:
  pool: 10
  adapter: mysql
  database: casserver
  username: root
  password: CHANGEME
  host: localhost
  reconnect: true
authenticator:
  class: CASServer::Authenticators::LDAP
  ldap:
    host: ldap.example.com
    port: 389
    base: dc=example,dc=com
    username_attribute: uid
    filter: (objectClass=person)
theme: simple
organization: CAS
infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
default_locale: en
log:
  file: /var/log/casserver.log
  level: INFO


At this point, you can test your implementation:

[root@localhost ~]# setenforce 0
[root@localhost ~]# service httpd start


Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files. Here is an example SELinux policy file that worked for me (but may still be a little lax):

module cscas 1.1;

require {
        type httpd_t;
        type mysqld_port_t;
        type passenger_t;
        type passenger_tmp_t;
        type var_log_t;
        class capability { sys_resource sys_ptrace };
        class dir { write getattr search add_name };
        class file { write getattr setattr read create open append };
        class sock_file { write getattr setattr create unlink };
        class tcp_socket { name_connect listen };
}

#============= httpd_t ==============
allow httpd_t passenger_tmp_t:dir { write search getattr add_name };
allow httpd_t passenger_tmp_t:file { write create open setattr };
allow httpd_t passenger_tmp_t:sock_file write;

#============= passenger_t ==============
allow passenger_t mysqld_port_t:tcp_socket name_connect;
allow passenger_t passenger_tmp_t:sock_file { write create unlink getattr setattr };
allow passenger_t self:capability { sys_resource sys_ptrace };
allow passenger_t var_log_t:file { getattr open append };

Now, you can set up a client mod_auth_cas. Something that works looks like:

# Uncomment for testing. Never leave these uncommented in production.
# CASDebug On
# CASValidateServer Off

CASLoginURL https://signon.example.com/login
CASValidateURL https://signon.example.com/serviceValidate
CASCookiePath /var/www/cascookies/

<Directory "/protected">
   AuthType CAS
   AuthName "Staff ONLY"
   Require user john joe bob
</Directory>

Last modified 5 years ago Last modified on May 2, 2012 10:13:23 AM