RUBYCAS SERVER USING MOD_PASSENGER, LOCAL MYSQL DATABASE, AND LDAP AUTH ON PUIAS[[BR]]
[[BR]]
{{{
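# the addons/unsupported repositories are presumably where the rubycas and
# passenger packages used in the next step come from
[root@localhost ~]# yum install puias-{addons,unsupported}
[root@localhost ~]# yum install ruby{-mysql,gem-rubycas-server,gem-net-ldap} mod_{ssl,passenger} mysql-server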
}}}
[[BR]]
Open /etc/sysconfig/iptables and allow port 443 (https) traffic by adding this rule ahead of the INPUT chain's final REJECT rule (rules are matched in order), then reload the firewall:[[BR]]
{{{
# accept new inbound HTTPS connections; must precede the chain's final REJECT rule to take effect
-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
}}}
[[BR]]
Configure httpd:[[BR]]
{{{
# start httpd at boot
[root@localhost ~]# chkconfig httpd on
# drop the stock welcome page so the server does not serve it at the site root
[root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf
}}}
Configure /etc/httpd/conf.d/ssl.conf to look something like this:[[BR]]
{{{
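LoadModule ssl_module modules/mod_ssl.so
Listen 443
SSLPassPhraseDialog builtin
SSLSessionCache shmcb:/var/cache/mod_ssl/scache(512000)
SSLSessionCacheTimeout 300
SSLMutex default
SSLRandomSeed startup file:/dev/urandom 256
SSLRandomSeed connect builtin
SSLCryptoDevice builtin
# Passenger: rubycas-server is a Rack application mounted at the site root
RailsAutoDetect Off
RackBaseUri /
# NOTE(review): the <VirtualHost>/<Directory> container lines were missing from
# the listing (AllowOverride is only valid inside <Directory>, and "SSLEngine on"
# in the global context would also apply to the port-80 listener). They are
# restored here following the stock ssl.conf layout -- confirm against your file.
<VirtualHost _default_:443>
DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel warn
SSLEngine on
# SSLv3 is as broken as SSLv2 for a service that handles user passwords; allow only TLS
SSLProtocol all -SSLv2 -SSLv3
# The original "ALL:...:RC4+RSA:+HIGH:+MEDIUM:+LOW" list still accepted LOW and
# RC4 ciphers. Offer only strong ciphers, no anonymous/null key exchange, and let
# the server rather than the client decide the preference order.
SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
SSLHonorCipherOrder on
# httpd.pem (from "make httpd.pem") holds the private key together with the
# certificate, so no separate SSLCertificateKeyFile is given; keep it root-owned, mode 0600.
SSLCertificateFile /etc/pki/tls/certs/httpd.pem
SSLOptions +StdEnvVars
<Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
AllowOverride All
Allow from all
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>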
}}}
[[BR]]
Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION. CAS clients validate this certificate when they call back to the server to validate tickets, so a self-signed certificate must be trusted by every client, or replaced with a CA-issued one whose name matches the hostname clients use:[[BR]]
{{{
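[root@localhost ~]# cd /etc/pki/tls/certs
# writes a self-signed certificate AND its private key into the single file httpd.pem
[root@localhost ~]# make httpd.pem
Now fill out the questionnaire...
# the file contains the private key: confirm it is owned by root and not
# readable by anyone else (mode 0600) before httpd is started
[root@localhost ~]# ls -l httpd.pem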
}}}
[[BR]]
Configure MySQL (example assumes local mysql):[[BR]]
{{{
# start mysqld at boot and bring it up now
[root@localhost ~]# chkconfig mysqld on
[root@localhost ~]# service mysqld start
# interactive: sets the root password and removes the anonymous/test accounts and test database
[root@localhost ~]# /usr/bin/mysql_secure_installation
}}}
Answer the prompts: set a new root password and remove the anonymous accounts and test databases. Do not run the CAS server as MySQL root; create a dedicated rubycas user whose privileges are limited to the casserver database (a CREATE USER plus a GRANT on casserver.* is enough). Full details are beyond the scope of this document.[[BR]]
{{{
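[root@localhost ~]# mysql -u root -p
mysql> create database casserver;
mysql> use casserver;
mysql> source /etc/rubycas-server/create_rubycas_mysql_db.sql
mysql> -- dedicated account for the CAS server, confined to the casserver database;
mysql> -- use it in config.yml instead of root (pick a real password)
mysql> create user 'rubycas'@'localhost' identified by 'CHANGEME';
mysql> grant all privileges on casserver.* to 'rubycas'@'localhost';
mysql> flush privileges;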
}}}
[[BR]]
Create and configure the file /etc/rubycas-server/config.yml[[BR]]
There is an example config file at /etc/rubycas-server/config.yml.example. Here is a trimmed example with the helpful comments removed. The file holds the database password, so keep it owned by root and readable only by the account Passenger runs the application as:[[BR]]
{{{
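# rubycas-server config.yml (nesting restored; the flattened listing was not valid YAML)
database:
  pool: 10
  adapter: mysql
  database: casserver
  # Do not connect as MySQL root: use a dedicated account whose grants are
  # limited to the casserver database, and put its real password here.
  username: root
  password: CHANGEME
  host: localhost
  reconnect: true
authenticator:
  class: CASServer::Authenticators::LDAP
  ldap:
    host: ldap.example.com
    # Port 389 with no TLS sends every user's password to the LDAP server in
    # clear text. Prefer LDAPS (636) or TLS; see config.yml.example for the
    # encryption setting supported by this authenticator.
    port: 389
    base: dc=example,dc=com
    username_attribute: uid
    filter: (objectClass=person)
theme: simple
organization: CAS
infoline: Powered by RubyCAS-Server
default_locale: en
log:
  file: /var/log/casserver.log
  level: INFO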
}}}
[[BR]]
At this point, you can test your implementation:[[BR]]
{{{
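# permissive mode: SELinux denials are logged to the audit log but not enforced
[root@localhost ~]# setenforce 0
[root@localhost ~]# service httpd start
# ...test, collect the denials, build and load the policy module, then go back to enforcing:
[root@localhost ~]# setenforce 1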
}}}
[[BR]]
Note that `setenforce 0` puts SELinux in permissive mode rather than disabling it: denials are still written to the audit log, which is what audit2allow needs to generate a policy module. Use this only for testing and return to enforcing mode afterwards. Here is an example SELinux policy file that worked for me (it needs a serious cleanup, as it grants far more than a CAS server should need):[[BR]]
{{{
# Policy module generated from the denials logged while running in permissive
# mode. It allows everything that was observed, which is far broader than a CAS
# server needs; treat it as a starting point, not a finished policy.
module rubycasserver 1.0;
require {
type unconfined_t;
type init_t;
type auditd_t;
type mysqld_t;
type syslogd_t;
type getty_t;
type initrc_t;
type var_log_t;
type tmp_t;
type rpm_script_t;
type mysqld_db_t;
type dhcpc_t;
type local_login_t;
type httpd_tmp_t;
type kernel_t;
type mysqld_var_run_t;
type usr_t;
type postfix_qmgr_t;
type passenger_t;
type postfix_master_t;
type udev_t;
type mysqld_safe_t;
type postfix_pickup_t;
type groupadd_t;
type crond_t;
type rpm_t;
type system_cronjob_t;
type plymouthd_t;
type httpd_t;
type sshd_t;
class unix_stream_socket connectto;
class capability { sys_resource sys_ptrace sys_tty_config };
class tcp_socket listen;
class file { setattr read create write getattr unlink open append };
class sock_file { write getattr setattr create unlink };
class dir { search setattr read create write getattr rmdir remove_name add_name };
}
#============= httpd_t ==============
# httpd reaches the application through a unix socket carrying the generic tmp_t label
allow httpd_t tmp_t:sock_file write;
#============= passenger_t ==============
# NOTE(review): the long run of "<domain>_t:dir { getattr search }" /
# "<domain>_t:file { read open }" rules below lets passenger_t read the
# /proc/<pid> entries (files labelled with a process domain type) of nearly every
# other domain on the host: auditd, sshd, unconfined, rpm, ... Presumably Passenger
# was enumerating processes; unless that feature is actually needed these are
# better expressed as dontaudit rules than as allows.
allow passenger_t auditd_t:dir { getattr search };
allow passenger_t auditd_t:file { read open };
allow passenger_t crond_t:dir { getattr search };
allow passenger_t crond_t:file { read open };
allow passenger_t dhcpc_t:dir { getattr search };
allow passenger_t dhcpc_t:file { read open };
allow passenger_t getty_t:dir { getattr search };
allow passenger_t getty_t:file { read open };
allow passenger_t groupadd_t:dir { getattr search };
allow passenger_t groupadd_t:file { read open };
allow passenger_t httpd_t:dir { getattr search };
allow passenger_t httpd_t:file { read open };
allow passenger_t httpd_tmp_t:file { getattr unlink setattr };
allow passenger_t init_t:dir { getattr search };
allow passenger_t init_t:file { read open };
allow passenger_t initrc_t:dir { getattr search };
allow passenger_t initrc_t:file { read open };
allow passenger_t kernel_t:dir { getattr search };
allow passenger_t kernel_t:file { read open };
allow passenger_t local_login_t:dir { getattr search };
allow passenger_t local_login_t:file { read open };
# reaching the local MySQL server (config.yml uses host: localhost) through its
# unix socket under the data directory
allow passenger_t mysqld_db_t:dir search;
allow passenger_t mysqld_safe_t:dir { getattr search };
allow passenger_t mysqld_safe_t:file { read open };
allow passenger_t mysqld_t:dir { getattr search };
allow passenger_t mysqld_t:file { read open };
allow passenger_t mysqld_t:unix_stream_socket connectto;
allow passenger_t mysqld_var_run_t:sock_file write;
allow passenger_t plymouthd_t:dir { getattr search };
allow passenger_t plymouthd_t:file { read open };
allow passenger_t postfix_master_t:dir { getattr search };
allow passenger_t postfix_master_t:file { read open };
allow passenger_t postfix_pickup_t:dir { getattr search };
allow passenger_t postfix_pickup_t:file { read open };
allow passenger_t postfix_qmgr_t:dir { getattr search };
allow passenger_t postfix_qmgr_t:file { read open };
allow passenger_t rpm_script_t:dir { getattr search };
allow passenger_t rpm_script_t:file { read open };
allow passenger_t rpm_t:dir { search getattr };
allow passenger_t rpm_t:file { read open };
# NOTE(review): sys_ptrace lets this domain inspect other processes and
# sys_tty_config changes console settings; both are unusual for a web
# application. Find out which operation triggered them before keeping this line.
allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config };
allow passenger_t self:tcp_socket listen;
allow passenger_t sshd_t:dir { getattr search };
allow passenger_t sshd_t:file { read open };
allow passenger_t syslogd_t:dir { getattr search };
allow passenger_t syslogd_t:file { read open };
allow passenger_t system_cronjob_t:dir { getattr search };
allow passenger_t system_cronjob_t:file { read open };
# full create/write/unlink on the generic tmp_t label; a dedicated *_tmp_t label
# for Passenger's files and sockets would be a narrower grant
allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name };
allow passenger_t tmp_t:file { write getattr setattr read create unlink open };
allow passenger_t tmp_t:sock_file { write create unlink getattr setattr };
allow passenger_t udev_t:dir { getattr search };
allow passenger_t udev_t:file { read open };
allow passenger_t unconfined_t:dir { getattr search };
allow passenger_t unconfined_t:file { read open };
allow passenger_t usr_t:file { read getattr open };
# appending to /var/log/casserver.log (var_log_t), the log file set in config.yml
allow passenger_t var_log_t:file { getattr open append };
}}}