Changes between Version 1 and Version 2 of RubyCASServer


Timestamp:
Oct 27, 2011 1:41:01 PM (10 years ago)
Author:
brose
Comment:

--

  • RubyCASServer

    55[[BR]]
    66Open /etc/sysconfig/iptables and allow port 443 (https) traffic:[[BR]]
    7 -A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT[[BR]]
    8 [[BR]]
    9 Create the file /usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/config.ru[[BR]]
    10 See the example in this folder.[[BR]]
     7{{{
     8-A INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
     9}}}
     10[[BR]]
     11Create the file /usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/config.ru with the following content:[[BR]]
     12{{{
     13require 'rubygems'
     14
     15$:.unshift "#{File.dirname(__FILE__)}/lib"
     16require "casserver"
     17
     18use Rack::ShowExceptions
     19use Rack::Runtime
     20use Rack::CommonLogger
     21
     22run CASServer::Server.new
     23}}}
    1124[[BR]]
    1225Configure httpd:[[BR]]
    1326[root@localhost ~]# chkconfig httpd on[[BR]]
    1427[root@localhost ~]# rm -f /etc/httpd/conf.d/welcome.conf[[BR]]
    15 Configure /etc/httpd/conf.d/ssl.conf as per the given example[[BR]]
     28Configure /etc/httpd/conf.d/ssl.conf to look something like this:[[BR]]
     29{{{
     30LoadModule ssl_module modules/mod_ssl.so
     31Listen 443
     32
     33SSLPassPhraseDialog  builtin
     34SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
     35SSLSessionCacheTimeout  300
     36SSLMutex default
     37SSLRandomSeed startup file:/dev/urandom  256
     38SSLRandomSeed connect builtin
     39SSLCryptoDevice builtin
     40
     41<VirtualHost _default_:443>
     42        RailsAutoDetect Off
     43        RackBaseUri /
     44
     45        DocumentRoot "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public"
     46        ErrorLog logs/ssl_error_log
     47        TransferLog logs/ssl_access_log
     48        LogLevel warn
     49
     50        SSLEngine on
     51        SSLProtocol all -SSLv2
     52        SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
     53        SSLCertificateFile /etc/pki/tls/certs/httpd.pem
     54
     55        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
     56                SSLOptions +StdEnvVars
     57        </Files>
     58
     59        <Directory "/var/www/cgi-bin">
     60                SSLOptions +StdEnvVars
     61        </Directory>
     62
     63        <Directory "/usr/lib/ruby/gems/1.8/gems/rubycas-server-1.0/public">
     64                AllowOverride All
     65                Allow from all
     66        </Directory>
     67
     68        SetEnvIf User-Agent ".*MSIE.*" \
     69          nokeepalive ssl-unclean-shutdown \
     70          downgrade-1.0 force-response-1.0
     71        CustomLog logs/ssl_request_log \
     72          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
     73</VirtualHost>
     74}}}
    1675[[BR]]
    1776Create a test cert and key for httpd - BE SURE TO REPLACE THESE IN PRODUCTION:[[BR]]
     
    2988mysql> use casserver;[[BR]]
    3089mysql> source /path/to/create_rubycas_mysql_db.sql[[BR]]
     90The SQL file should look like this:[[BR]]
     91{{{
     92-- MySQL dump 10.13  Distrib 5.1.52, for unknown-linux-gnu (x86_64)
     93--
     94-- Host: localhost    Database: casserver
     95-- ------------------------------------------------------
     96-- Server version       5.1.52
     97
     98/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
     99/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
     100/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
     101/*!40101 SET NAMES utf8 */;
     102/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
     103/*!40103 SET TIME_ZONE='+00:00' */;
     104/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
     105/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
     106/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
     107/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
     108
     109--
     110-- Table structure for table `casserver_lt`
     111--
     112
     113DROP TABLE IF EXISTS `casserver_lt`;
     114/*!40101 SET @saved_cs_client     = @@character_set_client */;
     115/*!40101 SET character_set_client = utf8 */;
     116CREATE TABLE `casserver_lt` (
     117  `id` int(11) NOT NULL AUTO_INCREMENT,
     118  `ticket` varchar(255) NOT NULL,
     119  `created_on` datetime NOT NULL,
     120  `consumed` datetime DEFAULT NULL,
     121  `client_hostname` varchar(255) NOT NULL,
     122  PRIMARY KEY (`id`)
     123) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1;
     124/*!40101 SET character_set_client = @saved_cs_client */;
     125
     126--
     127-- Table structure for table `casserver_pgt`
     128--
     129
     130DROP TABLE IF EXISTS `casserver_pgt`;
     131/*!40101 SET @saved_cs_client     = @@character_set_client */;
     132/*!40101 SET character_set_client = utf8 */;
     133CREATE TABLE `casserver_pgt` (
     134  `id` int(11) NOT NULL AUTO_INCREMENT,
     135  `ticket` varchar(255) NOT NULL,
     136  `created_on` datetime NOT NULL,
     137  `client_hostname` varchar(255) NOT NULL,
     138  `iou` varchar(255) NOT NULL,
     139  `service_ticket_id` int(11) NOT NULL,
     140  PRIMARY KEY (`id`)
     141) ENGINE=InnoDB DEFAULT CHARSET=latin1;
     142/*!40101 SET character_set_client = @saved_cs_client */;
     143
     144--
     145-- Table structure for table `casserver_st`
     146--
     147
     148DROP TABLE IF EXISTS `casserver_st`;
     149/*!40101 SET @saved_cs_client     = @@character_set_client */;
     150/*!40101 SET character_set_client = utf8 */;
     151CREATE TABLE `casserver_st` (
     152  `id` int(11) NOT NULL AUTO_INCREMENT,
     153  `ticket` varchar(255) NOT NULL,
     154  `service` text NOT NULL,
     155  `created_on` datetime NOT NULL,
     156  `consumed` datetime DEFAULT NULL,
     157  `client_hostname` varchar(255) NOT NULL,
     158  `username` varchar(255) NOT NULL,
     159  `type` varchar(255) NOT NULL,
     160  `granted_by_pgt_id` int(11) DEFAULT NULL,
     161  `granted_by_tgt_id` int(11) DEFAULT NULL,
     162  PRIMARY KEY (`id`)
     163) ENGINE=InnoDB DEFAULT CHARSET=latin1;
     164/*!40101 SET character_set_client = @saved_cs_client */;
     165
     166--
     167-- Table structure for table `casserver_tgt`
     168--
     169
     170DROP TABLE IF EXISTS `casserver_tgt`;
     171/*!40101 SET @saved_cs_client     = @@character_set_client */;
     172/*!40101 SET character_set_client = utf8 */;
     173CREATE TABLE `casserver_tgt` (
     174  `id` int(11) NOT NULL AUTO_INCREMENT,
     175  `ticket` varchar(255) NOT NULL,
     176  `created_on` datetime NOT NULL,
     177  `client_hostname` varchar(255) NOT NULL,
     178  `username` varchar(255) NOT NULL,
     179  `extra_attributes` text,
     180  PRIMARY KEY (`id`)
     181) ENGINE=InnoDB DEFAULT CHARSET=latin1;
     182/*!40101 SET character_set_client = @saved_cs_client */;
     183
     184--
     185-- Table structure for table `schema_migrations`
     186--
     187
     188DROP TABLE IF EXISTS `schema_migrations`;
     189/*!40101 SET @saved_cs_client     = @@character_set_client */;
     190/*!40101 SET character_set_client = utf8 */;
     191CREATE TABLE `schema_migrations` (
     192  `version` varchar(255) NOT NULL,
     193  UNIQUE KEY `unique_schema_migrations` (`version`)
     194) ENGINE=InnoDB DEFAULT CHARSET=latin1;
     195/*!40101 SET character_set_client = @saved_cs_client */;
     196/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
     197
     198/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
     199/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
     200/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
     201/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
     202/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
     203/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
     204/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
     205
     206-- Dump completed on 2011-10-27  9:53:58
     207}}}
    31208[[BR]]
    32209Create and configure the file /etc/rubycas-server/config.yml[[BR]]
    33 See example in this folder.[[BR]]
     210There is an example config file located at /etc/rubycas-server/config.yml.example. Here is a trimmed example, all the helpful comments have been removed:[[BR]]
     211{{{
     212database:
     213  pool: 10
     214  adapter: mysql
     215  database: casserver
     216  username: root
     217  password: CHANGEME
     218  host: localhost
     219 
     220authenticator:
     221  class: CASServer::Authenticators::LDAP
     222  ldap:
     223    host: ldap.example.com
     224    port: 389
     225    base: dc=example,dc=com
     226    username_attribute: uid
     227    filter: (objectClass=person)
     228theme: simple
     229organization: CAS
     230infoline: Powered by <a href="http://code.google.com/p/rubycas-server/">RubyCAS-Server</a>
     231default_locale: en
     232log:
     233  file: /var/log/casserver.log
     234  level: INFO
     235}}}
    34236[[BR]]
    35237At this point, you can test your implementation:[[BR]]
     
    38240[[BR]]
    39241Note that I disabled SELinux. This should be used only for testing purposes, to generate policy files.[[BR]]
    40 Please see rubycas-server.te in this directory for an example SELinux policy file that worked for me.[[BR]]
     242Here is an example SELinux policy file that worked for me:[[BR]]
     243{{{
     244module rubycasserver 1.0;
     245
     246require {
     247        type unconfined_t;
     248        type init_t;
     249        type auditd_t;
     250        type mysqld_t;
     251        type syslogd_t;
     252        type getty_t;
     253        type initrc_t;
     254        type var_log_t;
     255        type tmp_t;
     256        type rpm_script_t;
     257        type mysqld_db_t;
     258        type dhcpc_t;
     259        type local_login_t;
     260        type httpd_tmp_t;
     261        type kernel_t;
     262        type mysqld_var_run_t;
     263        type usr_t;
     264        type postfix_qmgr_t;
     265        type passenger_t;
     266        type postfix_master_t;
     267        type udev_t;
     268        type mysqld_safe_t;
     269        type postfix_pickup_t;
     270        type groupadd_t;
     271        type crond_t;
     272        type rpm_t;
     273        type system_cronjob_t;
     274        type plymouthd_t;
     275        type httpd_t;
     276        type sshd_t;
     277        class unix_stream_socket connectto;
     278        class capability { sys_resource sys_ptrace sys_tty_config };
     279        class tcp_socket listen;
     280        class file { setattr read create write getattr unlink open append };
     281        class sock_file { write getattr setattr create unlink };
     282        class dir { search setattr read create write getattr rmdir remove_name add_name };
     283}
     284
     285#============= httpd_t ==============
     286allow httpd_t tmp_t:sock_file write;
     287
     288#============= passenger_t ==============
     289allow passenger_t auditd_t:dir { getattr search };
     290allow passenger_t auditd_t:file { read open };
     291allow passenger_t crond_t:dir { getattr search };
     292allow passenger_t crond_t:file { read open };
     293allow passenger_t dhcpc_t:dir { getattr search };
     294allow passenger_t dhcpc_t:file { read open };
     295allow passenger_t getty_t:dir { getattr search };
     296allow passenger_t getty_t:file { read open };
     297allow passenger_t groupadd_t:dir { getattr search };
     298allow passenger_t groupadd_t:file { read open };
     299allow passenger_t httpd_t:dir { getattr search };
     300allow passenger_t httpd_t:file { read open };
     301allow passenger_t httpd_tmp_t:file { getattr unlink setattr };
     302allow passenger_t init_t:dir { getattr search };
     303allow passenger_t init_t:file { read open };
     304allow passenger_t initrc_t:dir { getattr search };
     305allow passenger_t initrc_t:file { read open };
     306allow passenger_t kernel_t:dir { getattr search };
     307allow passenger_t kernel_t:file { read open };
     308allow passenger_t local_login_t:dir { getattr search };
     309allow passenger_t local_login_t:file { read open };
     310allow passenger_t mysqld_db_t:dir search;
     311allow passenger_t mysqld_safe_t:dir { getattr search };
     312allow passenger_t mysqld_safe_t:file { read open };
     313allow passenger_t mysqld_t:dir { getattr search };
     314allow passenger_t mysqld_t:file { read open };
     315allow passenger_t mysqld_t:unix_stream_socket connectto;
     316allow passenger_t mysqld_var_run_t:sock_file write;
     317allow passenger_t plymouthd_t:dir { getattr search };
     318allow passenger_t plymouthd_t:file { read open };
     319allow passenger_t postfix_master_t:dir { getattr search };
     320allow passenger_t postfix_master_t:file { read open };
     321allow passenger_t postfix_pickup_t:dir { getattr search };
     322allow passenger_t postfix_pickup_t:file { read open };
     323allow passenger_t postfix_qmgr_t:dir { getattr search };
     324allow passenger_t postfix_qmgr_t:file { read open };
     325allow passenger_t rpm_script_t:dir { getattr search };
     326allow passenger_t rpm_script_t:file { read open };
     327allow passenger_t rpm_t:dir { search getattr };
     328allow passenger_t rpm_t:file { read open };
     329allow passenger_t self:capability { sys_resource sys_ptrace sys_tty_config };
     330allow passenger_t self:tcp_socket listen;
     331allow passenger_t sshd_t:dir { getattr search };
     332allow passenger_t sshd_t:file { read open };
     333allow passenger_t syslogd_t:dir { getattr search };
     334allow passenger_t syslogd_t:file { read open };
     335allow passenger_t system_cronjob_t:dir { getattr search };
     336allow passenger_t system_cronjob_t:file { read open };
     337allow passenger_t tmp_t:dir { write rmdir setattr read remove_name create add_name };
     338allow passenger_t tmp_t:file { write getattr setattr read create unlink open };
     339allow passenger_t tmp_t:sock_file { write create unlink getattr setattr };
     340allow passenger_t udev_t:dir { getattr search };
     341allow passenger_t udev_t:file { read open };
     342allow passenger_t unconfined_t:dir { getattr search };
     343allow passenger_t unconfined_t:file { read open };
     344allow passenger_t usr_t:file { read getattr open };
     345allow passenger_t var_log_t:file { getattr open append };
     346}}}