System Preparation

Turn off SELinux

Currently, Moonshot will not work while SELinux is in enforcing mode. Until this is resolved, switch SELinux to permissive mode. In permissive mode the policy is still evaluated and denials are still written to the audit log, so you can see what httpd would have been blocked from doing; the policy is simply no longer enforced. The change can be made temporarily (it is lost on reboot) or permanently (it persists across reboots).

Temporarily

The following command, run as root, turns enforcing mode off until the next reboot (setenforce 0 is equivalent):

    $ echo 0 > /selinux/enforce
Permanently

Edit /etc/sysconfig/selinux and change "SELINUX=enforcing" to "SELINUX=permissive". Reboot the system.

Add the Moonshot libraries

If you have not already done so, first follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.

Installation Instructions

To use the Apache module, install it and the MIT Kerberos client package:

    $ yum install mod_auth_gssapi krb5-workstation
Add a dummy Kerberos key to the keytab the module requires. The key is never used to authenticate Moonshot clients, so any password will do; replace YOUR-WEBSERVER-HOSTNAME with your web server's host name:

    $ ktutil
    ktutil: addent -password -p HTTP/localhost@YOUR-WEBSERVER-HOSTNAME -k 1 -e aes256-cts
    <enter any password>
    ktutil: wkt /etc/httpd/krb5.keytab
    ktutil: quit
Export the location of the keytab file into Apache's environment. On RHEL/CentOS/SL 6 the httpd init script sources /etc/sysconfig/httpd before starting the server (/etc/httpd/envvars is the Debian/Ubuntu location and is not read on RHEL):

    $ echo export KRB5_KTNAME=/etc/httpd/krb5.keytab >> /etc/sysconfig/httpd
Note: Alternatively, you can use the GSSKrb5Keytab directive inside the Location block described in Section 3.1 to specify the keytab.
Assign the correct ownership to the keytab file. It contains key material, so it should be owned by the Apache user and readable by that user only (mode 0600, not group- or world-readable):

    $ chown apache:apache /etc/httpd/krb5.keytab
Ensure that the CA certificate, client certificate and client key referenced in /etc/radsec.conf can be read by the Apache user. Open a shell as that user and try to read each file:

    $ su - --shell=/bin/bash apache
    $ cat path_to_ca.pem
    $ cat path_to_client.pem
    $ cat path_to_client.key

If they cannot be read, add the Apache user to the group that has read access to the certificates. Do this rather than making the files world-readable: the client key is the web server's RADIUS client credential. The new group membership takes effect for httpd when it is restarted below.

    $ usermod -a -G <group> apache
Verify that KeepAlive is enabled (KeepAlive On) in the Apache configuration file /etc/httpd/conf/httpd.conf. Negotiate authentication takes several round trips that must all happen over the same persistent connection, so it fails when keep-alive is off.
Restart Apache:

    $ service httpd restart
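The checks from the installation steps above, gathered into one pre-flight script that can be run before and after restarting Apache. This is an added example, not part of the Moonshot documentation or of the mod_auth_gssapi package. It assumes GNU coreutils (for stat -c), an httpd user named apache, and the paths used on this page; the environment file checked for KRB5_KTNAME is /etc/sysconfig/httpd (an assumption: pass whichever file you added the export to). Each check is a function that takes the path it inspects, so it can also be pointed at a scratch copy of the configuration.

```shell
#!/bin/sh
# Pre-flight checks for the Moonshot Apache module setup on RHEL/CentOS/SL 6.
# Added example, not part of the Moonshot documentation. Every check is a
# function taking the path it inspects; preflight() runs them against the
# paths used on this page. Assumes GNU coreutils (stat -c) and the httpd
# user "apache".

# keytab_ok FILE OWNER: keytab exists, belongs to OWNER and is readable by
# the owner only. A group- or world-readable keytab leaks its key material.
keytab_ok() {
    [ -f "$1" ] || return 1
    [ "$(stat -c '%U' "$1")" = "$2" ] || return 1
    case "$(stat -c '%a' "$1")" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# ktname_exported ENVFILE: ENVFILE exports KRB5_KTNAME on an uncommented
# line, so httpd inherits the keytab location when the init script starts it.
ktname_exported() {
    grep -Eq '^[[:space:]]*export[[:space:]]+KRB5_KTNAME=' "$1"
}

# keepalive_on HTTPD_CONF: the last uncommented KeepAlive directive is On.
# Negotiate authentication needs its follow-up requests on the same connection.
keepalive_on() {
    awk 'tolower($1) == "keepalive" { v = tolower($2) }
         END { exit (v == "on") ? 0 : 1 }' "$1"
}

# unreadable_files FILE...: report every FILE the *current* user cannot read
# and fail if there is one. Run it as the apache user to reproduce the
# radsec.conf certificate check, e.g.
#   su -s /bin/sh apache -c '. ./moonshot-preflight.sh; unreadable_files /path/to/ca.pem'
unreadable_files() {
    rc=0
    for f in "$@"; do
        [ -r "$f" ] || { echo "not readable: $f" >&2; rc=1; }
    done
    return $rc
}

# selinux_not_enforcing: SELinux is Permissive or Disabled (or not installed).
selinux_not_enforcing() {
    mode=$(getenforce 2>/dev/null || echo Disabled)
    [ "$mode" != "Enforcing" ]
}

# report NAME CMD...: run one check and print PASS/FAIL; remembers any failure.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; FAILED=1; fi
}

# preflight: run all checks against the live system (paths as on this page;
# /etc/sysconfig/httpd is where this example assumes KRB5_KTNAME was exported).
preflight() {
    FAILED=0
    report selinux     selinux_not_enforcing
    report keytab      keytab_ok /etc/httpd/krb5.keytab apache
    report KRB5_KTNAME ktname_exported /etc/sysconfig/httpd
    report KeepAlive   keepalive_on /etc/httpd/conf/httpd.conf
    return $FAILED
}

# Usage: sh moonshot-preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it as root (sh moonshot-preflight.sh run) for the ownership and SELinux checks, and source it as the apache user to use unreadable_files on the certificate paths from /etc/radsec.conf; a FAIL line names the step above to repeat.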
Configuration Instructions

Warning: Shibboleth2 Apache module incompatibility

Please note that this module is currently not compatible with the Shibboleth2 service provider Apache module. When testing or using the Moonshot module, disable the Shibboleth module and restart the web server before attempting your test. We are attempting to resolve this problem; read Section 6.2 in Apache HTTPD on module incompatibilities.
Protecting a location with Moonshot

To protect a particular location on your Apache server, configure it with an AuthType of "Negotiate". The /etc/httpd/conf.d/auth_gssapi.conf file contains a sample configuration that can get you started.

Tip: To allow anyone with a valid Moonshot account to access /wherever, you would do the following:

    <Location "/wherever">
        AuthType Negotiate
        Require valid-user
    </Location>

Require valid-user admits every identity your RP Proxy accepts, which in a federation can be far more users than you intend. Where access must be limited to particular identities, use the ordinary Apache Require user or Require group directives instead, matched against the user name the module returns (see Populating REMOTE_USER below).
Populating REMOTE_USER

Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier. To populate REMOTE_USER, have the RP Proxy's FreeRADIUS return the User-Name RADIUS attribute in its reply by adding the following to the RP Proxy's post-auth section. Replace "content" with the value, or attribute reference, that should become REMOTE_USER; the ":=" operator replaces any User-Name already present in the reply. Because the web application trusts REMOTE_USER completely, derive this value from the identity the RP Proxy has authenticated, never from an attribute the client can choose itself.

    update reply {
        User-Name := "content"
    }
Accessing Moonshot attributes

The Moonshot module can use either the Shibboleth attribute resolver library, which maps RADIUS and SAML attributes to internal Shibboleth attributes and then to environment variables, or its own internal JSON attribute resolver, which maps RADIUS or SAML attributes directly to environment variables. Read more at Configure a Linux Server's Attribute Resolution about how to configure the Shibboleth or the internal JSON attribute resolver. We are working on enhancements that allow the Moonshot module to expose attributes in the same way as the RedHat module.

HTTPS Internet Explorer compatibility

For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.