Apache Moonshot module information
These instructions relate to using the Apache Moonshot module package. To build the module manually, see the Building Apache HTTPD module on RHEL/CentOS/SL 6 manually page.
All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).
1. System Preparation
1.1. Turn off SELinux
Currently, Moonshot will not work while SELinux is in enforcing mode. Until we resolve this, simply turn SELinux to permissive mode. This can be done temporarily (i.e., on reboot it will be turned back on), or permanently (the change will persist).
The following command will turn Enforcing mode off:
/etc/sysconfig/selinux and change "SELINUX=enforcing" to "SELINUX=permissive". Reboot the system.
1.2. Add the Moonshot libraries
If you have not already done so, you first need to follow the instructions on how to install the Moonshot Libraries on RHEL/CentOS/SL 6.
2. Installation Instructions
To use the Apache module, install it and the MIT Kerberos client package:
Add a dummy Kerberos key to make the module happy:
Export the location of the keytab file into Apache's config:
Alternatively, you can use the
GSSKrb5Keytabconfiguration directive in the
Locationdirective in Section 3.1 to specify the keytab.
Assign the correct permissions to the keytab file:
Ensure that the certificates referenced in
/etc/radsec.confcan be read by the Apache user:
If they cannot be read, add the Apache user to the group that has read access to the certificates:
Verify that the
KeepAliveoption is enabled in the Apache configuration file
3. Configuration Instructions
Shibboleth2 Apache module incompatibility
Please read Section 6.2 in Apache HTTPD on module incompatibilities.
3.1. Protecting a location with Moonshot
To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".
/etc/httpd/conf.d/auth_gssapi.conf file contains a sample configuration that can get you started.
To allow anyone with a valid Moonshot account to access
/wherever, you would do the following:
3.2. Populating REMOTE_USER
Web services often rely on the
REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.
REMOTE_USER, update the FreeRADIUS reply from the RP Proxy with the
User-Name RADIUS attribute in the RP Proxy's post-auth section:
3.3. Accessing Moonshot attributes
The Moonshot module can use either the Shibboleth attribute resolver library to map RADIUS and SAML attributes to internal Shibboleth attributes, and then to environment variables, or use its own internal JSON attribute resolver to map either RADIUS attributes or SAML attributes to environment variables. Read more at Configure a Linux Server's Attribute Resolution about how to configure Shibboleth or the internal JSON attribute resolvers.
We are working on enhancements that allow the Moonshot module to expose attributes in the same way as the RedHat module.
4. HTTPS Internet Explorer compatibility
For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.