System Preparation

Add the Moonshot libraries

If you have not already done so, you first need to follow the instructions on how to .

Installation Instructions

  1. To use the Apache module, install it and the MIT Kerberos client package:


  2. To install the Apache module, issue the following command (or create the appropriate symlinks manually):


  3. Add a dummy Kerberos key to make the module happy:


  4. Export the location of the keytab file into Apache's config:


  5. Assign the correct permissions to the keytab file:


  6. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:


  7. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/apache2/apache2.conf:


  8. Restart Apache:
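
A read-only way to confirm steps 6 and 7, as an added example that is not part of the original instructions. It assumes /etc/radsec.conf names its certificates with cacertfile, certfile and certkeyfile options written as option = "path", and that Apache runs as www-data (the Debian/Ubuntu default); the function names are hypothetical.

```shell
#!/bin/sh
# Added example: read-only checks for steps 6 and 7 above.
# Assumptions: radsec.conf uses option = "path" lines for cacertfile, certfile
# and certkeyfile; the Apache user is www-data (Debian/Ubuntu default).

# Print each path assigned to a certificate or key option in the file $1.
radsec_cert_paths() {
    sed -nE 's/^[[:space:]]*(cacertfile|certfile|certkeyfile)[[:space:]]*=[[:space:]]*"([^"]*)".*/\2/p' "$1"
}

# Run a command as user $1; sudo is only needed when that is another account.
as_user() {
    u=$1; shift
    if [ "$u" = "$(id -un)" ]; then "$@"; else sudo -n -u "$u" "$@"; fi
}

# Step 6: return 0 only if every file named in conf $1 is readable by user $2.
certs_readable_by() {
    conf=$1; user=$2; rc=0
    paths=$(radsec_cert_paths "$conf") || return 2
    [ -n "$paths" ] || { echo "no certificate options in $conf" >&2; return 2; }
    while IFS= read -r f; do
        if ! as_user "$user" test -r "$f" </dev/null; then
            echo "not readable by $user: $f" >&2
            rc=1
        fi
    done <<EOF
$paths
EOF
    return "$rc"
}

# Step 7: return 0 if the last active KeepAlive directive in file $1 is "On".
# Commented-out lines are ignored; a missing directive is reported as a
# failure so that it gets reviewed.
keepalive_enabled() {
    awk 'tolower($1) == "keepalive" { v = tolower($2) }
         END { exit (v != "on") }' "$1"
}

# Check the live system only when asked to: sh check.sh --run [apache-user]
if [ "${1:-}" = "--run" ]; then
    certs_readable_by /etc/radsec.conf "${2:-www-data}" || echo "FAIL: step 6"
    keepalive_enabled /etc/apache2/apache2.conf || echo "FAIL: step 7"
fi
```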


Configuration Instructions

Shibboleth2 Apache module incompatibility

Please read Section 6.2 in on module incompatibilities.

Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".

The /etc/apache2/conf.d/auth_gssapi.conf file contains a sample configuration that can get you started.

Example

To allow anyone with a valid Moonshot account to access /wherever, you would do the following:


Populating REMOTE_USER

Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.

To populate REMOTE_USER, update the FreeRADIUS reply from the RP Proxy with the User-Name RADIUS attribute in the :

Accessing Moonshot attributes

The Moonshot module can expose attributes in one of two ways. It can use the Shibboleth attribute resolver library to map RADIUS and SAML attributes to internal Shibboleth attributes, and then to environment variables. Alternatively, it can use its own internal JSON attribute resolver to map either RADIUS attributes or SAML attributes to environment variables. Read more at about how to configure Shibboleth or the internal JSON attribute resolvers.

We are working on enhancements that allow the Moonshot module to expose attributes in the same way as the RedHat module.

HTTPS Internet Explorer compatibility

For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.