Note

All of the instructions below assume that you have root access, and will work as the root user (either directly or using sudo).

Warning

This package is for the x86 platform only. Please follow the instructions for manually building the Apache module for x64 platforms.


System Preparation

Add the Moonshot libraries and configure the server

If you have not already done so, you first need to follow the instructions on how to .to 

Installation Instructions

  1. To use the Apache module, install it and the MIT Kerberos client package:


  2. VERIFY! To install the Apache module, issue the following command (or create the appropriate symlinks manually):

    Add a dummy Kerberos key to make the module happy:

    Export the location of the keytab file into Apache's config:

    Assign the correct permissions to the keytab file:


  3. Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:


  4. Verify that the KeepAlive option is enabled in the Apache configuration file /etc/apache2/apache2.conf:


  5. Restart Apache:

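The checks in steps 3 and 4 can be scripted. The following is an added example, not part of the original instructions: it assumes Apache runs as `www-data` and that `/etc/radsec.conf` assigns file paths as `key = "/path"` on keys ending in `file`, and its function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the Moonshot instructions. Assumptions: Apache runs
# as www-data, and radsec.conf assigns file paths as  somethingfile = "/path".

# Print each absolute path assigned to a key ending in "file" in radsec.conf ($1).
radsec_file_paths() {
    sed -n 's|^[[:space:]]*[A-Za-z_]*file[[:space:]]*=[[:space:]]*"\(/[^"]*\)".*|\1|p' "$1"
}

# Print the paths from radsec.conf ($1) that user $2 cannot read.
# Uses sudo to test as another user, so run it as root as the page assumes.
unreadable_for() {
    me=$(id -un 2>/dev/null || true)
    radsec_file_paths "$1" | while IFS= read -r path; do
        if [ "$2" = "$me" ]; then
            test -r "$path"
        else
            sudo -u "$2" test -r "$path" </dev/null
        fi || printf '%s\n' "$path"
    done
}

# Succeed only if the last active KeepAlive directive in the file ($1) is On.
# Commented-out lines and KeepAliveTimeout are ignored; a file with no
# KeepAlive directive is reported as not enabled so that it gets reviewed.
keepalive_enabled() {
    state=$(awk 'tolower($1) == "keepalive" { v = tolower($2) } END { print v }' "$1")
    [ "$state" = "on" ]
}

main() {
    status=0
    bad=$(unreadable_for /etc/radsec.conf www-data)
    if [ -n "$bad" ]; then
        printf 'not readable by www-data:\n%s\n' "$bad"
        status=1
    fi
    keepalive_enabled /etc/apache2/apache2.conf || { echo 'KeepAlive is not On'; status=1; }
    return "$status"
}

# Run the checks only when asked to, e.g.  sh check.sh --check
if [ "${1:-}" = "--check" ]; then main; fi
```

A private key listed in `/etc/radsec.conf` should be readable by the Apache user without being world-readable, so fix any path this reports through group ownership rather than by opening the file to everyone.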


Configuration Instructions

Shibboleth2 Apache module incompatibility

Please note that this module is currently not compatible with the Shibboleth2 service provider Apache module. When testing or using the Moonshot module, disable the Shibboleth module and restart the webserver before attempting your test. We are attempting to resolve this problem.

read Section in on module incompatibilities.

Protecting a location with Moonshot

To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate" (or, with the GSSAPI module, an AuthType of GSSAPI).

Here's a sample configuration that can get you started. For example, to allow anyone with a valid Moonshot account to access /wherever, you would do the following:

Populating REMOTE_USER

Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.

To populate REMOTE_USER, update the reply from the RP Proxy with the User-Name RADIUS attribute in the RP Proxy's post-auth section:

HTTPS Internet Explorer compatibility

For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.


Configuration Directives

For more information on the configuration directives supported by the GSSAPI module, see its homepage at https://github.com/modauthgssapi/mod_auth_gssapi.