Add the Moonshot libraries and configure the server
If you have not already done so, you first need to follow the instructions on how to .to
Installation Instructions
To use the Apache module, install it and the MIT Kerberos client package:
VERIFY! To install the Apache module, issue the following command (or create the appropriate symlinks manually):
Add a dummy Kerberos key to make the module happy:
Export the location of the keytab file into Apache's config:
Assign the correct permissions to the keytab file:
Ensure that the certificates referenced in /etc/radsec.conf can be read by the Apache user:
Verify that the KeepAlive option is enabled in the Apache configuration file /etc/apache2/apache2.conf:
Restart Apache:
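The certificate-readability and KeepAlive steps above can be checked before restarting Apache. The script below is an added example, not part of the Moonshot documentation. It assumes that /etc/radsec.conf names its TLS files with the keys cacertfile, certfile and certkeyfile as double-quoted paths, and that the Apache account is passed in by the caller (www-data in the usage comment is an assumed name).

```shell
#!/bin/sh
# Added example (not from the Moonshot documentation): pre-restart checks for
# two of the steps above. Assumption: radsec.conf names its TLS files with the
# keys cacertfile, certfile and certkeyfile, each as a double-quoted path.

# Succeeds if the last uncommented KeepAlive directive in the given file is
# "On". Apache defaults to On when the directive is absent. Only this one file
# is read; Include'd files are not followed.
keepalive_enabled() (
    value=$(awk 'tolower($1) == "keepalive" { v = tolower($2) } END { print v }' "$1")
    [ -z "$value" ] || [ "$value" = "on" ]
)

# Prints every file path that the given radsec.conf assigns to a TLS file key.
radsec_cert_paths() {
    sed -n -E 's/^[[:space:]]*(cacertfile|certfile|certkeyfile)[[:space:]]*=[[:space:]]*"([^"]+)".*/\2/p' "$1"
}

# Prints the referenced files that USER cannot read and fails if there are any.
# Uses sudo to test as another account; if sudo -n is refused, the file is
# reported as unreadable (fails closed). No sudo is needed for the current user.
unreadable_for_user() (
    user=$1 conf=$2 rc=0
    paths=$(radsec_cert_paths "$conf")
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        if [ "$user" = "$(id -un)" ]; then
            [ -r "$path" ] && continue
        else
            sudo -n -u "$user" test -r "$path" </dev/null && continue
        fi
        printf '%s\n' "$path"
        rc=1
    done <<EOF
$paths
EOF
    exit "$rc"
)

# Usage: audit www-data /etc/radsec.conf /etc/apache2/apache2.conf
# (www-data is an assumed Apache account name; use your system's.)
audit() {
    unreadable_for_user "$1" "$2" || echo "FAIL: files above unreadable by $1"
    keepalive_enabled "$3" || echo "FAIL: KeepAlive is off in $3"
}
```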
Configuration Instructions
Shibboleth2 Apache module incompatibility
Please read Section 6.2 in on module incompatibilities.
Protecting a location with Moonshot
To protect a particular location on your Apache server, you must configure it with an AuthType of "Negotiate".
Example
of GSSAPI.
Here's a sample configuration to get you started. To allow anyone with a valid Moonshot account to access /wherever, you would do the following:
Populating REMOTE_USER
Web services often rely on the REMOTE_USER Apache environment variable for user information, such as a local user account or a pseudonymous identifier.
To populate REMOTE_USER, update the reply from the RP Proxy with the User-Name RADIUS attribute in the RP Proxy's post-auth section:
HTTPS Internet Explorer compatibility
For updated best practice with Internet Explorer connections, you should also read Microsoft's HTTPS and Keep-Alive Connections article.