This is different from Mac OS X 10.5, which has an httpd built for the 64- and 32-bit PowerPC and x86 architectures. WebAuth, like many other Apache modules, did not build properly there, since each module needed to be built for all four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)
Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.
- To compile WebAuth you'll need both remctl and wallet (necessary if you're a Stanford affiliate, so you can create stanford.edu keytabs).
- To compile anything, you need Apple's free Xcode developer tools.
- Modules live in /usr/libexec/apache2. The WebAuth build process uses apxs correctly, so the modules end up in the proper location.
- The main httpd.conf lives in /etc/apache2, while virtual hosts are called sites and live in /etc/apache2/sites. There is no extras directory, so all the other conf files live in /etc/apache2 too (and there are no man or bin directories here either — those files are in their usual OS locations).
- Unlike tweaks to /etc/smbd.conf, you can make your httpd.conf edits anywhere. If your parameters conflict with what's entered via Server Admin, the entry closest to the end of the conf file wins.
- Your WebAuth folder, then, also lives in /etc/apache2.
- The user/group that httpd runs as is _www (aka www); this is already in the default httpd.conf, along with entries specific to the HFS filesystem and other Mac OS X particulars such as forked files.
- Once you install the WebAuth modules, you can use Server Admin.app to enable or disable them. This still writes to httpd.conf, but the modules don't appear automatically: either add them graphically using Server Admin or write them out by hand in httpd.conf.
- Apache is started using a launchd item at /System/Library/LaunchDaemons/org.apache.httpd.plist.
- The default webroot is /Library/WebServer/Documents — think of this as the htdocs directory.
- SSL certificates live in /etc/certificates; Server Admin creates httpd.conf files with proper paths to this directory, but you need to make hand edits if you have intermediate certificates.
- Certificates are commonly managed using Server Admin.app too.
- Although you'll see /private/etc/apache2/servermgr_web_apache2_config.plist, don't mess with it. That's what Server Admin.app writes to; if you edit it, you'll break the internet. The thing that takes Server Admin's XML values and schmooshes them into httpd.conf is /usr/share/servermgrd/bundles/servermgr_web.bundle/Contents/MacOS/servermgr_web.
- Don't pull stanford-webauth.conf in with an Include in httpd.conf. Instead, for some odd reason, you need to write out all those values in httpd.conf itself (wherever, but mine are at the end of the conf file).
- Don't put WebAuth access-restriction parameters in your main httpd.conf. Server Admin.app will complain (accurately) that it can't create the charts and graphs it displays in that application's monitoring window, because WebAuth itself effectively prohibits its status request. You'll see a message like this in your system.log.
- You need to move your WebAuth access-restriction parameters to the specific vhost file in /etc/apache2/sites instead. This has to be a hand edit, since Server Admin doesn't permit raw editing of the configuration files.
- When using mod_webauthldap.so, you need to create a symlink at /usr/webauth that points to /etc/apache2/webauth. There is probably a flag that could be used to compile this module differently, but the symlink works just as well.
- You can set ACLs on the web-hosted directories and on /etc/apache2/webauth using Server Admin if you create a symlink to them from some directory that is otherwise visible in the Finder.
The WebAuth directives referred to above, written directly into httpd.conf rather than pulled in with an Include:

```apache
WebAuthLdapKeytab webauth/keytab
WebAuthLdapTktCache webauth/krb5cc_ldap
WebAuthLdapHost ldap.stanford.edu
WebAuthLdapBase cn=people,dc=stanford,dc=edu
WebAuthLdapAuthorizationAttribute suPrivilegeGroup
WebAuthKeyring "/etc/apache2/webauth/keyring"
WebAuthKeytab "/etc/apache2/webauth/keytab"
WebAuthServiceTokenCache webauth/service_token_cache
WebAuthLoginURL https://weblogin.stanford.edu/login/
WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@stanford.edu
WebAuthSSLRedirect on
WebAuthDebug off
```

And the servermgrd complaint that shows up in system.log when access-restriction parameters are left in the main httpd.conf:

```
Nov 12 00:23:26 crc-resources servermgrd[86]: servermgr_web: In request for status, web service returned unexpected response code: 500; Server Admin Web graphs may be inaccurate.
```
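A set of sanity checks for the layout described above, added here as an example (this is not code from the original post or from WebAuth). It assumes the paths the post gives (httpd.conf in /etc/apache2, the WebAuth directory in /etc/apache2/webauth, the /usr/webauth symlink) and a ROOT prefix so the checks can be exercised against a constructed tree.

```shell
#!/bin/sh
# Added example, not from the original post: sanity checks for the Snow Leopard
# WebAuth layout described above. ROOT is prefixed to every path so the checks
# can run against a constructed tree; on the server itself leave ROOT empty.
ROOT="${ROOT:-}"

# 1. Access-control directives (AuthType WebAuth, Require privgroup) belong in a
#    vhost file under /etc/apache2/sites, not in the main httpd.conf, or
#    servermgrd's status requests fail with a 500. Prints offenders, returns 1.
check_main_conf() {
  conf="$ROOT/etc/apache2/httpd.conf"
  ! grep -nEi '^[[:space:]]*(AuthType[[:space:]]+WebAuth|Require[[:space:]]+privgroup)' "$conf"
}

# 2. mod_webauthldap expects /usr/webauth; it must be a symlink to the real
#    WebAuth directory in /etc/apache2/webauth.
check_symlink() {
  link="$ROOT/usr/webauth"
  [ -L "$link" ] && [ "$(readlink "$link")" = "/etc/apache2/webauth" ]
}

# 3. The keytab and keyring hold the server's Kerberos and WebAuth secrets:
#    both must exist and neither may be world-readable (mode bit o+r).
check_secrets() {
  for f in "$ROOT/etc/apache2/webauth/keytab" "$ROOT/etc/apache2/webauth/keyring"; do
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    if [ -n "$(find "$f" -maxdepth 0 -perm -004)" ]; then
      echo "world-readable: $f"; return 1
    fi
  done
}

# 4. Count the servermgrd complaint quoted in the post in a system.log file;
#    a non-zero count is the symptom whose cause check 1 catches.
count_servermgr_500() {
  grep -c 'servermgr_web: In request for status, web service returned unexpected response code: 500' "$1"
}

# Run everything against the live server (ROOT empty) or a test tree.
run_checks() {
  status=0
  check_main_conf || status=1
  check_symlink || { echo "/usr/webauth is not a symlink to /etc/apache2/webauth"; status=1; }
  check_secrets || status=1
  return $status
}
```

Run it as root on the server with `ROOT="" sh webauth-check.sh && run_checks`, or source it and call the individual functions; a non-zero exit from run_checks means one of the layout rules above has been broken.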
That's it. We use WebAuth on a Snow Leopard server quite well, with different parts of the file system served to different groups. Some web roots are also AFP and CIFS shares, which permit read/write access to authenticated users. Another nice feature of the built-in Apache 2.2 service is that administration can be controlled by service access controls, allowing granular privileges for users and groups designated either web server admins or monitors. Using Apple's tools on Mac web servers is a more elegant solution than building and managing your own Apache installation and fighting with Webmin for GUI management.
