« Hiding directories containing spaces in Samba | Main | Extended attributes, Office 2007 clients via SMB from Xsan »

Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)

WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server Admin.app tool to manage your web server.

This is different than with Mac OS X 10.5, which has an httpd built with 64- and 32-bit PowerPC and x86 architectures. WebAuth, like many other Apache modules, did not build properly, since each module needed to be of four architectures, too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

  • To compile WebAuth you'll need both remctl and wallet (necessary if you're a Stanford affiliate, so you can create stanford.edu keytabs).
  • To compile anything, you need Apple's free Xcode developer tools.
  • Modules live in /usr/libexec/apache2. The WebAuth build process properly uses apsx to sort things in the proper location.
  • The main httpd.conf live in /etc/apache2 while virtual hosts are called sites and live in /etc/apache2/sites. There is no extras directory, so all the other conf files live in /etc/apache2 too (plus there's no man or bin directories here either — those files are in their OS locations).
  • Unlike tweaks on /etc/smbd.conf, you can make your httpd.conf edits anywhere. If your parameters conflict with what's entered via Server Admin, the entry closest to the end of the conf file wins.
  • Your WebAuth folder, then, also lives in /etc/apache2.
  • The user/group that httpd runs as is _www (aka www); this is already in the default httpd.conf, along with entries specific to the HFS filesystem and other unique Mac OS X attributes like forked files.
  • Once you install the WebAuth modules, you can use Server Admin.app to enable/disable them. This still all writes to httpd.conf. The don't appear automatically. Either add them graphically using Server Admin or write them out manually in the httpd.conf file.
  • Apache is started using a launchd item at /System/Library/LaunchDaemons/org.apache.httpd.plist.
  • The default webroot is /Library/WebServer/Documents — think of this as the htdocs directory.
  • SSL certificates live in /etc/certificates; Server Admin creates httpd.conf files with proper paths to this directory, but you need to make hand edits if you have intermediate certificates.
  • Certificates are commonly managed using Server Admin.app too.
  • Although you'll see /private/etc/apache2/servermgr_web_apache2_config.plist, don't mess with this. That's what Server Admin.app writes to; if you edit this, you'll break the internet. The thing that takes Server Admin's XML values and schmooshes it into httpd.conf is /usr/share/servermgrd/bundles/servermgr_web.bundle/Contents/MacOS/servermgr_web.
  • Don't hook stanford-webauth.conf using an include in httpd.conf. Instead, for some odd reason, you need to write out all those values in httpd.conf itself (wherever, but mine are at the end of the conf file).
  • WebAuthLdapKeytab webauth/keytab
    WebAuthLdapTktCache webauth/krb5cc_ldap
    WebAuthLdapHost ldap.stanford.edu
    WebAuthLdapBase cn=people,dc=stanford,dc=edu
    WebAuthLdapAuthorizationAttribute suPrivilegeGroup
    WebAuthKeyring "/etc/apache2/webauth/keyring"
    WebAuthKeytab "/etc/apache2/webauth/keytab"
    WebAuthServiceTokenCache webauth/service_token_cache
    WebAuthLoginURL https://weblogin.stanford.edu/login/
    WebAuthWebKdcURL https://weblogin.stanford.edu/webkdc-service/
    WebAuthWebKdcPrincipal service/webkdc@stanford.edu
    WebAuthSSLRedirect on
    WebAuthDebug off
    • Don't put WebAuth access restrictions parameters in your main httpd.conf.  Server Admin.app will complain (accurately) it can't create charts and graphs to display in that applications monitoring window. This is because it's effectively prohibited by WebAuth itself. You'll see a message like this in your system.log. 
    Nov 12 00:23:26 crc-resources servermgrd[86]: servermgr_web: In request for status, web service returned unexpected response code: 500; Server Admin Web graphs may be inaccurate.

    • You need to move your WebAuth parameters to the specific vhost file in /etc/apache2/sites instead. This needs to be a hand-edit, since Server Admin doesn't permit raw editing of the configuration files.
    • Using mod_webauthldap.so, you need to create a symlink where /usr/webauth is created to point to /etc/apache2/webauth. There is probably a flag that could be used to compile this module differently, but the symlink works just as well.
    • You can set ACLs on the web-hosted directories and on /etc/apache2/webauth using Server Admin if you create a symlink targeted to some directory otherwise visible to the Finder.

    That's it. We use WebAuth on a Snow Leopard server quite well, with different parts of the file system served to different groups. Some web roots are also AFP and CIFS shares, which permit read/write to authenticated users. Another nice feature available with the built-in Apache 2.2 service is that administration can be controlled by service access controls, allowing granular privileges to users and groups designated either web server admins or monitors.  It's a more elegant solution to use Apple tools on Mac web servers without having to resort to building and managing your own Apache installation and fighting with Webmin for GUI management.

UPDATE: Be wary that Server Admin may write over /etc/apache2/sites/yourwebsite and remove the AuthType WebAuth directive. You'll see the notices in the Apache error log.


TrackBack URL for this entry:

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)


This page contains a single entry from the blog posted on November 12, 2009 9:44 PM.

The previous post in this blog was Hiding directories containing spaces in Samba.

The next post in this blog is Extended attributes, Office 2007 clients via SMB from Xsan.

Many more can be found on the main index page or by looking through the archives.

Creative Commons License
This weblog is licensed under a Creative Commons License.
Traffic analyzed by Google Analytics. Site powered by Movable Type 4.32-en