Build WebAuth with Mac OS X Server 10.6 (Snow Leopard)


WebAuth (cf developer link) can be built cleanly on Mac OS X Server 10.6 with no additional flags or configuration edits. Just ./configure, make and sudo make install. Because of the changes in Snow Leopard server, you can now use WebAuth while continuing to use Apple's Server tool to manage your web server.

This differs from Mac OS X Server 10.5, whose httpd is built for four architectures: 64- and 32-bit PowerPC and x86. WebAuth, like many other Apache modules, did not build properly there, since each module needed to be built for all four architectures too. (Instructions for Leopard Server are here. For instructions on installing WebAuth on other Unix-like operating systems, see here.)

Here's a list of things that are, I think, unique to the process of installing and using WebAuth on Mac OS X Server 10.6, after the jump.

  • To compile WebAuth you'll need both remctl and wallet (necessary if you're a Stanford affiliate, so you can create keytabs).
  • To compile anything, you need Apple's free Xcode developer tools.
  • Modules live in /usr/libexec/apache2. The WebAuth build process properly uses apxs to put things in the proper location.
  • The main httpd.conf lives in /etc/apache2, while virtual hosts are called sites and live in /etc/apache2/sites. There is no extras directory, so all the other conf files live in /etc/apache2 too (and there are no man or bin directories here either; those files are in their OS locations).
  • Unlike tweaks on /etc/smbd.conf, you can make your httpd.conf edits anywhere. If your parameters conflict with what's entered via Server Admin, the entry closest to the end of the conf file wins.
  • Your WebAuth folder, then, also lives in /etc/apache2.
  • The user/group that httpd runs as is _www (aka www); this is already in the default httpd.conf, along with entries specific to the HFS filesystem and other unique Mac OS X attributes like forked files.
  • Once you install the WebAuth modules, you can use Server Admin to enable/disable them. This still all writes to httpd.conf. They don't appear automatically: either add them graphically using Server Admin or write them out manually in the httpd.conf file.
  • Apache is started using a launchd item at /System/Library/LaunchDaemons/org.apache.httpd.plist.
  • The default webroot is /Library/WebServer/Documents — think of this as the htdocs directory.
  • SSL certificates live in /etc/certificates; Server Admin creates httpd.conf files with proper paths to this directory, but you need to make hand edits if you have intermediate certificates.
  • Certificates are commonly managed using Server too.
  • Although you'll see /private/etc/apache2/servermgr_web_apache2_config.plist, don't mess with this. That's what Server writes to; if you edit this, you'll break the internet. The thing that takes Server Admin's XML values and schmooshes it into httpd.conf is /usr/share/servermgrd/bundles/servermgr_web.bundle/Contents/MacOS/servermgr_web.
  • Don't hook stanford-webauth.conf using an include in httpd.conf. Instead, for some odd reason, you need to write out all those values in httpd.conf itself (wherever, but mine are at the end of the conf file).
    WebAuthLdapKeytab webauth/keytab
    WebAuthLdapTktCache webauth/krb5cc_ldap
    WebAuthLdapBase cn=people,dc=stanford,dc=edu
    WebAuthLdapAuthorizationAttribute suPrivilegeGroup
    WebAuthKeyring "/etc/apache2/webauth/keyring"
    WebAuthKeytab "/etc/apache2/webauth/keytab"
    WebAuthServiceTokenCache webauth/service_token_cache
    WebAuthWebKdcPrincipal service/
    WebAuthSSLRedirect on
    WebAuthDebug off
  • Don't put WebAuth access restriction parameters in your main httpd.conf. Server Admin will complain (accurately) that it can't create the charts and graphs it displays in the application's monitoring window, because WebAuth itself effectively blocks the status request. You'll see a message like this in your system.log:
    Nov 12 00:23:26 crc-resources servermgrd[86]: servermgr_web: In request for status, web service returned unexpected response code: 500; Server Admin Web graphs may be inaccurate.

  • You need to move your WebAuth parameters to the specific vhost file in /etc/apache2/sites instead. This has to be a hand edit, since Server Admin doesn't permit raw editing of the configuration files.
  • You need to create a symlink so that /usr/webauth points to /etc/apache2/webauth. There is probably a configure flag that would build the module with a different path, but the symlink works just as well.
  • You can set ACLs on the web-hosted directories and on /etc/apache2/webauth using Server Admin if you create a symlink to them from some directory otherwise visible in the Finder.

That's it. We use WebAuth on a Snow Leopard server quite successfully, with different parts of the file system served to different groups. Some web roots are also AFP and CIFS shares, which permit read/write access to authenticated users. Another nice feature of the built-in Apache 2.2 service is that administration can be controlled by service access controls, allowing granular privileges for users and groups designated either web server admins or monitors. It's a more elegant solution to use Apple's tools on Mac web servers than to build and manage your own Apache installation and fight with Webmin for GUI management.

UPDATE: Be wary that Server Admin may write over /etc/apache2/sites/yourwebsite and remove the AuthType WebAuth directive. You'll see the notices in the Apache error log.
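The post's layout rules (server-wide WebAuth directives written inline in httpd.conf rather than via an Include, no AuthType WebAuth in the main file, the /usr/webauth symlink, and the UPDATE's warning that Server Admin can strip AuthType WebAuth from a sites file) can be checked mechanically. The POSIX shell script below is an added example, not code from the post, from WebAuth or from Apple; the paths follow the post, while the world-readability check on keytab and keyring, the constructed sample trees and the placeholder principal are my own assumptions.

```shell
#!/bin/sh
# Added example: layout checker for WebAuth on Mac OS X Server 10.6.
# Paths follow the post; the checks themselves are my own assumptions.

# Print one line per finding for the tree rooted at $1 ("/" = live system).
# The return status is the number of findings, so 0 means clean.
webauth_findings() {
    root=${1%/}                       # "/" becomes "", "/tmp/x/" becomes "/tmp/x"
    conf="$root/etc/apache2/httpd.conf"
    sites="$root/etc/apache2/sites"
    wa="$root/etc/apache2/webauth"
    n=0
    if [ ! -f "$conf" ]; then
        echo "missing $conf"; n=$((n + 1))
    else
        # Server-wide directives must be inline; an Include does not work here.
        if grep -q 'Include.*stanford-webauth\.conf' "$conf"; then
            echo "httpd.conf includes stanford-webauth.conf; inline the directives instead"
            n=$((n + 1))
        fi
        for d in WebAuthKeyring WebAuthKeytab WebAuthWebKdcPrincipal; do
            grep -q "^[[:space:]]*$d[[:space:]]" "$conf" \
                || { echo "httpd.conf lacks $d"; n=$((n + 1)); }
        done
        # Access restrictions in the main file break Server Admin's status
        # probe (the "unexpected response code: 500" line in system.log).
        if grep -q '^[[:space:]]*AuthType[[:space:]]*WebAuth' "$conf"; then
            echo "AuthType WebAuth in httpd.conf; move it into a vhost under sites/"
            n=$((n + 1))
        fi
    fi
    # A vhost with Require but no AuthType is the symptom of Server Admin
    # rewriting the sites file and dropping AuthType WebAuth.
    for f in "$sites"/*; do
        [ -f "$f" ] || continue
        if grep -q '^[[:space:]]*Require[[:space:]]' "$f" \
           && ! grep -q '^[[:space:]]*AuthType[[:space:]]' "$f"; then
            echo "$f: Require without AuthType (Server Admin may have stripped AuthType WebAuth)"
            n=$((n + 1))
        fi
    done
    # /usr/webauth must be a symlink to /etc/apache2/webauth.
    if [ ! -L "$root/usr/webauth" ] || [ "$(readlink "$root/usr/webauth")" != "$wa" ]; then
        echo "$root/usr/webauth is not a symlink to $wa"; n=$((n + 1))
    fi
    # Credential files must exist and not be world-readable (my own check;
    # the post only says where they live). Column 8 of ls -l is other-read.
    for c in keytab keyring; do
        if [ ! -f "$wa/$c" ]; then
            echo "missing $wa/$c"; n=$((n + 1))
        elif [ "$(ls -ld "$wa/$c" | cut -c8)" = "r" ]; then
            echo "$wa/$c is world-readable"; n=$((n + 1))
        fi
    done
    return "$n"
}

# Constructed sample trees for trying the checker offline: "good" follows the
# post's layout, "broken" reproduces every mistake the post warns about.
make_sample_tree() {
    base=$1; kind=$2
    mkdir -p "$base/etc/apache2/sites" "$base/etc/apache2/webauth" "$base/usr"
    : > "$base/etc/apache2/webauth/keytab"
    : > "$base/etc/apache2/webauth/keyring"
    if [ "$kind" = good ]; then
        chmod 640 "$base/etc/apache2/webauth/keytab" "$base/etc/apache2/webauth/keyring"
        {
            echo "WebAuthKeyring \"$base/etc/apache2/webauth/keyring\""
            echo "WebAuthKeytab \"$base/etc/apache2/webauth/keytab\""
            echo "# placeholder principal, not a real WebKDC"
            echo "WebAuthWebKdcPrincipal service/webkdc@EXAMPLE.COM"
            echo "WebAuthSSLRedirect on"
        } > "$base/etc/apache2/httpd.conf"
        printf '<Location /private>\n    AuthType WebAuth\n    Require valid-user\n</Location>\n' \
            > "$base/etc/apache2/sites/0000_any_443_.conf"
        ln -s "$base/etc/apache2/webauth" "$base/usr/webauth"
    else
        chmod 644 "$base/etc/apache2/webauth/keytab" "$base/etc/apache2/webauth/keyring"
        {
            echo "Include /etc/apache2/stanford-webauth.conf"
            printf '<Location /private>\n    AuthType WebAuth\n    Require valid-user\n</Location>\n'
        } > "$base/etc/apache2/httpd.conf"
        printf '<Location /private>\n    Require valid-user\n</Location>\n' \
            > "$base/etc/apache2/sites/0000_any_443_.conf"
        # deliberately no /usr/webauth symlink
    fi
}

# Usage: sh webauth_check.sh /      (check the live server)
#        sh webauth_check.sh DIR    (check a tree built by make_sample_tree)
case "${1:-}" in
    "") ;;                           # no argument: only define the functions
    *) webauth_findings "$1" ;;
esac
```

Run it as root against `/` after each Server Admin change; a non-zero exit status plus the printed findings tells you which of the post's rules was undone, which is cheaper than waiting for the 500 in system.log or the AuthType errors in the Apache error log.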

This page contains a single entry by Noah Abrahamson published on November 12, 2009 9:44 PM.