Diffstat (limited to 'web/src/pubcookie/INSTALL')
-rw-r--r-- web/src/pubcookie/INSTALL 90
1 files changed, 90 insertions, 0 deletions
diff --git a/web/src/pubcookie/INSTALL b/web/src/pubcookie/INSTALL
new file mode 100644
index 00000000..e4685c40
--- /dev/null
+++ b/web/src/pubcookie/INSTALL
@@ -0,0 +1,90 @@
+alpine.tar.z web/src/pubcookie/INSTALL
+$id$
+/* ========================================================================
+ * Copyright 2006-2008 University of Washington
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * ========================================================================
+ */
+
+STEPS TO ADD PUBCOOKIE SUPPORT TO WEB ALPINE
+--------------------------------------------
+
+UW Pubcookie <http://www.pubcookie.org> provides single-sign-on
+service for web-based applications. Web Alpine can be built to use UW
+Pubcookie within a Kerberos authorization framework.
+
+Building Web Alpine to use pubcookie authentication should be
+accomplished by simply adding:
+
+ --with-pubcookie
+
+and:
+
+ --with-web-bin=/usr/local/libexec/alpine/bin
+
+to the configure script's command line. Note, the value you supply in
+the second configure option is the directory where ultimately the Web
+Alpine's binary support tools will be installed. In addition,
+Kerberos 5 must be available on the Alpine web server.
+
+Installation of the extra binary components for pubcookie support
+should happen automatically. After the "make install" command typed
+in web/src directory completes successfully, verify that:
+
+ web/bin/wp_uidmapper
+ web/bin/wp_tclsh
+ web/bin/wp_gssapi_proxy
+
+all exist. Then simply follow the normal Web Alpine installation
+steps described in the web/INSTALL document.
+
+Once Web Alpine is installed, there is some additional configuration
+required. First, you'll need to change permissions on a couple of the
+binary components as they do make use of the setuid() system call. It
+should be simply a matter of:
+
+ cd /usr/local/libexec/alpine/bin
+ sudo chmod 4755 wp_gssapi_proxy wp_tclsh
+
+Next, you'll need to:
+
+ cd /usr/local/libexec/alpine/cgi/session
+
+In that directory you'll need to edit the ".htaccess" file, adding the
+lines contained in the example htaccess file in the distribution's
+"web/src/pubcookie/_htaccess_session".
+
+Then,
+
+ cd /usr/local/libexec/alpine/cgi/session
+
+and edit the ".htaccess" file therein, adding the lines contained in
+the example file "web/src/pubcookie/_htaccess_session_logout".
+
+Running Web Alpine with pubcookie requires some extra care and
+feeding. First, the service provided by "wp_uidmapper" must be
+started and maintained as long as the web server is providing Web
+Alpine service. It must be run under the same uid as the web server.
+The helper script "debug.cgi" can be used to conveniently
+start/restart the wp_uidmapper service. Make sure the path defined
+within that script is correct for your system.
+
+Finally, you'll need to create within the Kerberos 5 system the ID of
+the "IMAP Superuser". This userid is used by the web server to log
+into the UW IMAP server via SASL proxy authentication. That is, to
+establish an IMAP session, the web server logs into the IMAP server
+via Kerberos as the IMAP Superuser (which must be configured on the
+IMAP server separately) and specifies in that SASL exchange that login
+in being performed on behalf of the UW Pubcookie-provided userid.
+
+With the IMAP Superuser ID established and configured on the IMAP
+server, you'll need to acquire a Kerbero ticket on the web server.
+Typically, you'll want to install a crontab entry to periodically
+refresh the ticket. See web/src/pubcookie/README.
+
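Review bot: The `sudo chmod 4755 wp_gssapi_proxy wp_tclsh` step makes two setuid binaries executable by every local account, and the text never states which user should own them or why each one needs setuid() at all. Please document the intended owner and group, and consider recommending mode 4750 with the group set to the web server's group so that only the web server can invoke them; wp_tclsh deserves an explicit sentence, since a setuid helper with a shell-like name is the first thing an auditor will ask about. Separately, both `.htaccess` steps say `cd /usr/local/libexec/alpine/cgi/session`, yet the second one refers to `_htaccess_session_logout`, so either the second path is a copy-paste of the first or the two steps should be merged; as written an administrator would append both example files to the same `.htaccess`. The verification step lists `web/bin/wp_uidmapper` and friends while the configure option installs into `/usr/local/libexec/alpine/bin`, so say which location is meant at that point. Minor: the first added line (`alpine.tar.z web/src/pubcookie/INSTALL`) looks like stray packaging text, `$id$` will not expand as a keyword (it is case-sensitive, `$Id$`), and there are typos in "login in being performed" and "Kerbero ticket".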