path: root/web/src/pubcookie/INSTALL
blob: e4685c40bcef929966e47911db535365a93398b7 (plain)
$id$
/* ========================================================================
 * Copyright 2006-2008 University of Washington
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * ========================================================================
 */

STEPS TO ADD PUBCOOKIE SUPPORT TO WEB ALPINE
--------------------------------------------

UW Pubcookie <http://www.pubcookie.org> provides single-sign-on
service for web-based applications.  Web Alpine can be built to use UW
Pubcookie within a Kerberos authorization framework.

Building Web Alpine to use pubcookie authentication should be
accomplished by simply adding:

    --with-pubcookie 

and:

    --with-web-bin=/usr/local/libexec/alpine/bin

to the configure script's command line.  Note that the value you supply
in the second configure option is the directory where Web Alpine's
binary support tools will ultimately be installed.  In addition,
Kerberos 5 must be available on the Alpine web server.

Installation of the extra binary components for pubcookie support
should happen automatically.  After the "make install" command typed
in the web/src directory completes successfully, verify that:

    web/bin/wp_uidmapper
    web/bin/wp_tclsh
    web/bin/wp_gssapi_proxy

all exist.  Then simply follow the normal Web Alpine installation
steps described in the web/INSTALL document.

Once Web Alpine is installed, there is some additional configuration
required.  First, you'll need to change permissions on a couple of the
binary components as they do make use of the setuid() system call.  It
should be simply a matter of:

    cd /usr/local/libexec/alpine/bin
    sudo chmod 4755 wp_gssapi_proxy wp_tclsh

Next, you'll need to:

    cd /usr/local/libexec/alpine/cgi/session

In that directory you'll need to edit the ".htaccess" file, adding the
lines contained in the example htaccess file in the distribution's
"web/src/pubcookie/_htaccess_session".

Then, 

    cd /usr/local/libexec/alpine/cgi/session

and edit the ".htaccess" file therein, adding the lines contained in
the example file "web/src/pubcookie/_htaccess_session_logout".

Running Web Alpine with pubcookie requires some extra care and
feeding.  First, the service provided by "wp_uidmapper" must be
started and maintained as long as the web server is providing Web
Alpine service.  It must be run under the same uid as the web server.
The helper script "debug.cgi" can be used to conveniently
start/restart the wp_uidmapper service.  Make sure the path defined
within that script is correct for your system.
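
As an added example (not part of the Alpine distribution), the script
below audits the result of the chmod step and the wp_uidmapper
requirement described above: the two setuid helpers must carry the
setuid bit without group or world write access, and wp_uidmapper should
not be setuid.  The function names are hypothetical, and treating a
setuid bit on wp_uidmapper as a finding is an assumption drawn from its
absence in the chmod step.

```shell
#!/bin/sh
# Added example (not from the Alpine distribution): audit helper permissions
# after the chmod step. Function names are hypothetical.

# loose_write PATH: succeeds when PATH is group- or world-writable.
loose_write() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# audit_pubcookie_bin DIR: prints one finding per line, returns 1 if any.
audit_pubcookie_bin() {
    dir=$1
    bad=0
    # A writable directory lets another local account swap a helper out.
    if loose_write "$dir"; then echo "DIR-WRITABLE $dir"; bad=1; fi
    # The two helpers the INSTALL sets to 4755: setuid, owner-only write.
    for name in wp_gssapi_proxy wp_tclsh; do
        f=$dir/$name
        if [ ! -f "$f" ]; then echo "MISSING $f"; bad=1
        elif [ ! -u "$f" ]; then echo "NOT-SETUID $f"; bad=1
        elif loose_write "$f"; then echo "WRITABLE-SETUID $f"; bad=1
        fi
    done
    # wp_uidmapper runs under the web server's uid and is not in the chmod
    # step, so a setuid bit on it is unexpected (assumption drawn from that).
    f=$dir/wp_uidmapper
    if [ ! -f "$f" ]; then echo "MISSING $f"; bad=1
    elif [ -u "$f" ]; then echo "UNEXPECTED-SETUID $f"; bad=1
    elif loose_write "$f"; then echo "WRITABLE $f"; bad=1
    fi
    return "$bad"
}

# Run only when a directory is passed, e.g. /usr/local/libexec/alpine/bin
if [ "$#" -gt 0 ]; then audit_pubcookie_bin "$1"; fi
```

Run it with the --with-web-bin directory as its only argument; it exits
non-zero when any finding is printed.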

Finally, you'll need to create within the Kerberos 5 system the ID of
the "IMAP Superuser".  This userid is used by the web server to log
into the UW IMAP server via SASL proxy authentication.  That is, to
establish an IMAP session, the web server logs into the IMAP server
via Kerberos as the IMAP Superuser (which must be configured on the
IMAP server separately) and specifies in that SASL exchange that login
is being performed on behalf of the UW Pubcookie-provided userid.

With the IMAP Superuser ID established and configured on the IMAP
server, you'll need to acquire a Kerberos ticket on the web server.
Typically, you'll want to install a crontab entry to periodically
refresh the ticket.  See web/src/pubcookie/README.