Adding SFU's CAS support to Apache on Mac OS X Snow Leopard
These directions are directly taken from information by Ray Davison (SFU ICAT, IT Services) and extensive help from Derek Warren (Faculty of Education) but any error, confusion or ambiguity is completely my own.
You need the Developer Tools (Xcode) from Apple installed. TextWrangler will make changes much easier. Any Mac will work as a web server: Apache is built in. To turn it on, go to System Preferences/Sharing and check the 'Web Sharing' box. Please email cas-help@sfu.ca so they know you are using CAS and can inform you of any changes. Please email me with any corrections or suggestions.
Download a copy of mod_auth_cas, which you can get from http://www.sfu.ca/itservices/publishing/enhanced_web_publishing/cas/apache_module.html. More information about CAS is at SFU's CAS pages. When you download that on your Mac, it should untar so you will end up with a mod_auth_cas_sfu-1.0.8 directory. Open Terminal and type cd [space] and then drag the src folder within the mod_auth_cas_sfu-1.0.8 folder to the Terminal window. Hit return, which will put you in the directory with the source code, which can be compiled with
sudo /usr/sbin/apxs -i -c mod_auth_cas.c
If this does not work, you can check where apxs is by using
which apxs
Create a new directory to save cached logins:
sudo mkdir /etc/apache2/cas
sudo chown -R _www /etc/apache2/cas
In Terminal, open the folder that the httpd.conf file is in, /private/etc/apache2/ [in Tiger it is in /private/etc/httpd/ ].
open /private/etc/apache2/
Then open httpd.conf in TextWrangler.
Download this httpd.conf.txt and use TextWrangler to do a side-by-side comparison to the original [Search/Compare Two Front Documents] and make modifications to your Apache config...
Comment out these 5 LoadModule lines: mod_authz_groupfile.so, mod_authz_user.so, mod_authz_dbm.so, mod_auth_basic.so, mod_auth_digest.so.
Give the explicit path for mod_auth_cas.so e.g.
LoadModule auth_cas_module /usr/libexec/apache2/mod_auth_cas.so
and modify the cookie path:
CASCookiePath /usr/local/apache2/cas/
Change
AllowOverride None
to
AllowOverride AuthConfig
(in several places, depending on what you are doing).
Finally, to activate your changes, go to System Preferences and turn off Web Sharing, then turn it back on.
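The directory created earlier is /etc/apache2/cas, so the CASCookiePath value in your edited config has to name a directory that really exists and belongs to _www. The check below is an added example, not part of the original directions or of mod_auth_cas; the function name check_cas_cookie_path and its arguments are assumptions, and the trailing-slash rule comes from the upstream mod_auth_cas documentation.

```shell
#!/bin/sh
# check_cas_cookie_path CONF [OWNER]   (hypothetical helper, added example)
# Verifies that the CASCookiePath named in CONF can serve as the login cache.
# Typical call: check_cas_cookie_path /private/etc/apache2/httpd.conf
check_cas_cookie_path() {
    conf=$1
    owner=${2:-_www}    # Apache's user on Mac OS X, as in the chown step

    # Take the last uncommented CASCookiePath directive in the file.
    dir=$(awk 'tolower($1) == "cascookiepath" { p = $2 } END { print p }' "$conf")
    if [ -z "$dir" ]; then
        echo "no CASCookiePath directive in $conf"; return 1
    fi
    # Upstream mod_auth_cas documents that this value must end in "/".
    case $dir in
        */) ;;
        *) echo "CASCookiePath $dir must end with /"; return 1 ;;
    esac
    if [ ! -d "$dir" ]; then
        echo "$dir does not exist (was it created with mkdir?)"; return 1
    fi
    # ls -ld prints: mode links owner group ...
    set -- $(ls -ld "$dir")
    mode=$1; actual=$3
    if [ "$actual" != "$owner" ]; then
        echo "$dir is owned by $actual, expected $owner"; return 1
    fi
    # Cached logins live here, so only the owner should be able to write to it:
    # character 6 of the mode is group write, character 9 is world write.
    case $mode in
        d????w*|d???????w*)
            echo "$dir is group- or world-writable ($mode)"; return 1 ;;
    esac
    echo "ok: $dir"
}
```

Running sudo apachectl configtest after this check also catches syntax errors in httpd.conf before Web Sharing is toggled.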
Go to http://www.sfu.ca/itservices/cas/htaccess.html and htaccess.html for how to control access.
Sample contents of .htaccess file (you will have to change the path of AuthUserFile /pathto/.htpasswd)
AuthType CAS
AuthName "login as SFU user or webapplicant"
AuthUserFile /Library/WebServer/Documents/YourPath/.htpasswd
require valid-sfu-user
require valid-user
Contents of .htpasswd file (webapplicant is both username and password here)
webapplicant:snxXBvTU7Z8lg
Problems? Check the Console for error messages (go to Applications/Utilities, or just type console in Spotlight).
From Ray: Some things to keep in mind when testing:
1) CAS sets a cookie when you log in so that single signon works. This means if you want to test logging in with different accounts, you need to clear the cookie. This can be done by visiting the logout page at:
https://cas.sfu.ca/cgi-bin/WebObjects/cas.woa/wa/logout
2) The mod_auth_cas module also caches logins so that if you have a web page with a bunch of images it doesn't repeatedly hit CAS to authenticate each of the images. This means that once you have logged in to a protected web page with one account, you can't test with another account even if you log out of CAS because the module has cached your login. To return things back to a clean state you need to stop Apache and empty the cache directory (/etc/apache2/cas in your case). Then restart Apache.
When I went to
fmp.biol.sfu.ca/ta_applications/
I was redirected to the server name
https://cas.sfu.ca/cgi-bin/WebObjects/cas.woa/wa/login?service=http%3a%2f%2fBiology-Filemaker-Sciencess-Mac-mini.local%2fta_applications...
Console told me...
httpd: Could not reliably determine the server's fully qualified domain name, using... for ServerName
so I just went into system preferences, stopped and restarted the webserver (duh...).
It is not worth spending any more time on these instructions. Tell me of any errors so I can correct them. Feel free to ask me for help. Ray Davison is the person to ask about CAS.