...
- Install the mit-moira RPM; the daemon uses the blanche client.
- yum install perl-LDAP (This will also bring in perl-IO-Socket-SSL and perl-Net-SSLeay as dependencies)
- yum install perl-Convert-ASN1
- Unpack the cams-ldap binary tarball, from the root directory:
No Format # cd / # tar xzf /path/to/cams-ldap.tgz
- Make sure the trigger library is configured for the run-time linker (required for mysqld to be able to load it):
No Format # echo "/usr/local/cams/lib" > /etc/ld.so.conf.d/cams-ldap.conf # ldconfig
- On the slave only, disable the cron job which purges the Cams Moira list:
No Format # rm /etc/cron.d/cams-ldap
- Install a daemon keytab in /usr/local/cams/ldap/keytab. It must be owned by the mysql user. The principal must be added to the from-cams-admin list, which is the owner of the from-cams list, e.g.:
(For staging, add the daemon.idpe-staging principal to the list on ttsp)No Format # blanche from-cams-admin -a kerberos:daemon.idpe@ATHENA.MIT.EDU - Configure /etc/syslog.conf with the following patch; the daemon uses the LOCAL5 facility:
Make this change effective:No Format 40,41c40,41 < # msql apps < local5.info /var/log/db --- > # cams-ldap (originally msql apps) > local5.* /var/log/cams-ldap.logNo Format # kill -HUP `cat /var/run/syslogd.pid` - Install the configuration file /usr/local/cams/ldap/cams-ldap.conf. This file is in Perl syntax. Edit it to make sure that the usernames and passwords for DB and LDAP access are set properly ($dbuser, $dpassword, $ldap_dn, $ldap_password), and that $krb5_princ is set to the daemon principal in the keytab. Make sure that $cafile is set to point at mitCA.pem (install if not already there). Make sure the file is owned by the mysql user and only readable by the owner.
- Make sure that the camsldap user is added to the MySQL database (see above).
- Restart mysqld, to make sure that it can link in the trigger library.
- Start the cams-ldap daemon, and make sure it starts at boot time:
The daemon should run on both the slave and master servers; the daemon detects when it is running on the slave, and treats the trigger as a no-op.No Format # /etc/init.d/cams-ldap start # chkconfig --add cams-ldap - Make sure the trigger function is defined properly in the database. This should be executed on the slave first; check the slave status afterward to make sure it is still running, and restart if necessary.
No Format # mysql -u root -p cams < /path/to/cams-ldap-trigger.sql
Install Shibboleth IdP
- Run the idp application installer from our customized binary distribution, available in /mit/touchstone/builds/NIST/idp2-cams/cams-shibboleth-identityprovider-2.x.y-bin.tgz, and the install script contained therein. For example:
By default (because of one of our customizations to the stock Internet2 distribution) this will install underNo Format # cd /tmp # rm -rf shibboleth-identityprovider-2.* # tar xzf /path/to/cams-shibboleth-identityprovider-2.1.5-bin.tgz # cd shibboleth-identityprovider-2.1.5 # ./install.sh [There should be no need to override the default responses to the installer's questions.]
/usr/local/shibboleth-idp/. The installer will not overwrite the configuration files of an existing installation. For a new installation, the installer will generate a keystore, and prompt for its password; currently we do not use this keystore, so the password does not matter. This distribution contains the standard shibboleth-identityprovider binary distribution, from the Internet2 zip file (http://shibboleth.internet2.edu/downloads/shibboleth/idp/latest/
), plus the following customizations: - camslogin
This provides the custom login pages for CAMS users. It is available as a tarball (/mit/touchstone/builds/NIST/idp2-cams/camslogin.tgz) which is unpacked into the top-level directory of the binary distribution. - CamsLoginModule (cams-jaas-loginmodule-x.y.jar)
This is the JAAS login module for CAMS. It is available as a .jar file in /mit/touchstone/builds/NIST/cams-jaas-loginmodule-x.y.jar, where x.y is the version number (currently 1.0). It must be copied into the lib subdirectory of the binary distribution. - camsutil-1.0.jar
This is a helper package used by the login module to validate the username/password. It is available in /mit/touchstone/builds/NIST/camsutil-1.0.jar. It must be copied into the lib subdirectory of the binary distribution along with the login module jar file.
- camslogin
- The installer will create and populate /usr/local/shibboleth-idp; the web application (war) file will be in /usr/local/shibboleth-idp/war/idp.war, but the current version of the idp.war will be available in the locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war).
- The idp application, running under Tomcat, needs full access to the install directory, so make sure it is owned by the tomcat user, e.g.:
To ensure that we run the current version of the web application, download the latest idp.war file from the touchstone locker (/mit/touchstone/builds/NIST/idp2-mit/idp.war) and copy it into /usr/local/tomcat/webapps/:No Format # chown -R tomcat:tomcat /usr/local/shibboleth-idp
No Format # cp /path/to/idp.war /usr/local/tomcat/webapps/ # chown tomcat:tomcat /usr/local/tomcat/webapps/idp.war
- Copy the idp's endorsed jar files to tomcat's endorsed dir:
No Format # mkdir -p /usr/local/tomcat/endorsed # cp -p /usr/local/shibboleth-idp/lib/endorsed/*.jar /usr/local/tomcat/endorsed/ # chown -R tomcat:tomcat /usr/local/tomcat/endorsed
- Copy in the idp config files for the server, to the conf subdirectory; these include:
- attribute-filter.xml
- attribute-resolver.xml
- handler.xml
- internal.xml
- logging.xml
- login.config
- relying-party.xml
- service.xml
- tc-config.xml (for terracotta clustering)
...