Differences between revisions 7 and 8
Revision 7 as of 2007-01-28 14:35:54 (size 9629)
Revision 8 as of 2008-10-30 11:40:15 (size 9629), editor: localhost, comment: converted to 1.6 markup
Line 7: [[TableOfContents]] (deleted) replaced by <<TableOfContents>> (added)

Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:

  • Apache/SSL
  • mod_python
  • multiple wikis

install Apache with SSL support

 rm -rf /etc/httpd
 yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
 /sbin/service httpd start

Check that http and https work. A dummy certificate is created automatically during mod_ssl installation.

TODO

  • htdocs/index.html should be adapted
  • apache config to redirect everything to http
  • share the underlay directories
  • farmconfig? or stay with one mod_python instance per wiki (safer?)

moin basic installation (single wiki, CGI)

cd /tmp
tar xvfz moin-1.5.3.tar.gz
cd moin-1.5.3
python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log

Create a Wiki instance:

cd /usr1/moin/share/moin
mkdir testwiki
cp -a data underlay testwiki

mkdir testwiki/cgi-bin
cp server/moin.cgi testwiki/cgi-bin

cp config/wikiconfig.py testwiki

chown -R apache:apache testwiki
chmod -R ug+rwX testwiki
chmod -R o-rwx testwiki

Deal with SELinux:

chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin

chcon system_u:object_r:httpd_sys_content_t /usr1

The last one is important, or apache cannot access the wiki.

  • => better to have a separate filesystem under / for that

These lines are needed in testwiki/cgi-bin/moin.cgi:

sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')

Edit wikiconfig.py:

sitename = u'Test Wiki'
page_front_page = u"TestWiki"
data_dir = '/usr1/moin/share/moin/testwiki/data/'
data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'

The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work. The paths are relative to the cgi executable, hence would need to be '../data' etc.

Create /etc/httpd/conf.d/moin.conf:

Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>

ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
<Directory "/usr1/moin/share/moin/testwiki/cgi-bin/">
    Order deny,allow
    Allow from all
</Directory>

mod_python

Simply change the Apache config to this:

Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>

<Location /testwiki>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter testwiki
</Location>

So instead of the ScriptAlias we define a Location and have it handled by mod_python. The PythonInterpreter directive is not needed if just a single wiki is set up, but it's crucial if multiple wikis are used:

add another Wiki

Simply create another directory:

cd /usr1/moin/share/moin
mkdir DVInfo
cp -a data underlay DVInfo
cp testwiki/wikiconfig.py DVInfo

chown -R apache:apache DVInfo
chmod -R ug+rwX DVInfo
chmod -R o-rwx DVInfo

The SELinux context should be correct without having to chcon. Now make the obvious changes in DVInfo/wikiconfig.py and create the Apache configuration for the wiki in /etc/httpd/conf.d/moin-DVInfo.conf:

<Location /DVInfo>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter DVInfo
</Location>

Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...

Security: Force SSL

Add to Apache config (in global context):

<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^.*$  https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>

Secure Wiki using Kerberos5 and automatic user creation

Surprisingly, this even works with SELinux enabled.

Make wikiconfig.py start like this:

   1 from MoinMoin.multiconfig import DefaultConfig
   2 from MoinMoin.auth import http, moin_cookie
   3 
   4 class Config(DefaultConfig):
   5     auth = [http, moin_cookie]
   6     user_autocreate = True

Lines 1 and 4 are there by default; lines 2, 5 and 6 need to be added. Note that indentation is significant in Python...

Add to Apache config:

<Location /DVInfo>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms IFH.DE
  KrbVerifyKDC Off
  #Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>

  • only works if /etc/krb5.conf is MIT-compatible
    • and maybe we could finally roll one out that is?!
  • for production, one should of course:
    • get a keytab file for HTTP/host.ifh.de and configure it
    • KrbVerifyKDC On
    • then also Negotiate should work (Kerberos without a password prompt in browsers)

Now Kerberos 5 authentication happens before this wiki can be accessed, and MoinMoin will automatically create a user profile! The username is the Kerberos principal (user@IFH.DE), which is ugly! However, with a very tiny patch

--- MoinMoin/auth.py.orig       2006-06-05 15:54:55.000000000 +0200
+++ MoinMoin/auth.py    2006-06-05 15:55:13.000000000 +0200
@@ -183,6 +183,7 @@
         auth_type = env.get('AUTH_TYPE','')
         if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]:
             username = env.get('REMOTE_USER','')
+            username = username.split('@')[0]
             if auth_type in ('NTLM', 'Negotiate',):
                 # converting to standard case so the user can even enter wrong case
                 # (added since windows does not distinguish between e.g.
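Review bot: `username = username.split('@')[0]` throws the realm away for every auth type, so as soon as KrbAuthRealms lists more than one realm (IFH.DE DESY.DE WIN.DESY.DE CERN.CH is tried further down this page) principals that differ only in the realm, e.g. wiesand@IFH.DE and wiesand@CERN.CH, end up as the same MoinMoin user and share one profile (and whatever the ACLs grant that name); a service principal such as host/www.ifh.de@IFH.DE would also pass and create a user named host/www.ifh.de. Suggest looking the realm up in an explicit table instead (each accepted realm gets its own suffix, anything else is refused, which is close to the "replace it with @DESY.DE" idea below) and rejecting local parts that contain "/".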

it works acceptably. An alias can be set in the User Preferences, which will be shown e.g. in the Recent Changes. And one could create a second homepage which just includes the first one, e.g. StephanWiesand would look like this:

[[Include(wiesand)]]

Obviously, instead of stripping the realm, one could

  • replace it with @DESY.DE
  • fetch information from VAMOS or the registry and construct a WikiName
    • this runs for EVERY request, hence the result should be cached persistently
      • possibly: create a mapping table for all registered users (platform adapter?)

Notice that mod_auth_kerb can deal with a list of realms to try.

  • how about IFH.DE DESY.DE ?
  • or IFH.DE DESY.DE WIN.DESY.DE ?
    • verified: this works!
  • or, maybe even IFH.DE DESY.DE WIN.DESY.DE CERN.CH ... ???

It just needs a service key for all of these realms (or leaving KrbVerifyKDC off, which also inhibits Negotiate aka SPNEGO).
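As an added example (not MoinMoin or mod_auth_kerb code) for the realm handling discussed around the patch and the multi-realm list above: a mapping that keeps the realm information instead of stripping it, so accounts from different realms cannot collide, refuses service principals and unlisted realms, and caches its result because it runs on every request. The realm table and its suffixes are constructed for this example.

```python
from functools import lru_cache

# Constructed realm table (assumption): the home realm keeps the bare local
# part, every other accepted realm gets a distinct suffix, so wiesand@IFH.DE
# and wiesand@CERN.CH become different wiki users instead of one.
REALM_SUFFIX = {
    "IFH.DE": "",
    "DESY.DE": "_desy",
    "WIN.DESY.DE": "_win",
    "CERN.CH": "_cern",
}

# The AUTH_TYPE values the patched MoinMoin.auth code accepts.
HTTP_AUTH_TYPES = ("Basic", "Digest", "NTLM", "Negotiate")


@lru_cache(maxsize=4096)  # runs on every request, so cache per (user, type)
def principal_to_wikiname(remote_user, auth_type):
    """Wiki user name for REMOTE_USER, or None if the login must be refused."""
    if auth_type not in HTTP_AUTH_TYPES or not remote_user:
        return None
    # Kerberos principal form is primary[/instance]@REALM; the last '@' splits it.
    local, sep, realm = remote_user.rpartition("@")
    if not sep:
        # No realm: plain Basic/Digest user from another auth module, keep as-is.
        local = remote_user
    else:
        suffix = REALM_SUFFIX.get(realm)  # realms are case-sensitive, exact match
        if suffix is None:
            return None  # unlisted realm: refuse rather than merge with a known one
        if not local or "/" in local:
            return None  # empty name or a service principal (host/..., HTTP/...)
        local = local + suffix
    if auth_type in ("NTLM", "Negotiate"):
        local = local.lower()  # MoinMoin already folds case for these types
    return local


def wikiname_from_env(env):
    """Same lookup on a CGI/mod_python environment dict, as in the patched code."""
    return principal_to_wikiname(env.get("REMOTE_USER", ""), env.get("AUTH_TYPE", ""))


if __name__ == "__main__":
    # Constructed sample environments as mod_auth_kerb would populate them.
    for env in ({"AUTH_TYPE": "Negotiate", "REMOTE_USER": "Wiesand@IFH.DE"},
                {"AUTH_TYPE": "Basic", "REMOTE_USER": "wiesand@CERN.CH"},
                {"AUTH_TYPE": "Basic", "REMOTE_USER": "host/www.ifh.de@IFH.DE"},
                {"AUTH_TYPE": "Basic", "REMOTE_USER": "wiesand@EXAMPLE.ORG"}):
        print(env["REMOTE_USER"], "->", wikiname_from_env(env))
```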

Refinement: Allow anonymous access, login, logout

Example: "xwiki".

/etc/httpd/conf.d/moin-xwiki.conf:

<Location /xwiki>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki
</Location>

<Location /xwiki(auth)>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki

    SSLRequireSSL
    AuthType Kerberos
    AuthName "Please log in with your Kerberos (AFS) Password"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IFH.DE
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
    require valid-user
</Location>

And in ssl.conf, add to the virtual host (at the end):

RewriteEngine on

RewriteCond %{QUERY_STRING} action=login$
RewriteRule ^(.+)/(.+)$  $1(auth)/$2?   [L,R]

RewriteCond %{QUERY_STRING} action=logout
RewriteRule ^(.+)\(auth\)(.+)$  $1$2?   [L,R]

It turns out this can also be combined into /etc/httpd/conf.d/moin-xwiki.conf:

<Location /xwiki>
    Order Deny,Allow
    Allow from All

    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki

    RewriteEngine on
    RewriteCond %{QUERY_STRING} action=login$
    RewriteRule ^.+?/xwiki/(.+)$  /xwiki(authenticated)/$1? [L,R]
</Location>

<Location /xwiki(authenticated)>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter xwiki

    SSLRequireSSL
    AuthType Kerberos
    AuthName "Please log in with your Kerberos (AFS) Password"
    KrbMethodNegotiate On
    KrbMethodK5Passwd On
    KrbAuthRealms IFH.DE
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
    require valid-user

    RewriteEngine On
    RewriteCond %{QUERY_STRING} action=logout
    RewriteRule ^.+?/xwiki\(authenticated\)/(.*)$  /xwiki/$1 [L,R]
</Location>

Moin1.5_WikiFarm_Setup (last edited 2008-10-30 11:40:15 by localhost)