Differences between revisions 1 and 2
Revision 1 as of 2006-06-04 18:59:54
Size: 4023
Comment:
Revision 2 as of 2006-06-05 16:13:50
Size: 6518
Comment:
Line 14:
  revision 1: Check that http and https work. A dummy certificate is ceated automatically
  revision 2: Check that http and https work. A dummy certificate is created automatically
Line 133:
  revision 2 adds the sections "Security: Force SSL" and "Secure Wiki using Kerberos5 and automatic user creation"; both appear in full in the page below.

Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:

  • Apache/SSL
  • mod_python
  • multiple wikis


install Apache with SSL support

 rm -rf /etc/httpd
 yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
 /sbin/service httpd start

Check that http and https work. A dummy certificate is created automatically during mod_ssl installation.

TODO

  • htdocs/index.html should be adapted
  • apache config to redirect everything to http
  • share the underlay directories
  • farmconfig? or stay with one mod_python instance per wiki (safer?)

moin basic installation (single wiki, CGI)

cd /tmp
tar xvfz moin-1.5.3.tar.gz
cd moin-1.5.3
python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log

Create a Wiki instance:

cd /usr1/moin/share/moin
mkdir testwiki
cp -a data underlay testwiki

mkdir testwiki/cgi-bin
cp server/moin.cgi testwiki/cgi-bin

cp config/wikiconfig.py testwiki

chown -R apache:apache testwiki
chmod -R ug+rwX testwiki
chmod -R o-rwx testwiki

Deal with SELinux:

chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin

chcon system_u:object_r:httpd_sys_content_t /usr1

The last one is important, or apache cannot access the wiki.

  • => better to have a separate filesystem under / for the wiki tree

These lines are needed in testwiki/cgi-bin/moin.cgi:

sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')

Edit wikiconfig.py:

sitename = u'Test Wiki'
page_front_page = u"TestWiki"
data_dir = '/usr1/moin/share/moin/testwiki/data/'
data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'

The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work. The paths are relative to the cgi executable, hence would need to be '../data' etc.

Create /etc/httpd/conf.d/moin.conf:

Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>

ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
<Directory "/usr1/moin/share/moin/testwiki/cgi-bin/">
    Order deny,allow
    Allow from all
</Directory>

mod_python

Simply change the Apache config to this:

Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>

<Location /testwiki>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter testwiki
</Location>

So instead of the ScriptAlias we define a Location and have it handled by mod_python. The PythonInterpreter directive is not needed if just a single wiki is set up, but it's crucial if multiple wikis are used.

add another Wiki

Simply create another directory:

cd /usr1/moin/share/moin
mkdir DVInfo
cp -a data underlay DVInfo
cp testwiki/wikiconfig.py DVInfo

chown -R apache:apache DVInfo
chmod -R ug+rwX DVInfo
chmod -R o-rwx DVInfo

The SELinux context should be correct without having to chcon. Now make the obvious changes in DVInfo/wikiconfig.py and create the Apache configuration for the wiki in /etc/httpd/conf.d/moin-DVInfo.conf:

<Location /DVInfo>
    SetHandler python-program
    # Add the path of your wiki directory
    PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
    PythonHandler MoinMoin.request::RequestModPy.run
    PythonInterpreter DVInfo
</Location>

Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...

Security: Force SSL

Add to Apache config (in global context):

<VirtualHost *:80>
  RewriteEngine on
  RewriteRule ^.*$  https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
</VirtualHost>

Secure Wiki using Kerberos5 and automatic user creation

Make wikiconfig.py start like this:

   1 from MoinMoin.multiconfig import DefaultConfig
   2 from MoinMoin.auth import http, moin_cookie
   3 
   4 class Config(DefaultConfig):
   5    auth = [http, moin_cookie]
   6    user_autocreate = True

Lines 1 and 4 are there by default. Lines 2,5,6 need to be added.

Add to Apache config:

<Location /DVInfo>
  SSLRequireSSL
  AuthType Kerberos
  AuthName "Kerberos Login"
  KrbMethodNegotiate On
  KrbMethodK5Passwd On
  KrbAuthRealms IFH.DE
  KrbVerifyKDC Off
  #Krb5KeyTab /etc/httpd/conf/keytab
  require valid-user
</Location>
  • only works if /etc/krb5.conf is MIT-compatible
    • and maybe we could finally roll one out that is ?!
  • for production, one should of course:
    • get a keytab file for HTTP/host.ifh.de and configure it
    • KrbVerifyKDC On
    • then also negotiate should work (krb w/o password from browsers)

Now Krb5 Authentication happens before this Wiki can be accessed. And MoinMoin will automatically create a user profile! The username is the Kerberos Principal (user@IFH.DE), which is ugly! However, with a very tiny patch

--- MoinMoin/auth.py.orig       2006-06-05 15:54:55.000000000 +0200
+++ MoinMoin/auth.py    2006-06-05 15:55:13.000000000 +0200
@@ -183,6 +183,7 @@
         auth_type = env.get('AUTH_TYPE','')
         if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]:
             username = env.get('REMOTE_USER','')
+            username = username.split('@')[0]
             if auth_type in ('NTLM', 'Negotiate',):
                 # converting to standard case so the user can even enter wrong case
                 # (added since windows does not distinguish between e.g.
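Review bot: the added `username = username.split('@')[0]` drops everything after the first '@' without checking which realm it was, so if KrbAuthRealms is ever widened beyond IFH.DE (or a second auth module sets REMOTE_USER), `user@IFH.DE` and `user@OTHER.REALM` collapse onto the same auto-created wiki account. Compare the realm against the realm(s) the wiki trusts before stripping it, and leave `username` empty when it does not match so that auto-creation does not happen. A short comment on the line would also help, since for a Basic or Digest REMOTE_USER with no '@' the split silently returns the whole string.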

it works acceptably. An alias can be set in the User Preferences, which will be shown e.g. in the Recent Changes. And one could create a second homepage which just includes the first one, e.g. StephanWiesand would look like this:

[[Include(wiesand)]]

Obviously, instead of stripping the realm, one could

  • replace it with @DESY.DE
  • fetch information from VAMOS or the registry and construct a WikiName
    • this runs for EVERY request, hence the result should be cached persistently
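As an added illustration of the realm handling discussed in the patch and the bullets above (example code, not MoinMoin's own), the following function checks the realm against an allowed list before dropping it, builds a WikiName from a directory entry, and memoises the result. ALLOWED_REALMS, DIRECTORY and the function name are assumptions for this example; the in-memory DIRECTORY stands in for the VAMOS/registry lookup.

```python
import re

# Mirrors KrbAuthRealms from the <Location /DVInfo> block above; an assumed
# value for this stand-alone example, not read from Apache.
ALLOWED_REALMS = ('IFH.DE',)

# Constructed stand-in for the VAMOS/registry lookup mentioned on the page:
# login name -> (first name, last name).
DIRECTORY = {'wiesand': ('Stephan', 'Wiesand')}

# The mapping runs on every request, so results are memoised; a production
# deployment would persist this cache as the page suggests.
_cache = {}

LOGIN_RE = re.compile(r'^[a-z][a-z0-9._-]{0,31}$')
REALM_RE = re.compile(r'^[A-Z][A-Z0-9.-]*$')


def wiki_name_from_remote_user(remote_user, auth_type, directory=DIRECTORY):
    """Return the wiki username for mod_auth_kerb's REMOTE_USER, or None.

    Unlike the one-line patch, the realm is checked against ALLOWED_REALMS
    before it is dropped, so a principal from a realm Apache might accept
    later cannot land on an existing local account.
    """
    if auth_type not in ('Basic', 'Digest', 'NTLM', 'Negotiate') or not remote_user:
        return None
    login, sep, realm = remote_user.rpartition('@')
    if not sep:
        return None                     # a Kerberos principal always carries a realm
    if auth_type in ('NTLM', 'Negotiate'):
        login = login.lower()           # same case folding MoinMoin applies itself
    key = login + '@' + realm
    if key in _cache:
        return _cache[key]
    if not LOGIN_RE.match(login) or not REALM_RE.match(realm):
        return None                     # odd characters or over-long names never become page names
    if realm not in ALLOWED_REALMS:
        return None                     # accepted by Apache, but not a realm this wiki trusts
    names = directory.get(login)
    if names:
        # Build a WikiName such as StephanWiesand from the directory entry.
        wiki_name = ''.join(part.capitalize() for part in names)
    else:
        wiki_name = login               # no directory entry: bare login, as the patch does
    _cache[key] = wiki_name
    return wiki_name
```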

Moin1.5_WikiFarm_Setup (last edited 2008-10-30 11:40:15 by localhost)