Line 151: | Line 151: |
user_autocreate = True; | user_autocreate = True |
Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:
- Apache/SSL
- mod_python
- multiple wikis
install Apache with SSL support
    rm -rf /etc/httpd
    yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
    /sbin/service httpd start
Check that http and https work. A dummy certificate is created automatically during mod_ssl installation.
TODO
- htdocs/index.html should be adapted
- apache config to redirect everything to http
- share the underlay directories
- farmconfig? or stay with one mod_python instance per wiki (safer?)
moin basic installation (single wiki, CGI)
    cd /tmp
    tar xvfz moin-1.5.3.tar.gz
    cd moin-1.5.3
    python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log
Create a Wiki instance:
    cd /usr1/moin/share/moin
    mkdir testwiki
    cp -a data underlay testwiki
    mkdir testwiki/cgi-bin
    cp server/moin.cgi testwiki/cgi-bin
    cp config/wikiconfig.py testwiki
    chown -R apache:apache testwiki
    chmod -R ug+rwX testwiki
    chmod -R o-rwx testwiki
Deal with SELinux:
    chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
    chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin
    chcon system_u:object_r:httpd_sys_content_t /usr1
The last one is important, or apache cannot access the wiki.
=> better have a separate filesystem under / for that
These lines are needed in testwiki/cgi-bin/moin.cgi:
    sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
    sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')
Edit wikiconfig.py:
    sitename = u'Test Wiki'
    page_front_page = u"TestWiki"
    data_dir = '/usr1/moin/share/moin/testwiki/data/'
    data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'
The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work. The paths are relative to the cgi executable, hence would need to be '../data' etc.
Create /etc/httpd/conf.d/moin.conf:
    Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
    <Directory "/usr1/moin/share/moin/htdocs/">
        Order deny,allow
        Allow from all
    </Directory>
    ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
    <Directory "/usr1/moin/share/moin/testwiki/cgi-bin/">
        Order deny,allow
        Allow from all
    </Directory>
mod_python
Simply change the Apache config to this:
    Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
    <Directory "/usr1/moin/share/moin/htdocs/">
        Order deny,allow
        Allow from all
    </Directory>
    <Location /testwiki>
        SetHandler python-program
        # Add the path of your wiki directory
        PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
        PythonHandler MoinMoin.request::RequestModPy.run
        PythonInterpreter testwiki
    </Location>
So instead of the ScriptAlias we define a Location and have it handled by mod_python. The PythonInterpreter directive is not needed if just a single Wiki is set up, but it's crucial if multiple wikis are used:
add another Wiki
Simply create another directory:
    cd /usr1/moin/share/moin
    mkdir DVInfo
    cp -a data underlay DVInfo
    cp testwiki/wikiconfig.py DVInfo
    chown -R apache:apache DVInfo
    chmod -R ug+rwX DVInfo
    chmod -R o-rwx DVInfo
The SELinux context should be correct without having to chcon. Now make the obvious changes in DVInfo/wikiconfig.py and create the Apache configuration for the wiki in /etc/httpd/conf.d/moin-DVInfo.conf:
    <Location /DVInfo>
        SetHandler python-program
        # Add the path of your wiki directory
        PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
        PythonHandler MoinMoin.request::RequestModPy.run
        PythonInterpreter DVInfo
    </Location>
Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...
Security: Force SSL
Add to Apache config (in global context):
    <VirtualHost *:80>
        RewriteEngine on
        RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
    </VirtualHost>
Secure Wiki using Kerberos5 and automatic user creation
Make wikiconfig.py start like this:
Lines 1 and 4 are there by default. Lines 2,5,6 need to be added.
Add to Apache config:
    <Location /DVInfo>
        SSLRequireSSL
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd On
        KrbAuthRealms IFH.DE
        KrbVerifyKDC Off
        #Krb5KeyTab /etc/httpd/conf/keytab
        require valid-user
    </Location>
- only works if /etc/krb5.conf is MIT-compatible
  (and maybe we could finally roll one out that is ?!)
- for production, one should of course:
  - get a keytab file for HTTP/host.ifh.de and configure it
  - set KrbVerifyKDC On
  - then also negotiate should work (krb w/o password from browsers)
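An added example (not part of the original notes, and not MoinMoin or Apache code): a small check for the pitfalls named above, namely a mod_python Location without its own PythonInterpreter and a Kerberos Location left at the test settings. The sample configuration is constructed, and the finding texts are this example's own wording.

```python
import re
# Constructed sample modelled on the Location blocks above. PythonInterpreter is
# left out of /testwiki and SSLRequireSSL out of /DVInfo on purpose.
SAMPLE_CONF = """
<Location /testwiki>
    SetHandler python-program
</Location>
<Location /DVInfo>
    SetHandler python-program
    PythonInterpreter DVInfo
</Location>
<Location /DVInfo>
    AuthType Kerberos
    KrbVerifyKDC Off
    #Krb5KeyTab /etc/httpd/conf/keytab
</Location>
"""
BLOCK_RE = re.compile(r"<Location\s+([^>\s]+)\s*>(.*?)</Location>", re.S | re.I)

def parse_locations(conf_text):
    """Return {path: {directive: argument}}; blocks for the same path are merged."""
    blocks = {}
    for path, body in BLOCK_RE.findall(conf_text):
        directives = blocks.setdefault(path, {})
        for line in (l.strip() for l in body.splitlines()):
            if line and not line.startswith("#"):   # commented-out directives do not count
                name, arg = (line.split(None, 1) + [""])[:2]
                directives[name.lower()] = arg
    return blocks

def audit(conf_text):
    """Return sorted (path, finding) pairs for the pitfalls described on this page."""
    findings, interpreters = [], {}
    for path, d in parse_locations(conf_text).items():
        if d.get("sethandler", "").lower() == "python-program":
            name = d.get("pythoninterpreter")
            if name is None:
                findings.append((path, "PythonInterpreter missing"))
            elif interpreters.setdefault(name, path) != path:
                findings.append((path, "PythonInterpreter shared with " + interpreters[name]))
        if d.get("authtype", "").lower() == "kerberos":
            checks = [("SSLRequireSSL missing", "sslrequiressl" not in d),
                      ("KrbVerifyKDC Off", d.get("krbverifykdc", "").lower() == "off"),
                      ("Krb5KeyTab not set", "krb5keytab" not in d)]
            findings += [(path, msg) for msg, hit in checks if hit]
    return sorted(findings)

if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

To check a real setup, pass the concatenated contents of the files in /etc/httpd/conf.d/ to audit().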
Now Krb5 Authentication happens before this Wiki can be accessed. And MoinMoin will automatically create a user profile! The username is the Kerberos Principal (user@IFH.DE), which is ugly! However, with a very tiny patch
--- MoinMoin/auth.py.orig 2006-06-05 15:54:55.000000000 +0200 +++ MoinMoin/auth.py 2006-06-05 15:55:13.000000000 +0200 @@ -183,6 +183,7 @@ auth_type = env.get('AUTH_TYPE','') if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]: username = env.get('REMOTE_USER','') + username = username.split('@')[0] if auth_type in ('NTLM', 'Negotiate',): # converting to standard case so the user can even enter wrong case # (added since windows does not distinguish between e.g.
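Review bot: the added line `username = username.split('@')[0]` sits directly under `username = env.get('REMOTE_USER','')`, so it runs for every type in the list (Basic, Digest, NTLM, Negotiate) and discards whatever follows the first '@' without looking at it. Two principals that differ only in realm would map to the same wiki user, which leaves the Apache side (KrbAuthRealms) as the only thing keeping foreign realms out. Consider stripping the suffix only when it equals the expected realm and leaving other names unchanged, and add a comment at the new line saying why the realm is removed.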
it works acceptably. An alias can be set in the User Preferences, which will be shown e.g. in the Recent Changes. And one could create a second homepage which just includes the first one, e.g. StephanWiesand would look like this:
    [[Include(wiesand)]]
Obviously, instead of stripping the realm, one could
- replace it with @DESY.DE
- fetch information from VAMOS or the registry and construct a WikiName
  - this runs for EVERY request, hence the result should be cached persistently
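An added example (not part of the original notes and not MoinMoin code; written for current Python 3 rather than the Python 2.3 used above): a realm-aware alternative to the unconditional split, combined with the persistent cache suggested in the last item. The `lookup` callback is a hypothetical stand-in for the VAMOS/registry query, and refusing bare names and instance principals is an assumed policy.

```python
import sqlite3

ALLOWED_REALM = "IFH.DE"   # the realm given in KrbAuthRealms above

def local_name(remote_user, realm=ALLOWED_REALM):
    """Return the login name if REMOTE_USER is user@<realm>, else None.

    Unlike split('@')[0], a principal from any other realm, a bare name and an
    instance principal such as user/admin are refused (assumed policy).
    """
    user, sep, got = remote_user.partition("@")
    if not user or "/" in user or not sep or got != realm:
        return None
    return user

def wiki_name(remote_user, db, lookup):
    """Map a principal to a WikiName, calling `lookup` at most once per user.

    `lookup` is a hypothetical callback standing in for the VAMOS/registry
    query; `db` is an sqlite3 connection that serves as the persistent cache.
    """
    user = local_name(remote_user)
    if user is None:
        return None
    db.execute("CREATE TABLE IF NOT EXISTS names (user TEXT PRIMARY KEY, wiki TEXT)")
    row = db.execute("SELECT wiki FROM names WHERE user = ?", (user,)).fetchone()
    if row:
        return row[0]                    # cache hit: no directory query
    name = lookup(user) or user          # unknown user: keep the login name
    db.execute("INSERT INTO names VALUES (?, ?)", (user, name))
    db.commit()
    return name

def demo():
    """Run three constructed requests against an in-memory cache."""
    calls = []
    def fake_lookup(user):               # constructed directory data
        calls.append(user)
        return {"wiesand": "StephanWiesand"}.get(user)
    db = sqlite3.connect(":memory:")     # use a file path for a persistent cache
    names = [wiki_name(p, db, fake_lookup)
             for p in ("wiesand@IFH.DE", "wiesand@IFH.DE", "wiesand@EXAMPLE.ORG")]
    return names, calls

if __name__ == "__main__":
    print(demo())
```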