Notes about setting up a Moin-1.5.3 Wiki Farm on SL4 with these features:
 * Apache/SSL
 * mod_python
 * multiple wikis

== install Apache with SSL support ==
{{{
rm -rf /etc/httpd
yum -y install httpd system-config-httpd mod_python mod_ssl mod_auth_kerb
/sbin/service httpd start
}}}
Check that http and https work. A dummy certificate is created automatically during mod_ssl installation.

== TODO ==
 * htdocs/index.html should be adapted
 * apache config to redirect everything to http
 * share the underlay directories
 * farmconfig? or stay with one mod_python instance per wiki (safer?)

== moin basic installation (single wiki, CGI) ==
{{{
cd /tmp
tar xvfz moin-1.5.3.tar.gz
cd moin-1.5.3
python setup.py --quiet install --prefix=/usr1/moin --record=/tmp/moin.inst.log
}}}
Create a Wiki instance:
{{{
cd /usr1/moin/share/moin
mkdir testwiki
cp -a data underlay testwiki
mkdir testwiki/cgi-bin
cp server/moin.cgi testwiki/cgi-bin
cp config/wikiconfig.py testwiki
chown -R apache:apache testwiki
chmod -R ug+rwX testwiki
chmod -R o-rwx testwiki
}}}
Deal with SELinux:
{{{
chcon -R system_u:object_r:httpd_sys_content_t /usr1/moin
chcon -R system_u:object_r:httpd_sys_script_exec_t testwiki/cgi-bin
chcon system_u:object_r:httpd_sys_content_t /usr1
}}}
The last one is important, or apache cannot access the wiki.
 * => better have a separate filesystem under / for that

These lines are needed in testwiki/cgi-bin/moin.cgi:
{{{
sys.path.insert(0, '/usr1/moin/share/moin/testwiki')
sys.path.insert(0, '/usr1/moin/lib/python2.3/site-packages')
}}}
Edit wikiconfig.py:
{{{
sitename = u'Test Wiki'
page_front_page = u"TestWiki"
data_dir = '/usr1/moin/share/moin/testwiki/data/'
data_underlay_dir = '/usr1/moin/share/moin/testwiki/underlay/'
}}}
The default of './data' for data_dir and './underlay' for data_underlay_dir doesn't work. The paths are relative to the cgi executable, hence would need to be '../data' etc.
Create /etc/httpd/conf.d/moin.conf:
{{{
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>
ScriptAlias /testwiki "/usr1/moin/share/moin/testwiki/cgi-bin/moin.cgi"
<Directory "/usr1/moin/share/moin/testwiki/cgi-bin">
   Order deny,allow
   Allow from all
</Directory>
}}}

== mod_python ==
Simply change the Apache config to this:
{{{
Alias /wiki/ "/usr1/moin/share/moin/htdocs/"
<Directory "/usr1/moin/share/moin/htdocs/">
   Order deny,allow
   Allow from all
</Directory>
<Location /testwiki>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/testwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter testwiki
</Location>
}}}
So instead of the ScriptAlias we define a Location and have it handled by mod_python. The PythonInterpreter directive is not needed if just a single Wiki is set up, but it's crucial if multiple wikis are used:

== add another Wiki ==
Simply create another directory:
{{{
cd /usr1/moin/share/moin
mkdir DVInfo
cp -a data underlay DVInfo
cp testwiki/wikiconfig.py DVInfo
chown -R apache:apache DVInfo
chmod -R ug+rwX DVInfo
chmod -R o-rwx DVInfo
}}}
The selinux context should be correct without having to chcon. Now make the obvious changes in DVInfo/wikiconfig.py and create Apache configuration for the wiki in /etc/httpd/conf.d/moin-DVInfo.conf:
{{{
<Location /DVInfo>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/DVInfo', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter DVInfo
</Location>
}}}
Don't forget the last directive, or the subinterpreters for the wikis will share a single namespace. This doesn't work well...

== Security: Force SSL ==
Add to Apache config (in global context):
{{{
RewriteEngine on
RewriteRule ^.*$ https://%{SERVER_NAME}%{REQUEST_URI} [L,R]
}}}

== Secure Wiki using Kerberos5 and automatic user creation ==
Surprisingly, this even works with SELinux enabled.
Make wikiconfig.py start like this:
{{{#!python
from MoinMoin.multiconfig import DefaultConfig
from MoinMoin.auth import http, moin_cookie

class Config(DefaultConfig):
    auth = [http, moin_cookie]
    user_autocreate = True
}}}
Lines 1 and 4 are there by default. Lines 2,5,6 need to be added. Notice spaces are significant in python...

Add to Apache config:
{{{
SSLRequireSSL
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd On
KrbAuthRealms IFH.DE
KrbVerifyKDC Off
#Krb5KeyTab /etc/httpd/conf/keytab
require valid-user
}}}
 * only works if /etc/krb5.conf is MIT-compatible
   * and maybe we could ''finally'' roll one out that is ?!
 * for production, one should of course:
   * get a keytab file for HTTP/host.ifh.de and configure it
   * KrbVerifyKDC ''On''
   * then also negotiate should work (krb w/o password from browsers)

Now Krb5 Authentication happens before this Wiki can be accessed. And MoinMoin will automatically create a user profile! The username is the Kerberos Principal (''user''@IFH.DE), which is ugly! However, with a very tiny patch
{{{
--- MoinMoin/auth.py.orig 2006-06-05 15:54:55.000000000 +0200 +++ MoinMoin/auth.py 2006-06-05 15:55:13.000000000 +0200 
@@ -183,6 +183,7 @@ auth_type = env.get('AUTH_TYPE','') if auth_type in ['Basic', 'Digest', 'NTLM', 'Negotiate',]: username = env.get('REMOTE_USER','') + username = username.split('@')[0] if auth_type in ('NTLM', 'Negotiate',): # converting to standard case so the user can even enter wrong case # (added since windows does not distinguish between e.g.
}}}
it works acceptably. An alias can be set in the User Preferences, which will be shown e.g. in the Recent Changes. And one could create a second homepage which just includes the first one, e.g. Stephan``Wiesand would look like this:
{{{
[[Include(wiesand)]]
}}}
Obviously, instead of stripping the realm, one could
 * replace it with @DESY.DE
 * fetch information from VAMOS or the registry and construct a WikiName
   * this runs for EVERY request, hence the result should be cached persistently
 * possibly: create a mapping table for all registered users (platform adapter?)

Notice that mod_auth_kerb can deal with a ''list'' of realms to try.
 * how about ''IFH.DE DESY.DE'' ?
 * or ''IFH.DE DESY.DE WIN.DESY.DE'' ?
   * verified: this works!
 * or, maybe even ''IFH.DE DESY.DE WIN.DESY.DE CERN.CH ...'' ???
It just needs a service key for all of these realms (or leaving KrbVerifyKDC off, which also inhibits Negotiate aka SPNEGO).

=== Refinement: Allow anonymous access, login, logout ===
Example: "xwiki".
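Review bot: the added `username = username.split('@')[0]` in the MoinMoin/auth.py hunk (@@ -183,6 +183,7 @@, quoted in the Kerberos section above) discards the realm for every REMOTE_USER value, under all four auth types of the enclosing `if`, so as soon as KrbAuthRealms lists more than one realm, user@IFH.DE and user@DESY.DE resolve to the same wiki account, and with user_autocreate on, the profile created by whoever logs in first is the one the other principal gets. Suggest stripping the suffix only when it equals the single home realm and leaving other principals fully qualified (or rejecting them), with a comment next to the line stating which realm is assumed.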
/etc/httpd/conf.d/moin-xwiki.conf:
{{{
<Location /xwiki>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter xwiki
</Location>
<Location "/xwiki(auth)">
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.3/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter xwiki
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Please log in with your Kerberos (AFS) Password"
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms IFH.DE
   KrbVerifyKDC Off
   #Krb5KeyTab /etc/httpd/conf/keytab
   require valid-user
</Location>
}}}
And in ssl.conf, add to the virtual host (at the end):
{{{
RewriteEngine on
RewriteCond %{QUERY_STRING} action=login$
RewriteRule ^(.+)/(.+)$ $1(auth)/$2? [L,R]
RewriteCond %{QUERY_STRING} action=logout
RewriteRule ^(.+)\(auth\)(.+)$ $1$2? [L,R]
}}}
It turns out this can also be combined into /etc/httpd/conf.d/moin-xwiki.conf:
{{{
Order Deny,Allow
Allow from All
<Location /xwiki>
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter xwiki
   RewriteEngine on
   RewriteCond %{QUERY_STRING} action=login$
   RewriteRule ^.+?/xwiki/(.+)$ /xwiki(authenticated)/$1? [L,R]
</Location>
<Location "/xwiki(authenticated)">
   SetHandler python-program
   # Add the path of your wiki directory
   PythonPath "['/usr1/moin/share/moin/xwiki', '/usr1/moin/lib/python2.4/site-packages'] + sys.path"
   PythonHandler MoinMoin.request::RequestModPy.run
   PythonInterpreter xwiki
   SSLRequireSSL
   AuthType Kerberos
   AuthName "Please log in with your Kerberos (AFS) Password"
   KrbMethodNegotiate On
   KrbMethodK5Passwd On
   KrbAuthRealms IFH.DE
   KrbVerifyKDC Off
   #Krb5KeyTab /etc/httpd/conf/keytab
   require valid-user
   RewriteEngine On
   RewriteCond %{QUERY_STRING} action=logout
   RewriteRule ^.+?/xwiki\(authenticated\)/(.*)$ /xwiki/$1 [L,R]
</Location>
}}}
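
Going back to the realm handling in the Kerberos section: the sketch below is an added example, not part of the original notes and not MoinMoin code. It shows which principals fold into one account when the realm is simply stripped, and a realm-aware mapping with a cache as the notes suggest; the realm table, the `lookup` hook and the sample principals are assumptions.

```python
import re

# Assumptions, not MoinMoin settings: the trusted realms and the suffix each
# one keeps in the wiki user name. Only the home realm is shortened.
REALM_SUFFIX = {"IFH.DE": "", "DESY.DE": "@DESY.DE", "WIN.DESY.DE": "@WIN.DESY.DE"}
PRINCIPAL = re.compile(r"^([A-Za-z0-9._-]+)@([A-Z0-9.-]+)$")

# Constructed sample principals.
SAMPLE = ["alice@IFH.DE", "alice@DESY.DE", "bob@IFH.DE", "alice@CERN.CH"]

def strip_realm(remote_user):
    """Behaviour of the one-line patch: keep the part before the first '@'."""
    return remote_user.split("@")[0]

def collisions(principals):
    """Principals that strip_realm() folds into one wiki account."""
    groups = {}
    for p in sorted(set(principals)):
        groups.setdefault(strip_realm(p), []).append(p)
    return {name: ps for name, ps in groups.items() if len(ps) > 1}

class PrincipalMapper:
    """Realm-aware mapping; cached because it runs on every request."""

    def __init__(self, lookup=None):
        self.lookup = lookup  # hypothetical directory query: (user, realm) -> name or None
        self.cache = {}       # in-memory stand-in for a persistent store
        self.lookups = 0      # counts cache misses that reached the mapping step

    def wiki_name(self, remote_user):
        if remote_user in self.cache:
            return self.cache[remote_user]
        m = PRINCIPAL.match(remote_user or "")
        if not m or m.group(2) not in REALM_SUFFIX:
            return None       # malformed or untrusted realm: refuse, create no user
        user, realm = m.groups()
        self.lookups += 1
        name = self.lookup(user, realm) if self.lookup else None
        self.cache[remote_user] = name or user + REALM_SUFFIX[realm]
        return self.cache[remote_user]
```

Service principals such as host/name@REALM fail the pattern and are refused rather than turned into wiki users.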
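
A small checker for conf.d files like the ones built up on this page, added as an example (not from the original notes, MoinMoin or mod_auth_kerb). It flags mod_python Locations without their own PythonInterpreter and Kerberos blocks that allow password login without SSLRequireSSL or set KrbVerifyKDC Off; the sample config is constructed and only `<Location>` blocks are parsed.

```python
import re

# Constructed sample in the style of this page's conf.d files.
SAMPLE = """
<Location /testwiki>
   SetHandler python-program
   PythonPath "['/usr1/moin/share/moin/testwiki'] + sys.path"
   PythonInterpreter testwiki
</Location>
<Location /DVInfo>
   SetHandler python-program
   PythonPath "['/usr1/moin/share/moin/DVInfo'] + sys.path"
   AuthType Kerberos
   KrbMethodK5Passwd On
   KrbVerifyKDC Off
</Location>
"""

def directives(body):
    """Lower-cased directive name -> argument string, comments skipped."""
    out = {}
    for line in body.splitlines():
        parts = line.split(None, 1)
        if parts and not parts[0].startswith("#"):
            out[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return out

def audit(conf):
    """Return (location, finding) pairs for the pitfalls the page names."""
    findings, owner = [], {}
    blocks = re.findall(r'<Location\s+"?([^">]+)"?\s*>(.*?)</Location>', conf, re.S | re.I)
    for loc, body in blocks:
        d = directives(body)
        if d.get("sethandler", "").lower() == "python-program":
            interp = d.get("pythoninterpreter")
            wiki = re.search(r"\['([^']+)'", d.get("pythonpath", ""))
            wiki = wiki.group(1) if wiki else None
            if not interp:
                findings.append((loc, "no PythonInterpreter"))
            elif owner.setdefault(interp, wiki) != wiki:
                findings.append((loc, "PythonInterpreter shared with another wiki"))
        if d.get("authtype", "").lower() == "kerberos":
            if "sslrequiressl" not in d and d.get("krbmethodk5passwd", "on").lower() == "on":
                findings.append((loc, "password login without SSLRequireSSL"))
            if d.get("krbverifykdc", "on").lower() == "off":
                findings.append((loc, "KrbVerifyKDC Off"))
    return findings
```

Two Locations that serve the same wiki directory under one interpreter name, as in the xwiki setup, are not reported as shared.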