Table of Contents
Pubcookie and Windows Active Directory are a good choice of tools when wanting to provide single sign on within an institute. Many institutions will already be using the Active Directory for user authentication and Pubcookie provides a robust and flexible layer on top to provide web-based secure single sign on. Pubcookie authentication can be used for Apache httpd 1.3.* and 2.0.* authentication, and for authenticating Microsoft IIS. It is also possible to use pubcookie with Zope, Tomcat and other technologies by passing credentials from Apache httpd.
The purpose of this document is to lower the skill set required to install the Pubcookie Web based Single Sign on system and using it to authenticate against a Windows 2003 Active Directory. The guide should also work for those installing against Windows 2000 Active Directory. It will discuss the two authentication flavours that can be used against the Active Directory. It will also attempt to provide future proofing of the Kerberos flavour, in that it will allow easy upgrade to Windows 2003 without encountering problems relating to older Kerberos clients (as comes with Redhat AS3.0) and Windows 2003.
It is not the intention of this guide to give a full overview of how to install Redhat AS3.0. The Redhat installation documentation is good and should be used. However this document will outline the some of the Redhat installation steps that will enable easier setup of Pubcookie. This guide will focus on administration from the command line as most web servers run "headless" (i.e. No monitor, no windows, no graphical interface) so are only administrable by command line. Command line is available in all graphical environments.
Pubcookie is a WebISO, see http://middleware.internet2.edu/webiso/ for a full definition of WebISOs and for other WebISOs available. More information can be obtained about Pubcookie at http://www.pubcookie.org/.
In order to Install and manage a Pubcookie server you will need to be able to access the following skills
A reasonable working knowledge of the Linux (or Unix) Command Line Interface (CLI);
Knowledge of how to use the Apache web server, either the 2.0.* or 1.3.* versions;
Familiarity with the concepts of https communication (certificates, keys, etc.);
Familiarity with firewalls or access to someone who is familiar, in particular with Linux iptables style firewalls;
Familiarity with the setup of Windows Active Directory, or access to someone who has those skills;
Most importantly a willingness to read around subject areas, man pages, Google, and mailing lists.
In order to be able to install Pubcookie you will require the following:
A subscription to the Redhat network for at least one slot for Redhat AS3.0;
A standard "x86" server (i.e. a standard server with standard Intel or AMD chip set as sold by Dell etc.);
The ability to synchronise system time against a network time protocol (NTP) server;
A SSL server certificate for the web server, the certificate must be valid and be signed by Certificate Authority (CA) e.g. Thawte or Verisign;
Root user access to the server;
A preexisting windows 2003 active directory as a user name password store with either kerberos or LDAP access enabled.
It is possible to install Pubcookie against any
kerberised login, or against LDAP, or Unix passwd
(/etc/shadow) and
most of this guide would still be valid for these.
However the guide will concentrate on Windows LDAP
or kerberised login as that is likely to be the
most common scenario encountered in UK Higher and
Further Education establishments.
The following assumptions have been made:
The Pubcookie login server is going to be a standalone web server that only serves Pubcookie login requests, i.e. it is not used for other secure web serving or for other tasks. As it will form the main gateway for web based logins it is imperative that it is secure as possible. The server should therefore have as few applications running as possible in order to reduce the number of potential exploits;
The shell that you are using is bourne-shell compatible: if you are using a different shell (e.g. csh, tcsh, ksh) then you will need to substitute various commands for their equivalents (e.g. 'export' becomes 'setenv', etc.). The default shell for Redhat AS3.0 is bash, which is bourne-shell compatible.
Code listings are provided within boxes like this:
$ echo hello world
File contents are provided within boxes like this:
The contents of a file
Some commands can be executed as a normal user, others are required to be executed with super user privileges. You can follow this guide entirely as the super-user, or you could use a normal user for a number of steps. For the latter case, switching between users and managing resulting permission issues is an exercise left to the reader.
To indicate which category a given command falls into, the standard bourne-shell delimiters are used, '$' for normal user, '#' for superuser:
$ echo normal user command # echo super user command