Configuring www User Authentication

Follow these procedures to configure the www no-login user account so that it can run the appropriate authentication services for the Apache web server.


Background

The Apache web server runs as the www user and is configured to make a socket based request to a custom mod_auth_sok module.

The C code that implements the mod_auth_sok module is compiled into authApacheDaemon, which runs as a daemon process with two instances. The daemon uses two semaphores and a chunk of shared memory to store all user credentials that have already been authenticated against the database. This shared memory is protected with read/write permissions for the owning user only. The owning user is the user that initially creates the shared memory; in this case it will be the www user. The www user must create the shared memory so that the Apache daemon, which also runs as www, can invoke the logout.cgi script as www, which then modifies the shared memory.

Cron is configured under the www user to run every 15 minutes and invoke the authCleanCron.sh script which in turn invokes the cleanAuthApache C program to scan the shared memory segment looking for any user credentials that have 'expired'. All expired entries are removed from shared memory.

When a user accesses the members section of the GNW website the Apache web server responds with an authentication challenge. Once the user enters his/her credentials they are passed along to the authApacheDaemon via a socket call. The authApacheDaemon then looks up the user in shared memory. If the user is not found, the daemon queries the database and verifies the password. Once the user has been verified, the user entry is stored in shared memory and its last-accessed time is updated.

When a user attempts to log out, the web server invokes the logout.cgi program. This program finds the user entry in shared memory and sets its last-accessed time to a point far enough in the past to be considered expired. Then one of two things will occur: either the cron job will remove the expired user entry, or the user will log back in again.
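The shared memory and semaphores described above are only as safe as their IPC permissions, and the sudoers entries below hand vwpoint the ipcs and ipcrm commands for exactly this kind of inspection. The following is an added example, not code from the original page or the GNW tooling: it parses ipcs(1) output and flags any segment or semaphore array owned by www whose mode grants group or other access. The column layout assumed is the Linux one (key, id, owner, perms, ...), and the sample output is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original page or the GNW tooling): check that
# the System V shared memory segment and the two semaphores authApacheDaemon
# creates belong to www and are mode 600, i.e. readable and writable by the
# owning user only. Assumes the Linux ipcs(1) column layout:
#   key shmid owner perms bytes nattch status     (ipcs -m)
#   key semid owner perms nsems                   (ipcs -s)

# Print "<id> <perms>" for each entry owned by $1 in the ipcs text $2 whose
# octal mode grants any group or other access (last two digits not "00").
loose_ipc_perms() {
    printf '%s\n' "$2" | awk -v owner="$1" '
        $3 == owner && $4 ~ /^[0-7]+$/ {
            if (substr($4, length($4) - 1) != "00") print $2, $4
        }'
}

# Print the number of entries owned by $1 in the ipcs text $2.
ipc_count_for_owner() {
    printf '%s\n' "$2" | awk -v owner="$1" '$3 == owner { n++ } END { print n + 0 }'
}

# Constructed sample output (not from a real host): one correctly protected
# www segment, one world-writable www segment and one root-owned segment.
SAMPLE_SHM='------ Shared Memory Segments --------
key        shmid      owner      perms      bytes      nattch     status
0x00000000 32768      www        600        65536      2
0x00000000 65537      www        666        65536      1
0x0052e2c1 98306      root       644        4096       0'

# Constructed sample: the two semaphore arrays the daemon is described as using.
SAMPLE_SEM='------ Semaphore Arrays --------
key        semid      owner      perms      nsems
0x00000000 0          www        600        1
0x00000000 1          www        600        1'

# On a live host replace the samples with "$(ipcs -m)" and "$(ipcs -s)".
echo "www segments with group/other access (expect none on a healthy host):"
loose_ipc_perms www "$SAMPLE_SHM"
echo "semaphore arrays owned by www: $(ipc_count_for_owner www "$SAMPLE_SEM")"
```

Run it as www (or as vwpoint through the sudo rule) after startAuthApacheDaemon.sh has been invoked; a segment reported by loose_ipc_perms means the credential cache can be read or modified by accounts other than www, and a semaphore count other than two usually means a previous daemon instance left arrays behind that removeSemaphores.sh should clean up.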


Configuration

As root execute the visudo command and create the following entries.

# Host alias specification 
Host_Alias XXHOST=testserver

# User alias specification
User_Alias XXUSER=vwpoint

# Cmnd alias specification
Cmnd_Alias XXCMD=/home/www/viewPoint/bin/authCleanCron.sh, /home/www/viewPoint/bin/startAuthApacheDaemon.sh, /home/www/viewPoint/bin/removeSemaphores.sh, /usr/bin/ipcs, /usr/bin/ipcrm, /bin/bash

# Runas alias specification
Runas_Alias XXRUNAS=www

# Defaults specification
Defaults env_reset

# User privilege specification
root    ALL=(ALL) ALL

XXUSER XXHOST=(XXRUNAS) NOPASSWD: XXCMD

As root, set up the www user so it is a no-login user.

Configure the /usr/local/apache/conf/httpd.conf file so that the server runs as user www and group www.

Login as the www user.

Edit .bash_profile and add the following environment variables.

# GNW specific environment and startup programs 
. /usr/i386-glibc21-linux/bin/i386-glibc21-linux-env.sh
export LD_ASSUME_KERNEL=2.2.5
export ORACLE_BASE=/raid/oracle
export ORACLE_HOME=$ORACLE_BASE/product/8.1.7
export ORA_NLS33=$ORACLE_HOME/ocommon/nls/admin/data
export ORACLE_SID=dvpointp
export VIEWPOINT=${HOME}/viewPoint
export LOGNAME=vwpoint
export GNW_DBTZ=CST6CDT
export GNW_DBSERVER=10.199.199.120
export GNW_SERVERLEVEL=main
export EDITOR=vi
export PATH=$ORACLE_HOME/bin:$ORACLE_HOME/ctx/lib:/usr/bin:/bin:/usr/local/bin:$VIEWPOINT/bin:$PATH
export LD_LIBRARY_PATH=$ORACLE_HOME/lib:/usr/lib:/lib:/usr/local/lib:$LD_LIBRARY_PATH

Create the viewPoint and viewPoint/bin subfolders. Copy the following executables and scripts from the appropriate production (or test or dev) environment's $VIEWPOINT/bin directory.

authApacheDaemon   
authCleanCron.sh  
cleanAuthApache  
removeSemaphores.sh  
startAuthApacheDaemon.sh

Create the following entry in cron. Type the command crontab -e.

# cleans the login info 
# Machine: S, HS, B
5,20,35,50 * * * * . /home/www/.bash_profile; /home/www/viewPoint/bin/authCleanCron.sh

Login as the vwpoint user and change your working directory to /cdrive/web/netwatch/html/members. In this folder you need to update the following files from the latest production (or test or dev) environment.

logout.cgi 
gnwhome.part
member2.htm
images/x/nav7up.gif
images/x/nav7over.gif

Likewise, change directory to $VIEWPOINT/bin and update the following scripts.

stopNetWatchServer.sh 
startNetWatchServer.sh
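The steps above touch four things that are easy to get subtly wrong: the sudoers aliases, the www account's shell, the User/Group directives in httpd.conf and the crontab schedule. The following is an added example, not part of the original page or the GNW scripts, that checks each of them from file contents passed in as text, so it runs against the constructed samples embedded here and, by swapping in the real files, against the host. Note what the sudoers check reports for the page's own XXCMD alias: it contains /bin/bash, and with NOPASSWD on that alias the narrower script entries add nothing, since vwpoint can obtain an unrestricted shell as www. The shell list and sample passwd line are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the original page): audit helpers for the
# configuration steps above. Each function takes file contents as text, so on
# a live host pass e.g. "$(sudo cat /etc/sudoers)", "$(getent passwd www)",
# "$(cat /usr/local/apache/conf/httpd.conf)" or "$(crontab -l)".

# Print "<alias> <command>" for every Cmnd_Alias member that is a shell.
# Assumption: the interpreter names below are the ones worth flagging.
shells_in_cmnd_aliases() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*Cmnd_Alias[ \t]/ {
            line = $0
            sub(/^[ \t]*Cmnd_Alias[ \t]+/, "", line)
            eq = index(line, "=")
            alias = substr(line, 1, eq - 1)
            n = split(substr(line, eq + 1), cmd, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmd[i])
                if (cmd[i] ~ /\/(sh|bash|dash|ksh|zsh|csh|tcsh)$/) print alias, cmd[i]
            }
        }'
}

# Return 0 when the passwd(5) line $1 gives the account a no-login shell.
has_nologin_shell() {
    case "${1##*:}" in
        */nologin|/bin/false|/usr/bin/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 when the httpd.conf text $1 runs the server as user www, group www.
httpd_runs_as_www() {
    printf '%s\n' "$1" | awk '
        $1 == "User"  && $2 == "www" { u = 1 }
        $1 == "Group" && $2 == "www" { g = 1 }
        END { exit !(u && g) }'
}

# Return 0 when the crontab text $1 runs authCleanCron.sh four times an hour
# at 15-minute spacing, which is what the background section describes.
cron_cleans_every_15min() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        /authCleanCron\.sh/ && $2 == "*" {
            n = split($1, m, ",")
            ok = (n == 4)
            for (i = 2; i <= n; i++) if (m[i] - m[i-1] != 15) ok = 0
            if (ok) found = 1
        }
        END { exit !found }'
}

# Constructed samples: the sudoers and crontab text follow the page; the
# passwd line and httpd.conf fragment are made up for this example.
SUDOERS_SAMPLE='Cmnd_Alias XXCMD=/home/www/viewPoint/bin/authCleanCron.sh, /home/www/viewPoint/bin/startAuthApacheDaemon.sh, /home/www/viewPoint/bin/removeSemaphores.sh, /usr/bin/ipcs, /usr/bin/ipcrm, /bin/bash
Runas_Alias XXRUNAS=www
XXUSER XXHOST=(XXRUNAS) NOPASSWD: XXCMD'
PASSWD_SAMPLE='www:x:80:80:Apache:/home/www:/sbin/nologin'
HTTPD_SAMPLE='User www
Group www'
CRON_SAMPLE='# cleans the login info
5,20,35,50 * * * * . /home/www/.bash_profile; /home/www/viewPoint/bin/authCleanCron.sh'

echo "shells reachable through Cmnd_Alias entries:"
shells_in_cmnd_aliases "$SUDOERS_SAMPLE"
has_nologin_shell "$PASSWD_SAMPLE" && echo "www has a no-login shell"
httpd_runs_as_www "$HTTPD_SAMPLE" && echo "httpd runs as www:www"
cron_cleans_every_15min "$CRON_SAMPLE" && echo "cleanup cron runs every 15 minutes"
```

Each function exits non-zero when its check fails, so the calls can be chained in a post-install script. If the audit flags /bin/bash and the shell access is not actually needed, remove it from the Cmnd_Alias so the NOPASSWD rule covers only the listed scripts and the ipcs/ipcrm commands.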

Configuring www User Authentication (last edited 2006-03-09 17:10:07 by mark)