For details about Blackboard Academic Suite, please visit:
http://www.blackboard.com
For details about Vintela mod_auth_vas, please visit:
http://rc.quest.com/topics/mod_auth_vas/
I've been posting blog articles regarding various Blackboard Academic Suite and Single Sign-On (SSO) issues; for details please visit:
http://blog.cokee.org/?cat=11
Hardware/Software Specification:
- Server: Sun Fire v240
- Operating System: Sun Solaris 9 (SunOS 5.9)
- Blackboard Academic Suite 7.1: 7.1.467.28
- Mod_auth_vas: 3.4.0 (r233)
1. VAS 3.0 (or later)
2. The VAS developer kit ‘vasdev’
Please check whether 'vasdev' has been installed using the following command:
# pkginfo | grep vasdev
application vasdev Vintela Authentication Services – SDK
3. C compiler (e.g. GCC)
This package includes the GNU C, C++, and f77 suites and support files. These GCC packages require the installation of libiconv, which can be downloaded from:
Once downloaded, please use the following command to unzip the libiconv package first:
gunzip libiconv-1.11-sol9-sparc-local.gz
The unzipped file will have a name called:
libiconv-1.11-sol9-sparc-local
Install this package first by using the following command:
# pkgadd -d libiconv-1.11-sol9-sparc-local
The package will be installed using name SMCliconv. Please use the following command to verify the installation:
# pkginfo | grep libiconv
application SMCliconv libiconv
Please use this command to unzip the gcc package:
gunzip gcc-3.4.6-sol9-sparc-local.gz
The unzipped file will have a name called:
gcc-3.4.6-sol9-sparc-local
Install this package using the following command:
# pkgadd -d gcc-3.4.6-sol9-sparc-local
The package will be installed using name SMCgcc. Please use the following command to verify the installation:
# pkginfo | grep gcc
application SMCgcc gcc
4. GNU Make
Once downloaded, please use the following command to unzip the package:
gunzip make-3.81-sol9-sparc-local.gz
The unzipped file will have a name called:
make-3.81-sol9-sparc-local
Please use the following command to install Solaris GNU make package:
# pkgadd -d make-3.81-sol9-sparc-local
The package will be installed using name SMCmake. Please use the following command to verify the installation:
# pkginfo | grep make
application SMCmake make
system SUNWsprox Sun WorkShop Bundled 64-bit make library
system SUNWxcu4t XCU4 make and sccs utilities
The first line of the output indicates that the package has been installed successfully.
5. Apache HTTP Server (1.3.x)
The Blackboard Academic Suite 7.1 release comes with a bundled Apache HTTP Server 1.3.37, but its APache eXtenSion tool (APXS) was compiled with the Sun Solaris C compiler, which is not compatible with mod_auth_vas. So it's necessary to install a fresh copy of Apache HTTP Server 1.3.x for building the VAS module.
It will install a copy of Apache HTTP Server 1.3.27 in /usr/local/apache.
Once downloaded, please use the following command to unzip the file:
gunzip apache-1.3.27-sol9-sparc-local.gz
The unzipped file will have a name called:
apache-1.3.27-sol9-sparc-local
Install the Apache HTTP server by using the following command:
# pkgadd -d apache-1.3.27-sol9-sparc-local
Please use the following command to verify the installation of Apache HTTP server 1.3.27:
# pkginfo | grep apache
application SMCapache apache
Part 2: Install mod_auth_vas
1. Download the source package (the latest production release is 3.4.0 at the time of writing) from:
2. Unpack the source package using the following commands:
gunzip mod_auth_vas-3.4.0.186.tar.gz
tar xvf mod_auth_vas-3.4.0.186.tar
A folder called mod_auth_vas-3.4.0.186 will be created.
3. Change your PATH environment variable:
The mod_auth_vas installer script is not compatible with Sun Solaris 9 bash. So please put /usr/xpg4/bin in front of your PATH using the following command (I’m assuming you’re using Bash, if not, please type ‘bash’ and press ‘enter’ first):
export PATH=/usr/xpg4/bin:$PATH
Please add the newly installed GNU Make and GCC into your PATH as well by using the following command:
export PATH=/usr/local/bin:$PATH
Please add the newly installed APXS into your PATH by using the following command:
export PATH=/usr/local/apache/bin:$PATH
In order to build the module successfully, you have to put Sun's ld (in /usr/ccs/bin) in your PATH as well. The following command will make sure that you have the correct PATH variable set up:
export PATH=/usr/xpg4/bin:/usr/local/apache/bin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/ccs/bin
After this, your PATH environment variable should look like:
PATH=/usr/local/apache/bin:/usr/local/blackboard/apps/openssl/bin:/usr/local/bin:/usr/xpg4/bin:/usr/ccs/bin/:/usr/sbin:/usr/bin
4. Get the latest patch (r233)
Revision 233 of mod_auth_vas.c has several bugs fixed (bug #317, #319, #337, etc.). It can be downloaded from:
Please use mod_auth_vas.c (r233) to replace the original file in release 3.4.0.
Revision 233 introduced a new option, AuthVasRemoteUserAttr, to replace the original AuthVasLocalizeRemoteUser. So please use 'AuthVasRemoteUserAttr sAMAccountName' instead of 'AuthVasLocalizeRemoteUser On'. This change will not be finalised until the next production release.
5. Build the module
Use the following command to change your working directory to the module directory:
cd mod_auth_vas-3.4.0.186
The APXS bundled with the Apache HTTP Server 1.3.27 installed previously is written in Perl and expects to find perl at /usr/local/bin/perl. However, perl is located at /usr/bin/perl on Sun Solaris 9. So please modify the APXS script by changing its first line from:
#!/usr/local/bin/perl
To
#!/usr/bin/perl
After this, the apxs command should give you the following output:
# apxs
Usage: apxs -g [-S <var>=<val>] -n <modname>
apxs -q [-S <var>=<val>] <query> ...
apxs -c [-S <var>=<val>] [-o <dsofile>] [-D <name>[=<value>]]
[-I <incdir>] [-L <libdir>] [-l <libname>] [-Wc,<flags>]
[-Wl,<flags>] <files> ...
apxs -i [-S <var>=<val>] [-a] [-A] [-n <modname>] <dsofile> ...
apxs -e [-S <var>=<val>] [-a] [-A] [-n <modname>] <dsofile> ...
Please use the following command to run the pre-build configuration:
# ./configure
Once the pre-build configuration is done, please use the following command to build the module:
# make
The ‘make’ process should produce the Apache module called:
mod_auth_vas.so
6. Copy the newly built mod_auth_vas.so to /usr/local/blackboard/apps/httpd/libexec/ using the following commands:
# pwd
/usr/local/blackboard/apps/httpd/libexec
# cp ~/bb71/modvas/mod_auth_vas.so ./
7. Change the group ownership of mod_auth_vas.so
# chown -R bbuser:other mod_auth_vas.so
8. Copy the newly generated setup-mod_auth_vas script to /opt/quest/sbin.
# cp setup-mod_auth_vas /opt/quest/sbin/
Part 3: Blackboard configuration
1. Modify bb-config.properties in /usr/local/blackboard/config
Change bbconfig.auth.type from ‘ldap’ or ‘rdbms’ to ‘webserver’.
bbconfig.auth.type=webserver
2. Modify authentication.properties in /usr/local/blackboard/config
In Web-Server Delegation Authentication Properties section, change:
auth.type.webserver.impl=blackboard.platform.security.authentication.WindowsAuthModule
To
auth.type.webserver.impl=blackboard.platform.security.authentication.ExternalAuthModule
Change:
auth.type.webserver.def_key=UserRegistry
To
auth.type.webserver.def_key=BatchUid
3. Create HTTP service account
The HTTP service account can be created using the script provided by mod_auth_vas: setup-mod_auth_vas. By now, you should have already copied the script to /opt/quest/sbin.
Use the following command to create the new HTTP service account (please note, you need AD admin access):
sh ./setup-mod_auth_vas
Please follow the on-screen instructions, a new file called HTTP.keytab should be created in /etc/opt/quest/vas if everything is OK.
You may get an error at the end saying 'Module not loaded'. Please ignore that.
Script output:
This script checks your local configuration for properly using mod_auth_vas.
It will prompt you to create a web service object in Active Directory
if one is needed, and it will correct permissions on certain files.
Commands executed will be recorded in /tmp/mod_auth_vas-setup.log.12522
checking privileges ................... root
looking for Apache extension tool ...... /usr/local/apache/bin//apxs
looking for Apache configuration file .. /usr/local/apache/conf/httpd.conf
looking for Apache daemon group ........ nobody
looking for HTTP/ keytab ...............
This step creates a service object in Active Directory so that browsers can authenticate with this web server. You will need to know an account password that has sufficient privileges to create the new service object. Contact your systems administration staff if you do not.
Create the HTTP/ service account? [y]:
Please specify the container DN in which to create the service:
Service container DN [default]:
(Please ask your own AD admin for details.)
Credentials required to create the service account
Please login with a sufficiently privileged domain account.
Username [xxx]:
Password for xxx:
Service HTTP/ created successfully, keytab located at /etc/opt/quest/vas/HTTP.keytab.
checking new service keytab ............ found
looking for HTTP/ keytab ............... /etc/opt/quest/vas/HTTP.keytab
checking keytab is readable by nobody .. no
Change group of /etc/opt/quest/vas/HTTP.keytab to nobody? [y]:
-> fixing file mode and ownership ...... fixed
checking keytab can authenticate ....... yes
If you have clients using Internet Explorer, a known issue (KB899417) can see them suddenly being unable to authenticate after only 30 minutes. A workaround is to create SPN aliases with all the possible 'short-names' that the client could use to access this server (i.e http://short-name/). SPN aliases can also be useful for servers with multiple DNS identities.
The HTTP/ service is currently known by these SPNs (service principal names):
HTTP/xxxx
Enter a new SPN alias, or 'none' to finish [none]:
Testing whether service password expires no (good)
checking mod_auth_vas is loaded ........ no
It doesn't appear that the Apache web server is loading the VAS authentication module. This could be a problem in the configuration file (missing LoadModule or a syntax error), a mis-installation of mod_auth_vas or VAS, or perhaps this script is simply invoking the web server in the wrong way.
The command I used to detect what modules were loaded was:
/usr/local/apache/bin/httpd -f "/usr/local/apache/conf/httpd.conf" -t -e debug
-> Failed: Module not loaded. (Log written to /tmp/mod_auth_vas-setup.log.12522)
4. Change HTTP.keytab group ownership.
The Apache httpd process runs as bbuser/nobody, so please use the following command to change the group ownership of the keytab file:
# chown -R bbuser:nobody HTTP.keytab
After this, the ownership of HTTP.keytab should look like:
-rw------- 1 bbuser nobody 289 Jul 17 16:23 HTTP.keytab
5. Change HTTP.keytab permissions
The HTTP.keytab should only be readable by bbuser:
# chmod 400 HTTP.keytab
After this, the permission of HTTP.keytab should look like:
-r-------- 1 bbuser nobody 135 Aug 9 11:29 HTTP.keytab
You may want to double check the settings by using the following command to print out your service account AD attributes:
# /opt/quest/bin/vastool -u xxx attrs -s HTTP/xxxx
6. Modify Apache httpd.conf.bb in /usr/local/blackboard/apps/httpd/conf:
Please note you should never modify httpd.conf directly.
Please add the following lines in the Dynamic Shared Object (DSO) Support section:
LoadModule auth_vas_module libexec/mod_auth_vas.so
AuthVasServicePrincipal HTTP/xxx
Please add the following section to the end of httpd.conf.bb, just before the Apache-Tomcat Configuration section:
#mod_auth_vas
<Location "/">
AuthType VAS
Require valid-user
AuthVasRemoteUserMap ldap-attr sAMAccountName
AuthVasUseBasic On
AuthVasUseNegotiate On
# Specific networks can be added here to enable Negotiate authentication selectively. Format: network/subnet mask
</Location>
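As an added pre-flight check (example code written for this post, not Blackboard's or mod_auth_vas' own tooling), the following POSIX sh script verifies the Part 3 settings end to end: the two properties changes, the keytab owner/group/mode, and the httpd.conf.bb directives. It assumes the directory layout used above (Blackboard under /usr/local/blackboard, keytab at /etc/opt/quest/vas/HTTP.keytab, httpd running as bbuser:nobody); the file paths and names are passed in, so other layouts work too.

```shell
#!/bin/sh
# Pre-flight check for the Part 3 settings above: Blackboard properties,
# keytab ownership/mode and the httpd.conf.bb directives. Constructed for
# this post, not part of mod_auth_vas or Blackboard. Prints one line per
# finding and returns the number of failures (0 = everything matches).
#   check_sso_setup /usr/local/blackboard /etc/opt/quest/vas/HTTP.keytab bbuser nobody
fail() { echo "FAIL: $1"; cv_fail=$((cv_fail + 1)); }

# prop FILE KEY VALUE: fail unless FILE contains the exact line KEY=VALUE
prop() {
    pr_re=$(printf '%s=%s' "$2" "$3" | sed 's/\./\\./g')   # match dots literally
    grep -q "^$pr_re\$" "$1" 2>/dev/null || fail "$2 is not $3 in $1"
}
# directive FILE REGEX DESCRIPTION: fail unless some line of FILE matches REGEX
directive() { grep -q "$2" "$1" 2>/dev/null || fail "$3"; }

check_sso_setup() {
    cv_home=$1; cv_keytab=$2; cv_owner=$3; cv_group=$4; cv_fail=0
    cv_cfg=$cv_home/config; cv_httpd=$cv_home/apps/httpd/conf/httpd.conf.bb

    # Steps 1-2: authentication is delegated to the web server module
    prop "$cv_cfg/bb-config.properties" bbconfig.auth.type webserver
    prop "$cv_cfg/authentication.properties" auth.type.webserver.impl \
         blackboard.platform.security.authentication.ExternalAuthModule
    prop "$cv_cfg/authentication.properties" auth.type.webserver.def_key BatchUid

    # Steps 4-5: keytab readable only by the httpd user. ls -l is used because
    # stat(1) options differ between Solaris and GNU; fields: mode links owner group
    set -- $(ls -ld "$cv_keytab" 2>/dev/null)
    cv_mode=$(printf '%s' "$1" | cut -c1-10)   # drop ACL/SELinux suffix (+ or .)
    if [ -z "$cv_mode" ]; then
        fail "$cv_keytab not found"
    else
        [ "$cv_mode" = "-r--------" ] || fail "$cv_keytab mode is $cv_mode, want -r-------- (chmod 400)"
        [ "$3" = "$cv_owner" ] && [ "$4" = "$cv_group" ] || fail "$cv_keytab is $3:$4, want $cv_owner:$cv_group"
    fi

    # Step 6: module loaded, SPN set, and "/" protected with VAS authentication
    directive "$cv_httpd" '^LoadModule[[:space:]]*auth_vas_module' "LoadModule auth_vas_module missing"
    directive "$cv_httpd" '^AuthVasServicePrincipal[[:space:]]*HTTP/' "AuthVasServicePrincipal HTTP/... missing"
    directive "$cv_httpd" '^[[:space:]]*AuthType[[:space:]]*VAS' "AuthType VAS missing"
    directive "$cv_httpd" '^[[:space:]]*Require[[:space:]]*valid-user' "Require valid-user missing"
    # r233 superseded AuthVasLocalizeRemoteUser; flag it if it is still present
    grep -q '^[[:space:]]*AuthVasLocalizeRemoteUser' "$cv_httpd" 2>/dev/null \
        && fail "AuthVasLocalizeRemoteUser present; replaced in r233"
    return $cv_fail
}
```

Run it after step 6 and again after every Blackboard upgrade, since the installer regenerates httpd.conf from httpd.conf.bb and may reset ownership on the config tree.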