
Adding SFU's CAS support to Apache on Mac OS X Snow Leopard / Mountain Lion

These directions are directly taken from information by Ray Davison (SFU ICAT, IT Services) and extensive help from Derek Warren (IT Services) but any error, confusion or ambiguity is completely my own.  They are also getting out of date...

You need the Developer tools (Xcode) from Apple installed (with Mountain Lion & Lion you need to go to Xcode preferences and install the command line tools). TextWrangler will make changes much easier. Any Mac will work as a web server; Apache is built in. To turn it on, go to System Preferences/Sharing and check the 'Web Sharing' box. Please email cas-help@sfu.ca so they know you are using CAS and can inform you of any changes. Please email me with any corrections or suggestions.

Download a copy of mod_auth_cas, which you can get from http://www.sfu.ca/itservices/publishing/enhanced_web_publishing/cas/apache_module.html. More information about CAS is at SFU's CAS pages. When you download that on your Mac, it should untar so you will end up with a mod_auth_cas_sfu-1.0.8 directory. Open Terminal and type cd [space] and then drag the src folder within the mod_auth_cas_sfu-1.0.8 folder to the Terminal window. Hit return, which will put you in the directory with the source code. Compile it with:

sudo /usr/sbin/apxs -i -c mod_auth_cas.c
If this does not work, you can check where apxs is by using:
which apxs

Create a new directory to save cached logins:

sudo mkdir /etc/apache2/cas
sudo chown -R _www /etc/apache2/cas

In Terminal, open the folder that contains the httpd.conf file, /private/etc/apache2/ [in Tiger it is in /private/etc/httpd/ ]:

open /private/etc/apache2/
Then back up httpd.conf and open it in TextWrangler.

Download this httpd.conf.txt (from Snow Leopard) and use TextWrangler to do a side-by-side comparison with the original [Search/Compare Two Front Documents] and make modifications to your Apache config...
Comment out five LoadModule lines: mod_authz_groupfile.so, mod_authz_user.so, mod_authz_dbm.so, mod_auth_basic.so, mod_auth_digest.so. (In Mountain Lion I also commented out mod_authn_default.so.)

Give the explicit path for mod_auth_cas.so e.g.

LoadModule auth_cas_module  /usr/libexec/apache2/mod_auth_cas.so
and modify the cookie path:
CASCookiePath /usr/local/apache2/cas/

Change

AllowOverride None
to
AllowOverride AuthConfig
(in several places, depending on what you are doing).

Finally, to activate your changes, go to System Preferences and turn off Web Sharing, then turn it back on.
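
The edits above can be checked before Apache is restarted. The shell functions below are an added example, not part of the original directions or of mod_auth_cas; the function names are hypothetical, and the default config path and the _www owner are the ones used on this page. They report a CASCookiePath that is missing or does not name an existing directory owned by the web server user (worth comparing with the /etc/apache2/cas directory created earlier), and any of the five LoadModule lines that is still active.

```shell
#!/bin/sh
# Added example (not from the original directions): audit httpd.conf against
# the steps on this page. Function names are hypothetical.
# Usage: sh cas_audit.sh /private/etc/apache2/httpd.conf _www

# Modules the page says to comment out (add mod_authn_default on Mountain Lion).
CONFLICTING="mod_authz_groupfile mod_authz_user mod_authz_dbm mod_auth_basic mod_auth_digest"

# Print the value of the last active (uncommented) CASCookiePath directive.
cas_cookie_path() {
    awk '$1 == "CASCookiePath" { p = $2 } END { if (p != "") print p }' "$1"
}

# Print each module in $CONFLICTING whose LoadModule line is still active.
active_conflicting_modules() {
    for m in $CONFLICTING; do
        if grep -Eq "^[[:space:]]*LoadModule[[:space:]].*[[:space:]/]${m}\.so" "$1"; then
            echo "$m"
        fi
    done
}

# The cache directory must be configured, exist, and belong to the web server user.
check_cas_cache() {
    dir=$(cas_cookie_path "$1")
    if [ -z "$dir" ]; then echo "FAIL: no CASCookiePath in $1"; return 1; fi
    if [ ! -d "$dir" ]; then echo "FAIL: $dir does not exist"; return 1; fi
    if [ -z "$(find "$dir" -prune -user "$2" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not owned by $2"; return 1
    fi
    echo "OK: CASCookiePath $dir"
}

# Run both checks; return non-zero if either reports a problem.
audit() {
    conf=${1:-/private/etc/apache2/httpd.conf}; owner=${2:-_www}; rc=0
    check_cas_cache "$conf" "$owner" || rc=1
    for mod in $(active_conflicting_modules "$conf"); do
        echo "FAIL: LoadModule for $mod is still active"; rc=1
    done
    return $rc
}

if [ $# -gt 0 ]; then audit "$@"; fi
```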

Go to http://www.sfu.ca/itservices/cas/htaccess.html and htaccess.html for how to control access.

Sample contents of .htaccess file (you will have to change the path of AuthUserFile /pathto/.htpasswd):

AuthType CAS
AuthName "login as SFU user or webapplicant"
AuthUserFile /Library/WebServer/Documents/YourPath/.htpasswd
require valid-sfu-user
require valid-user

Contents of .htpasswd file (webapplicant is both username and password here):

webapplicant:snxXBvTU7Z8lg

Problems? Check the Console for error messages (go to Applications/Utilities, or just type Console in Spotlight). From Ray: some things to keep in mind when testing:

    1) CAS sets a cookie when you login so that single signon works. This means if you want to test logging in with different accounts, you need to clear the cookie. This can be done by visiting the logout page at:
    	https://cas.sfu.ca/cgi-bin/WebObjects/cas.woa/wa/logout
    

    2) The mod_auth_cas module also caches logins so that if you have a web page with a bunch of images it doesn't repeatedly hit CAS to authenticate each of the images. This means that once you have logged in to a protected web page with one account, you can't test with another account even if you log out of CAS because the module has cached your login. To return things back to a clean state you need to stop Apache and empty the cache directory (/etc/apache2/cas in your case). Then restart Apache.


When I went to the server website (e.g. fmp.biol.sfu.ca/ta_applications/) I was redirected to the server name https://cas.sfu.ca/cgi-bin/WebObjects/cas.woa/wa/login?service=http%3a%2f%2fBiology-Filemaker-Sciencess-Mac-mini.local%2fta_applications...

Console told me...
httpd: Could not reliably determine the server's fully qualified domain name, using... for ServerName
so I just went into System Preferences, stopped and restarted the web server (duh...). This can also be done in Terminal, and must be done in Terminal in Lion & Mountain Lion. The command for restarting (stopping/restarting) the web server is:

 sudo apachectl graceful

It is not worth spending any more time on these instructions. Tell me of any errors so I can correct them. Feel free to ask me for help. Ray Davison is the person to ask about CAS.