A student team wants to use CAS (Central Authorization System) for their mobile web app. Installation isn’t trivial:
1. The correct version of the Apache module needs to be installed and some configuration files/directories modified.
2. Before that, we have to enable the EPEL repo, where the Apache module can be found. That seems like a good thing to do in any case. To do that, I found the RPM that holds the definition of the repo, namely epel-release-6-7.noarch.rpm. Unfortunately, when I tried to install that, it failed:
    [root@puma ~] yum -y localinstall /tmp/epel-release-6-7.noarch.rpm
    Loaded plugins: downloadonly, fastestmirror, security
    Setting up Local Package Process
    Examining /tmp/epel-release-6-7.noarch.rpm: epel-release-6-7.noarch
    Marking /tmp/epel-release-6-7.noarch.rpm to be installed
    Loading mirror speeds from cached hostfile
     * base: mirror.metrocast.net
     * extras: centos.mirror.nac.net
     * updates: mirror.7x24web.net
    Resolving Dependencies
    --> Running transaction check
    ---> Package epel-release.noarch 0:6-7 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package          Arch      Version    Repository                      Size
    ================================================================================
    Installing:
     epel-release     noarch    6-7        /epel-release-6-7.noarch        22 k

    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    Upgrade       0 Package(s)

    Total size: 22 k
    Downloading Packages:
    warning: rpmts_HdrFromFdno: Header V3 RSA/SHA256 signature: NOKEY, key ID 0608b895

    Public key for epel-release-6-7.noarch.rpm is not installed
    [root@puma ~] rpm -ivh /tmp/epel-release-6-7.noarch.rpm
    warning: /tmp/epel-release-6-7.noarch.rpm: Header V3 RSA/SHA256 signature: NOKEY, key ID 0608b895
    error: Failed dependencies:
        rpmlib(FileDigests) <= 4.6.0-1 is needed by epel-release-6-7.noarch
        rpmlib(PayloadIsXz) <= 5.2-1 is needed by epel-release-6-7.noarch
    [root@puma ~] rpm --checksig /tmp/epel-release-6-7.noarch.rpm
    /tmp/epel-release-6-7.noarch.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#0608b895)
    [root@puma ~]
So, the problem seems to be in verifying the signature. So, let’s try to do that. I went to https://fedoraproject.org/keys and downloaded a text file for EPEL-6, which fortunately has the “0608b895” number associated with it that the rpm --checksig command indicated. I downloaded that as a text file and put it in /tmp:
    [root@puma ~] rpm --import /tmp/0608B895.txt
No complaints yet! Let’s try the --checksig:
    [root@puma ~] rpm --checksig /tmp/epel-release-6-7.noarch.rpm
    /tmp/epel-release-6-7.noarch.rpm: rsa sha1 (md5) pgp md5 OK
That’s good. Now the installation. Shall we try yum?
    [root@puma ~] yum -y localinstall /tmp/epel-release-6-7.noarch.rpm
    ...
    Running rpm_check_debug
    ERROR with rpm_check_debug vs depsolve:
    rpmlib(FileDigests) is needed by epel-release-6-7.noarch
    rpmlib(PayloadIsXz) is needed by epel-release-6-7.noarch
    Complete!
    (1, [u'Please report this error in http://bugs.centos.org/yum5bug'])
    [root@puma ~]
Okay, so that’s no good. Investigating further, I found an explanation. Ah, I forgot that Puma is still at CentOS 5 (we eventually want it to be at CentOS 6.3, to match Tempest).
    [root@puma tmp] rpm -Uvh http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    Retrieving http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    error: skipping http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm - transfer failed - Unknown or unexpected error
    warning: u 0x12f9fb00 ctrl 0x12fa2890 nrefs != 0 (download.fedoraproject.org http)
    [root@puma tmp]
Well, that stinks. Let’s try wget:
    [root@puma tmp] wget http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    --2012-07-19 11:36:07-- http://download.fedoraproject.org/pub/epel/5/x86_64/epel-release-5-4.noarch.rpm
    Resolving download.fedoraproject.org... 152.19.134.146, 140.211.169.197, 209.132.181.16, ...
    Connecting to download.fedoraproject.org|152.19.134.146|:80... connected.
    HTTP request sent, awaiting response... 302 FOUND
    Location: http://mirrors.einstein.yu.edu/epel/5/x86_64/epel-release-5-4.noarch.rpm [following]
    --2012-07-19 11:36:08-- http://mirrors.einstein.yu.edu/epel/5/x86_64/epel-release-5-4.noarch.rpm
    Resolving mirrors.einstein.yu.edu... 129.98.1.19, 129.98.1.27
    Connecting to mirrors.einstein.yu.edu|129.98.1.19|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 12232 (12K) [application/x-rpm]
    Saving to: `epel-release-5-4.noarch.rpm'

    2012-07-19 11:36:08 (437 KB/s) - `epel-release-5-4.noarch.rpm' saved [12232/12232]

    [root@puma tmp] ls -l epel-release-5-4.noarch.rpm
    -rw-rw---- 1 root root 12232 Aug 12 2010 epel-release-5-4.noarch.rpm
Okay, that’s better. Let’s try yum install again:
    [root@puma tmp] yum -y localinstall epel-release-5-4.noarch.rpm
… failed
Could it be the keys problem again? Yes:
    [root@puma tmp] rpm --checksig /tmp/epel-release-5-4.noarch.rpm
    /tmp/epel-release-5-4.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#217521f6)
Okay, let’s get that one:
    [root@puma tmp] wget http://fedoraproject.org/static/217521F6.txt
    --2012-07-19 11:41:47-- http://fedoraproject.org/static/217521F6.txt
    Resolving fedoraproject.org... 152.19.134.146, 140.211.169.197, 209.132.181.16, ...
    Connecting to fedoraproject.org|152.19.134.146|:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 1820 (1.8K) [text/plain]
    Saving to: `217521F6.txt'

    100%[==========================================>] 1,820 --.-K/s in 0s

    2012-07-19 11:41:47 (59.9 MB/s) - `217521F6.txt' saved [1820/1820]

    [root@puma tmp] rpm --import 217521F6.txt
    [root@puma tmp]
Okay, does the signature verify now?
    rpm --checksig /tmp/epel-release-5-4.noarch.rpm
    /tmp/epel-release-5-4.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
    [root@puma tmp]
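The `rpm --checksig` lines above can be turned into an install gate. This is an added example, not part of the original post: the function names are hypothetical, the key-ID list holds only the two IDs seen in these sessions, and the last sample line is constructed to show that a package with no signature at all also ends in "OK".

```shell
#!/bin/sh
# Added example: classify one line of `rpm --checksig` output before installing.
# The two key IDs are the ones that appear in this post; trusting them still
# depends on checking each key's full fingerprint out of band before import.
TRUSTED_KEY_IDS="0608b895 217521f6"

# Prints: signed-ok | unsigned | missing-known:<id> | missing-unknown:<id> | bad
classify_checksig() {
    cs_result="${1#*: }"                      # strip the leading "<file>: "
    case "$cs_result" in
        *"MISSING KEYS:"*)
            cs_id=$(printf '%s\n' "$cs_result" |
                sed -n 's/.*MISSING KEYS:[^#]*#\([0-9A-Fa-f]\{8\}\).*/\1/p' |
                tr 'A-F' 'a-f')
            case " $TRUSTED_KEY_IDS " in
                *" $cs_id "*) echo "missing-known:$cs_id" ;;
                *)            echo "missing-unknown:$cs_id" ;;
            esac ;;
        *"NOT OK"*) echo "bad" ;;
        *" OK")
            # A lowercase rsa/dsa/pgp/gpg token means a signature was verified.
            # Digests alone (e.g. "sha1 md5 OK") mean the package is unsigned.
            case " $cs_result " in
                *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*) echo "signed-ok" ;;
                *) echo "unsigned" ;;
            esac ;;
        *) echo "bad" ;;
    esac
}

# Only a verified signature is allowed through to the install step.
safe_to_install() { [ "$(classify_checksig "$1")" = "signed-ok" ]; }

# Sample lines: the first four are from the sessions above, the last is constructed.
while IFS= read -r line; do
    printf '%-24s %s\n' "$(classify_checksig "$line")" "$line"
done <<'EOF'
/tmp/epel-release-6-7.noarch.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#0608b895)
/tmp/epel-release-6-7.noarch.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/epel-release-5-4.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#217521f6)
/tmp/epel-release-5-4.noarch.rpm: (sha1) dsa sha1 md5 gpg OK
/tmp/constructed-unsigned.rpm: sha1 md5 OK
EOF
```

A `missing-known` result means the key still has to be imported; `missing-unknown` and `unsigned` are the cases to stop on rather than work around.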
Whew! Let’s see if we can install it.
    [root@puma tmp] yum -y localinstall epel-release-5-4.noarch.rpm
    Loaded plugins: downloadonly, fastestmirror, security
    Setting up Local Package Process
    Examining epel-release-5-4.noarch.rpm: epel-release-5-4.noarch
    Marking epel-release-5-4.noarch.rpm to be installed
    Loading mirror speeds from cached hostfile
     * base: mirror.metrocast.net
     * extras: centos.mirror.nac.net
     * updates: mirror.7x24web.net
    Resolving Dependencies
    --> Running transaction check
    ---> Package epel-release.noarch 0:5-4 set to be updated
    --> Finished Dependency Resolution

    Dependencies Resolved

    ================================================================================
     Package          Arch      Version    Repository                      Size
    ================================================================================
    Installing:
     epel-release     noarch    5-4        /epel-release-5-4.noarch        0.0

    Transaction Summary
    ================================================================================
    Install       1 Package(s)
    Upgrade       0 Package(s)

    Downloading Packages:
    Running rpm_check_debug
    Running Transaction Test
    Finished Transaction Test
    Transaction Test Succeeded
    Running Transaction
      Installing : epel-release 1/1

    Installed:
      epel-release.noarch 0:5-4

    Complete!
    [root@puma tmp]
Amazing. Just to confirm:
    ls /etc/yum.repos.d/
    CentOS-Base.repo       CentOS-Vault.repo  mirrors-rpmforge          rpmforge.repo      rpmforge.repo.~2~  utterramblings.repo
    CentOS-Debuginfo.repo  epel.repo          mirrors-rpmforge-extras   rpmforge.repo~     rpmforge.repo.~3~  utterramblings.repo~
    CentOS-Media.repo      epel-testing.repo  mirrors-rpmforge-testing  rpmforge.repo.~1~  rpmforge.repo.old
    [root@puma tmp]
I’m going to go ahead and update using EPEL, since it’s updating stuff we use, like denyhosts and R.
    [root@puma tmp] yum -y update
Hmm. The update of R-devel failed, which makes me unhappy. I’m going to disable this repo by default. (Edit the file /etc/yum.repos.d/epel.repo and set enabled=0 where it says enabled=1).
Now, let’s get back to the task at hand. Can we now install mod_auth_cas?
    [root@puma tmp] yum -y install --enablerepo=epel mod_auth_cas
    ...
    Installed:
      mod_auth_cas.x86_64 0:1.0.8.1-2.el5

    Complete!
    [root@puma tmp]
Whew!
On the advice of that installation guide above, I also installed the ldap authorization module, though I think we won’t be using it:
    yum install mod_authz_ldap
Next, I’m happy to do the renaming the instructions suggested, though I think the default order will still work. I did that, and I also created the /var/lib/cas directory as they directed. However, the latter step caused Apache to fail. The error message in the log was:
    [Thu Jul 19 12:04:15 2012] [notice] SELinux policy enabled; httpd running as context user_u:system_r:httpd_t:s0
    [Thu Jul 19 12:04:15 2012] [notice] suEXEC mechanism enabled (wrapper: /usr/sbin/suexec)
    [Thu Jul 19 12:04:16 2012] [error] MOD_AUTH_CAS: CASCookiePath '/dev/null' is not a directory or does not end in a trailing '/'! Configuration Failed
    [root@puma lib] cd /etc/httpd/conf.d/
I’m assuming this is due to the missing lines in the mod_auth_cas.conf file. The file as installed from EPEL is only the first 6 lines of the contents described in those directions, and the CASCookiePath mentioned in the error message and in the missing lines of the file suggested that that was the trouble. Indeed it was. Still, I think the “example.com” URLs will have to be edited, presumably with the URL of some CAS server that LTS maintains.
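The startup error above can be caught before restarting Apache. This is an added example, not from the original post or the mod_auth_cas project: the function name is hypothetical, the config files and directory are constructed, and the check that other users have no access to the cookie directory is an added hardening assumption.

```shell
#!/bin/sh
# Added example: preflight for the "CASCookiePath ... is not a directory or does
# not end in a trailing '/'" startup error quoted above.
# Prints: ok | unset | no-trailing-slash | not-a-directory | world-accessible
check_cas_cookie_path() {
    # Simplification: matches the directive as spelled here and an unquoted path.
    ccp_path=$(sed -n \
        's/^[[:space:]]*CASCookiePath[[:space:]][[:space:]]*\([^[:space:]]*\).*/\1/p' \
        "$1" | tail -n 1)
    # With no directive, the module reported '/dev/null' in the log above.
    [ -n "$ccp_path" ] || { echo unset; return 1; }
    case "$ccp_path" in
        */) ;;
        *)  echo no-trailing-slash; return 1 ;;
    esac
    [ -d "$ccp_path" ] || { echo not-a-directory; return 1; }
    # Added hardening assumption: other local users get no access to the cache.
    [ "$(ls -ld "$ccp_path" | cut -c8-10)" = "---" ] ||
        { echo world-accessible; return 1; }
    echo ok
}

# Constructed demo: a throwaway directory stands in for /var/lib/cas/.
demo=$(mktemp -d)
mkdir -m 700 "$demo/cas"
printf '# constructed: no CASCookiePath directive here\n' > "$demo/unset.conf"
printf 'CASCookiePath %s\n' "$demo/cas"  > "$demo/noslash.conf"
printf 'CASCookiePath %s\n' "$demo/cas/" > "$demo/good.conf"
for f in unset noslash good; do
    printf '%-8s %s\n' "$f" "$(check_cas_cookie_path "$demo/$f.conf")"
done
rm -rf "$demo"
```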
So much still to learn!