Article

(View Disclaimer)

Introduction

Note: This article builds on NAM Open Lab, Part 1:
http://www.novell.com/coolsolutions/feature/18441.html

In this Novell Access Manager Open Lab (Part 2) we will:

1. Add Apache and PHP.

2. Set up some of the Digital Airlines websites that have been made available by Novell.

We will do this on top of the Access Manager "all on one" installation from the previous lab. Next, we will configure apache to authenticate users against eDirectory. We will use the embedded eDirectory of Novell Access Manager, so we won't need any additional servers or vm's for this setup.

What You Need

• A working "all on one" Novell Access Manager installation from the previous Open Lab
  (http://www.novell.com/coolsolutions/feature/18441....)
• The test/demo websites from:
  http://developer.novell.com/wiki/index.php/Nam-demos
• SLES 9 cd's (or a source for apache2-2.0.49-27.8.i586.rpm and other files). If you are a Novell partner, you should be able to download them from: http://support.novell.com/subscriptions/portal/spc

Recommended Reading

Example Protected Web Site (we will use these examples):
http://www.novell.com/documentation/novellaccessmanager/pdfdoc/digiairexample/
digiairexample.pdf

Step 1: Adding Apache2 and PHP to the image

Note: Adding RPMs to an image-install will break the support conditions. This is only a sandbox setup for testing/demo purposes.

1. Verify the SUSE version that has been installed by Access Manager:

cat /etc/SuSE-release
	SUSE LINUX Enterprise Server 9 (i586)
	VERSION = 9
	PATCHLEVEL = 3

This is SLES 9 SP3.

2. On a virtual machine, set the CD to a physical CD and insert the SLES9 CD2 (or use another source for the required files).

3. From a terminal command line, start Yast (in text mode).

4. Enter the following commands:

Software
Change Source of Installation
Edit
refresh
Finish

5. Enter these commands:

Install and Remove Software
Ignore All dependencies (we want to interfere as little as possible with the image install of Access Manager)
Search: apache2

6. Select the following files:

apache2 2.0.49
apache2-prefork 2.0.49
apache2-worker 2.0.49
apache2-mod_php4 4.3.4

7. Enter "Accept".

8. Enter "Automatic Changes" and specify:

php4 4.3.4

9. Enter "OK".

10. As the files are being installed, change the CD at the appropriate time. When the installation finishes, enter the Quit command.

11. To copy the test/demo websites to the VM from the host, download htdocs.tar.gz from: http://developer.novell.com/wiki/index.php/Nam-demos, then copy the tar file to the VM:
scp /home/jdoe/download/htdocs.tar.gz novlwww@172.17.2.111:/srv/www/

12. Go to the VM.

13. Expand the tar as follows:

cd /srv/www
tar -xvzf /tmp/htdocs.tar.gz

14. Set ownership and rights: "chown novlwww.novlwww /srv/www/htdocs -R"

15. Modify Apache2:
vi /etc/apache2/listen.conf (?:wq? to save and quit, ?:q!? to quit w/o save)
and change "Listen 80" to "Listen 81"

16. Start Apache2: /etc/init.d/apache2 start

17. Make Apache autostart: chkconfig apache2 on

18. On the host, modify the hosts file:
vi /etc/hosts or notepad C:\WINDOWS\system32\drivers\etc\hosts
In Open Lab 1 add the following line :
172.17.2.111 www.digiair.com NAMbox1 NAMbox1.digiair.com
(or adjust as needed)

19. Test the web pages (from a browser, from the host):

Click to view.

Figure 1 - http://www.utopia.com:81

Click to view.

Figure 2 - http://www.utopia.com:81/medical.html

Click to view.

Figure 3 - http://www.utopia.com:81/sales.php (http://www.utopia.com:81/sales.php/index)

Troubleshooting Step 1

1. Is apache2 installed?

# rpm -qa | grep -i apache
  	apache2-prefork-2.0.49-27.8
	apache2-2.0.49-27.8
	apache2-worker-2.0.49-27.8
	apache2-mod_php4-4.3.4-43.8

2. Is PHP installed ?

# rpm -qa | grep -i php4
 	php4-4.3.4-43.8
	apache2-mod_php4-4.3.4-43.8

3. Is apache2 running?

ps -ef | grep -i apach
......

4. Is apache2 listening on port 81?

netstat -nl | grep -i 81
tcp        0      0 :::81          :::*           LISTEN

5. Check the Apache Error logfiles. The error logfile is defined in /etc/apache2/httpd.conf.
The default file is: /var/log/apache2/error_log

Step 2: Adding Basic Authentication for the Sales page

In order to have some more material to work with, we will setup apache to request basic authentication for the web pages under /srv/www/htdocs/sales. For the LDAP user store, we will use the embedded eDirectory of Novell Access Manager (this is not supported for a production environment).

1. Edit /srv/www/htdocs/default-server.conf and add the following:

LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so
<Directory "/srv/www/htdocs/sales">
	AllowOverride None
	Allow from all
	Options None
	AuthType basic
	Order allow,deny
	AuthName "Login to get access to Sales "
	AuthLDAPAuthoritative   on
	AuthLDAPEnabled on
	AuthLDAPURL ldap://172.17.2.111/o=novell?uid?sub 
	require valid-user
</Directory>

This paragraph will instruct apache to request authentication from the user. Apache will verify the username and password against its embedded eDirectory. This eDirectory is an internal part of the Device Manager and should not be used in a production environment.

2. Because by default the embedded eDirectory is only accessible over Secure LDAP, you need to run the following commands on the NAM image (only once) to allow non-SSL-LDAP authentication (required for our simple Apache LDAP authentication):

/opt/novell/eDirectory/bin/ldapconfig set 'Require TLS for Simple Binds with Password=no' -a admin.novell -w novell
/opt/novell/eDirectory/bin/ldapconfig set 'ldapBindRestrictions=0' -a admin.novell -w novell

Click to view.

Figure 4 - x

3. Restart apache : /etc/init.d/apache2 restart

4. Test: http://www.utopia.com:81/sales/index.php. You should be prompted with a basic authentication window. Create some users in eDirectory and log in with these users.

Note: There is also a sales.php under /srv/www/htdocs. This page does not require basic authentication, since it is in the document-root, and our apache is only protecting the entries below /srv/www/htdocs/sales.

Click to view.

Figure 5 - x

Troubleshooting Step 2

1. Check the apache errorlog file.

2. You can trace eDirectory using iMonitor or command line ndstrace.

Click to view.

Figure 6 - x

3. Browse to: http://172.17.2.91:8028

4. In DSTrace, log in as: admin.system / n0v3ll

5. Go to Clear All > Check LDAP > Trace on > Trace history > Trace life. Click Update from time to time or change the parameters for auto-update.

If you don't see anything in the trace, then activate the trace items in iManager:
LDAP > LDAP options > "+" to see the LDAP Server; > Tracing and activate Connection Information (and anything else you like).

Do not forget to disable tracing after the test, as it slows down the system.

You can also start ndstrace from the command line (or with an ssh command from a remote terminal on the host):

# start ndstrace in the background
ndstrace -l&
# clear all trace settings
ndstrace -c 'set ndstrace=nodebug'
# set ndstrace to trace DirXML engine + drivers
#(remember to set the trace level on the drivers with iManager)
ndstrace -c 'dstrace +DXML +DVRS'

# set ndstrace to write logging to a file
ndstrace -c 'ndstrace file on'
# display the changes in the ndstrace log file
tail  -f /var/opt/novell/eDirectory/log/ndstrace.log

Note: Do not mix both methods (command line and iMonitor), as they will interfere with each other.

Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).

It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.