Note: This article builds on NAM Open Lab, Part 1:
In this Novell Access Manager Open Lab (Part 2) we will:
1. Add Apache and PHP.
2. Set up some of the Digital Airlines websites that have been made available by Novell.
We will do this on top of the Access Manager "all on one" installation from the previous lab. Next, we will configure Apache to authenticate users against eDirectory. We will use the embedded eDirectory of Novell Access Manager, so we won't need any additional servers or VMs for this setup.
What You Need
Example Protected Web Site (we will use these examples):
Step 1: Adding Apache2 and PHP to the image
Note: Adding RPMs to an image-install will break the support conditions. This is only a sandbox setup for testing/demo purposes.
1. Verify the SUSE version that has been installed by Access Manager:
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 3
This is SLES 9 SP3.
2. On a virtual machine, set the CD to a physical CD and insert the SLES9 CD2 (or use another source for the required files).
3. From a terminal command line, start YaST (in text mode).
4. Enter the following commands:
Change Source of Installation
5. Enter these commands:
Install and Remove Software
Ignore All dependencies (we want to interfere as little as possible with the image install of Access Manager)
6. Select the following files:
7. Enter "Accept".
8. Enter "Automatic Changes" and specify:
9. Enter "OK".
10. As the files are being installed, change the CD at the appropriate time. When the installation finishes, enter the Quit command.
11. To copy the test/demo websites to the VM from the host, download htdocs.tar.gz from: http://developer.novell.com/wiki/index.php/Nam-demos, then copy the tar file to the VM:
scp /home/jdoe/download/htdocs.tar.gz <user>@<NAM-VM-IP>:/srv/www/ (replace <user>@<NAM-VM-IP> with the login and address of your NAM VM)
12. Go to the VM.
13. Expand the tar as follows:
tar -xvzf /tmp/htdocs.tar.gz
14. Set ownership and rights: "chown novlwww.novlwww /srv/www/htdocs -R"
15. Modify Apache2:
vi /etc/apache2/listen.conf (:wq to save and quit, :q! to quit without saving)
and change "Listen 80" to "Listen 81"
16. Start Apache2: /etc/init.d/apache2 start
17. Make Apache autostart: chkconfig apache2 on
18. On the host, modify the hosts file:
vi /etc/hosts or notepad C:\WINDOWS\system32\drivers\etc\hosts
As in Open Lab 1, add the following line:
172.17.2.111 www.digiair.com NAMbox1 NAMbox1.digiair.com
(or adjust as needed)
19. Test the web pages (from a browser, from the host):
Figure 1 - http://www.utopia.com:81
Figure 2 - http://www.utopia.com:81/medical.html
Figure 3 - http://www.utopia.com:81/sales.php (http://www.utopia.com:81/sales.php/index)
Troubleshooting Step 1
1. Is apache2 installed?
# rpm -qa | grep -i apache
2. Is PHP installed ?
# rpm -qa | grep -i php4
3. Is apache2 running?
ps -ef | grep -i apach
4. Is apache2 listening on port 81?
netstat -nl | grep -i 81
tcp 0 0 :::81 :::* LISTEN
5. Check the Apache Error logfiles. The error logfile is defined in /etc/apache2/httpd.conf.
The default file is: /var/log/apache2/error_log
Step 2: Adding Basic Authentication for the Sales page
In order to have some more material to work with, we will set up Apache to request basic authentication for the web pages under /srv/www/htdocs/sales. For the LDAP user store, we will use the embedded eDirectory of Novell Access Manager (this is not supported for a production environment).
1. Edit /srv/www/htdocs/default-server.conf and add the following:
LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so
Allow from all
AuthName "Login to get access to Sales "
This configuration instructs Apache to request authentication from the user. Apache then verifies the username and password against the embedded eDirectory of Access Manager. This eDirectory is an internal part of the Device Manager and should not be used in a production environment.
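A complete version of the default-server.conf fragment above, added here as an example (not from the original article): the module paths, directory and AuthName come from the article; the AuthLDAPURL (localhost, cleartext port 389, users searched by cn below o=novell) is an assumption you will need to adjust to your tree.

```apache
# Added example, not part of the original article. Paths and AuthName come
# from the lab text; the LDAP URL, search base and attribute are assumptions
# for the embedded eDirectory of the NAM "all on one" box.
LoadModule ldap_module      /usr/lib/apache2/mod_ldap.so
LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so

<Directory "/srv/www/htdocs/sales">
    Order allow,deny
    Allow from all

    AuthType Basic
    AuthName "Login to get access to Sales "

    # Assumption: embedded eDirectory on this same box, cleartext LDAP port,
    # users found by cn under o=novell. Keep the URL pointed at localhost:
    # the ldapconfig step below disables the TLS requirement, so the simple
    # bind password would otherwise cross the network in the clear.
    # Anonymous search is assumed to be allowed (no AuthLDAPBindDN needed).
    AuthLDAPURL "ldap://127.0.0.1:389/o=novell?cn?sub?(objectClass=inetOrgPerson)"

    # Any user whose bind succeeds may see the Sales pages.
    Require valid-user
</Directory>
```

The pages in the document root (such as sales.php) stay unprotected because only the /srv/www/htdocs/sales directory block carries the Auth directives.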
2. Because by default the embedded eDirectory only accepts simple binds over TLS, run the following commands once on the NAM image to allow non-SSL LDAP authentication (which our simple Apache LDAP authentication requires):
/opt/novell/eDirectory/bin/ldapconfig set 'Require TLS for Simple Binds with Password=no' -a admin.novell -w novell
/opt/novell/eDirectory/bin/ldapconfig set 'ldapBindRestrictions=0' -a admin.novell -w novell
Figure 4
3. Restart Apache: /etc/init.d/apache2 restart
4. Test: http://www.utopia.com:81/sales/index.php. You should be prompted with a basic authentication dialog. Create some users in eDirectory and log in as one of them.
Note: There is also a sales.php under /srv/www/htdocs. This page does not require basic authentication, since it is in the document root, and our Apache is only protecting the entries below /srv/www/htdocs/sales.
Figure 5
Troubleshooting Step 2
1. Check the Apache error log file.
2. You can trace eDirectory using iMonitor or command line ndstrace.
Figure 6
3. Browse to: http://172.17.2.91:8028
4. In DSTrace, log in as: admin.system / n0v3ll
5. Go to Clear All > Check LDAP > Trace on > Trace history > Trace life. Click Update from time to time or change the parameters for auto-update.
If you don't see anything in the trace, then activate the trace items in iManager:
In iManager go to LDAP > LDAP Options, click "+" to expand the LDAP Server object, then open Tracing and activate Connection Information (and anything else you like).
Do not forget to disable tracing after the test, as it slows down the system.
You can also start ndstrace from the command line (or with an ssh command from a remote terminal on the host):
# start ndstrace in the background (-l loads the trace module, & leaves it running)
ndstrace -l &
# clear all trace settings
ndstrace -c 'set ndstrace=nodebug'
# set ndstrace to trace the DirXML engine + drivers
# (remember to set the trace level on the drivers with iManager)
ndstrace -c 'dstrace +DXML +DVRS'
# set ndstrace to write logging to a file
ndstrace -c 'ndstrace file on'
# display the changes in the ndstrace log file
tail -f /var/opt/novell/eDirectory/log/ndstrace.log
Note: Do not mix both methods (command line and iMonitor), as they will interfere with each other.
Disclaimer: As with everything else at Cool Solutions, this content is definitely not supported by Novell (so don't even think of calling Support if you try something and it blows up).
It was contributed by a community member and is published "as is." It seems to have worked for at least one person, and might work for you. But please be sure to test, test, test before you do anything drastic with it.