NAM Open Lab 2: Setting Up Test/Demo Websites
Novell Cool Solutions: AppNote
By Chris Van Den Abbeele
Posted: 14 Feb 2007
Note: This article builds on NAM Open Lab, Part 1:
In this Novell Access Manager Open Lab (Part 2) we will:
1. Add Apache and PHP.
2. Set up some of the Digital Airlines websites that have been made available by Novell.
We will do this on top of the Access Manager "all on one" installation from the previous lab. Next, we will configure Apache to authenticate users against eDirectory. We will use the embedded eDirectory of Novell Access Manager, so we won't need any additional servers or VMs for this setup.
What You Need
- A working "all on one" Novell Access Manager installation from the previous Open Lab (http://www.novell.com/coolsolutions/feature/18441.html)
- The test/demo websites from: http://developer.novell.com/wiki/index.php/Nam-demos
- SLES 9 CDs (or a source for apache2-2.0.49-27.8.i586.rpm and other files). If you are a Novell partner, you should be able to download them from:
Example Protected Web Site (we will use these examples):
Step 1: Adding Apache2 and PHP to the image
Note: Adding RPMs to an image-install will break the support conditions. This is only a sandbox setup for testing/demo purposes.
1. Verify the SUSE version that has been installed by Access Manager:
# cat /etc/SuSE-release
SUSE LINUX Enterprise Server 9 (i586)
VERSION = 9
PATCHLEVEL = 3
This is SLES 9 SP3.
2. On a virtual machine, set the CD to a physical CD and insert the SLES9 CD2 (or use another source for the required files).
3. From a terminal command line, start Yast (in text mode).
4. Enter the following commands:
Change Source of Installation
5. Enter these commands:
Install and Remove Software
Ignore All dependencies (we want to interfere as little as possible with the image install of Access Manager)
6. Select the following files:
7. Enter "Accept".
8. Enter "Automatic Changes" and specify:
9. Enter "OK".
10. As the files are being installed, change the CD at the appropriate time. When the installation finishes, enter the Quit command.
11. To copy the test/demo websites to the VM from the host, download htdocs.tar.gz from:
http://developer.novell.com/wiki/index.php/Nam-demos, then copy the tar file to the VM:
scp /home/jdoe/download/htdocs.tar.gz firstname.lastname@example.org:/srv/www/
12. Go to the VM.
13. Expand the tar as follows:
cd /srv/www
tar -xvzf /tmp/htdocs.tar.gz
14. Set ownership and rights: "chown novlwww.novlwww /srv/www/htdocs -R"
15. Modify Apache2:
vi /etc/apache2/listen.conf (":wq" to save and quit, ":q!" to quit without saving)
and change "Listen 80" to "Listen 81"
16. Start Apache2: /etc/init.d/apache2 start
17. Make Apache autostart: chkconfig apache2 on
18. On the host, modify the hosts file:
vi /etc/hosts or notepad C:\WINDOWS\system32\drivers\etc\hosts
As in Open Lab 1, add the following line:
172.17.2.111 www.digiair.com NAMbox1 NAMbox1.digiair.com
(or adjust as needed)
19. Test the web pages (from a browser, from the host):
Figure 1 - http://www.utopia.com:81
Figure 2 - http://www.utopia.com:81/medical.html
Troubleshooting Step 1
1. Is apache2 installed?
# rpm -qa | grep -i apache
apache2-prefork-2.0.49-27.8
apache2-2.0.49-27.8
apache2-worker-2.0.49-27.8
apache2-mod_php4-4.3.4-43.8
2. Is PHP installed ?
# rpm -qa | grep -i php4
php4-4.3.4-43.8
apache2-mod_php4-4.3.4-43.8
3. Is apache2 running?
# ps -ef | grep -i apach
...
4. Is apache2 listening on port 81?
# netstat -nl | grep -i 81
tcp 0 0 :::81 :::* LISTEN
5. Check the Apache Error logfiles. The error logfile is defined in /etc/apache2/httpd.conf. The default file is: /var/log/apache2/error_log
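The five checks above can be scripted so that they are exact rather than eyeballed. The following POSIX shell script is an added example and is not part of the original AppNote or of Novell's tooling. It parses netstat -nl output for a TCP socket actually bound in LISTEN state on the given port (the page's grep -i 81 also matches any line that merely contains the digits 81), reads the active Listen directives from listen.conf, confirms the RPMs from the rpm -qa output, and, when invoked with --run on the NAM box, performs the live checks. The script name, the --run flag and the function names are assumptions of this example; the package names, file paths and port come from the page.

```shell
#!/bin/sh
# check_apache_step1.sh (example script, not from the AppNote): verify the Step 1 result.
# The check functions take their input as arguments so they can be exercised offline.
set -u

# port_listening PORT NETSTAT_OUTPUT
# Succeeds if NETSTAT_OUTPUT (from `netstat -nl`) shows a TCP socket in LISTEN
# state whose local address ends in :PORT. The whole port number is compared,
# so 81 does not match 8028 or 8180.
port_listening() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")        # local address; last field is the port
            if (a[n] == p) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# configured_listen_ports CONF_TEXT
# Prints one port per line for every active (uncommented) Listen directive;
# "Listen 81" and "Listen 10.0.0.1:81" both yield 81.
configured_listen_ports() {
    printf '%s\n' "$1" | awk '$1 == "Listen" { n = split($2, a, ":"); print a[n] }'
}

# installed_rpms RPM_LIST NAME...
# Succeeds if every NAME appears as a package (NAME-<version>) in RPM_LIST,
# the output of `rpm -qa`.
installed_rpms() {
    list=$1; shift
    for name in "$@"; do
        printf '%s\n' "$list" | grep -q "^$name-[0-9]" || return 1
    done
    return 0
}

# Live checks, run only as:  sh check_apache_step1.sh --run   (on the NAM box)
if [ "${1:-}" = "--run" ]; then
    fail=0
    if installed_rpms "$(rpm -qa)" apache2 apache2-prefork apache2-mod_php4; then
        echo "PASS apache2, apache2-prefork and apache2-mod_php4 are installed"
    else
        echo "FAIL apache2, apache2-prefork or apache2-mod_php4 is missing"; fail=1
    fi
    if configured_listen_ports "$(cat /etc/apache2/listen.conf)" | grep -qx 81; then
        echo "PASS listen.conf contains Listen 81"
    else
        echo "FAIL listen.conf does not contain Listen 81"; fail=1
    fi
    # The bracket trick keeps the grep process itself out of the match.
    if ps -ef | grep -q '[a]pach'; then
        echo "PASS an apache2 process is running"
    else
        echo "FAIL no apache2 process found"; fail=1
    fi
    if port_listening 81 "$(netstat -nl)"; then
        echo "PASS a TCP socket is listening on port 81"
    else
        echo "FAIL nothing is listening on TCP port 81"; fail=1
    fi
    # Last lines of the default error log (the path is set in /etc/apache2/httpd.conf).
    tail -n 5 /var/log/apache2/error_log 2>/dev/null
    exit $fail
fi
```

Run it as sh check_apache_step1.sh --run after step 17; a FAIL on the port check while the Listen check passes usually means Apache was not restarted after listen.conf was edited.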
Step 2: Adding Basic Authentication for the Sales page
In order to have some more material to work with, we will set up Apache to request basic authentication for the web pages under /srv/www/htdocs/sales. For the LDAP user store, we will use the embedded eDirectory of Novell Access Manager (this is not supported for a production environment).
1. Edit /srv/www/htdocs/default-server.conf and add the following:
LoadModule ldap_module /usr/lib/apache2/mod_ldap.so
LoadModule auth_ldap_module /usr/lib/apache2/mod_auth_ldap.so
<Directory "/srv/www/htdocs/sales">
    AllowOverride None
    Allow from all
    Options None
    AuthType basic
    Order allow,deny
    AuthName "Login to get access to Sales "
    AuthLDAPAuthoritative on
    AuthLDAPEnabled on
    AuthLDAPURL ldap://172.17.2.111/o=novell?uid?sub
    require valid-user
</Directory>
This block instructs Apache to request authentication from the user. Apache verifies the username and password against the embedded eDirectory of Access Manager. This eDirectory is an internal part of the Device Manager and should not be used in a production environment.
2. Because by default the embedded eDirectory is only accessible over Secure LDAP, you need to run the following commands on the NAM image (only once) to allow non-SSL-LDAP authentication (required for our simple Apache LDAP authentication):
/opt/novell/eDirectory/bin/ldapconfig set 'Require TLS for Simple Binds with Password=no' -a admin.novell -w novell
/opt/novell/eDirectory/bin/ldapconfig set 'ldapBindRestrictions=0' -a admin.novell -w novell
Figure 4 - x
3. Restart apache : /etc/init.d/apache2 restart
4. Test: http://www.utopia.com:81/sales/index.php. You should be prompted with a basic authentication window. Create some users in eDirectory and log in with these users.
Note: There is also a sales.php under /srv/www/htdocs. This page does not require basic authentication, since it is in the document root, and our Apache is only protecting the entries below /srv/www/htdocs/sales.
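The test in step 4 and the note about sales.php describe a protection boundary: everything below /sales must challenge, the document root must not. The following POSIX shell script, an added example that is not part of the AppNote or of Novell's tooling, checks that boundary from the host with curl instead of a browser. It classifies an HTTP response header block as "basic" (401 with a Basic challenge), "open" (2xx/3xx, no challenge) or "other", then compares each URL with what Step 2 should produce, including that a wrong password is rejected and a correct one accepted. Because step 2 disabled the TLS requirement for simple binds, the password Apache forwards to eDirectory crosses the lab network in clear; this script only verifies the HTTP side. The script name, the --run flag, the function names and the LDAP_USER/LDAP_PASS placeholders are assumptions of this example; the URLs come from the page.

```shell
#!/bin/sh
# check_basic_auth.sh (example script, not from the AppNote): confirm where Apache
# enforces the Basic-authentication challenge configured in Step 2.
set -u

# classify_response
# Reads an HTTP response header block on stdin and prints one word:
#   basic - status 401 with a "WWW-Authenticate: Basic" challenge (protection active)
#   open  - 2xx or 3xx without a challenge (no auth required, or credentials accepted)
#   other - anything else (403, 404, 500, a non-Basic challenge, ...)
classify_response() {
    headers=$(cat)
    status=$(printf '%s\n' "$headers" | head -n 1 | awk '{ print $2 }')
    if [ "$status" = 401 ] && printf '%s\n' "$headers" | grep -qi '^WWW-Authenticate: *Basic'; then
        echo basic
        return 0
    fi
    case "$status" in
        2??|3??) echo open ;;
        *)       echo other ;;
    esac
}

# check_url URL EXPECTED [USER:PASS]
# Fetches URL with curl (headers only, body discarded), classifies the reply and
# compares it with EXPECTED; with USER:PASS the request carries Basic credentials.
check_url() {
    url=$1; want=$2; cred=${3:-}
    if [ -n "$cred" ]; then
        got=$(curl -s -o /dev/null -D - -u "$cred" "$url" | classify_response)
    else
        got=$(curl -s -o /dev/null -D - "$url" | classify_response)
    fi
    if [ "$got" = "$want" ]; then
        echo "PASS $url -> $got"
    else
        echo "FAIL $url -> $got (expected $want)"
        return 1
    fi
}

# Live checks, run only as:  sh check_basic_auth.sh --run   (from the host)
# LDAP_USER / LDAP_PASS are placeholders for a test user created in eDirectory.
if [ "${1:-}" = "--run" ]; then
    base=http://www.utopia.com:81
    fail=0
    check_url "$base/sales/index.php" basic || fail=1    # /sales must challenge
    check_url "$base/sales.php"       open  || fail=1    # document root: no challenge
    check_url "$base/sales/index.php" basic "${LDAP_USER:-jdoe}:wrong-password" || fail=1
    check_url "$base/sales/index.php" open  "${LDAP_USER:-jdoe}:${LDAP_PASS:-changeme}" || fail=1
    exit $fail
fi
```

If the first check reports "open", mod_auth_ldap is not loaded or Apache was not restarted after editing the configuration; if the last check reports "basic" while the browser test works, eDirectory rejected the LDAP bind and the ndstrace output in Troubleshooting Step 2 shows why.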
Figure 5 - x
Troubleshooting Step 2
1. Check the Apache error log file.
2. You can trace eDirectory using iMonitor or command line ndstrace.
Figure 6 - x
3. Browse to: http://172.17.2.91:8028
4. In DSTrace, log in as: admin.system / n0v3ll
5. Go to Clear All > Check LDAP > Trace on > Trace history > Trace life. Click Update from time to time or change the parameters for auto-update.
If you don't see anything in the trace, then activate the trace items in iManager:
LDAP > LDAP options > "+" to see the LDAP Server > Tracing, and activate Connection Information (and anything else you like).
Do not forget to disable tracing after the test, as it slows down the system.
You can also start ndstrace from the command line (or with an ssh command from a remote terminal on the host):
# start ndstrace in the background
ndstrace -l &
# clear all trace settings
ndstrace -c 'set ndstrace=nodebug'
# set ndstrace to trace DirXML engine + drivers
# (remember to set the trace level on the drivers with iManager)
ndstrace -c 'dstrace +DXML +DVRS'
# set ndstrace to write logging to a file
ndstrace -c 'ndstrace file on'
# display the changes in the ndstrace log file
tail -f /var/opt/novell/eDirectory/log/ndstrace.log
Note: Do not mix both methods (command line and iMonitor), as they will interfere with each other.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com