1# NOTE: THIS CONFIGURATION IS FOR APACHE 2 ONLY.
2#
3# Modify this to your liking and include it in httpd.conf.
4# -----------------------------------------------------------------------------
5
6PerlModule ModPerl::Util
7PerlModule Apache2::Request
8PerlModule Apache2::RequestRec
9PerlModule Apache2::RequestIO
10PerlModule Apache2::RequestUtil
11PerlModule Apache2::ServerUtil
12PerlModule Apache2::Connection
13PerlModule Apache2::Log
14PerlModule Apache::Session
15PerlModule APR::Table
16PerlModule ModPerl::Registry
17PerlModule "Apache2::Const => ':common'"
18PerlModule "APR::Const => ':common'"
19
20PerlModule Apache2::SiteControl
21PerlModule HTML::Mason::ApacheHandler
22
23# The next line (already enabled in this sample) is needed if you get
24# errors from libapreq2 about an 'undefined symbol'
25LoadModule apreq_module /usr/lib/apache2/modules/mod_apreq2.so
26
27# Add Netdot's libraries to @INC
28PerlSwitches -I<<Make:PREFIX>>/lib
29
30<Perl>
31# Set up the Mason handler and global variables and import modules.
32use Netdot::Mason;
33
34# Override SiteControl's login method 
35use Netdot::SiteControlLoginWrapper;
36</Perl>
37
38
39# If you would like to put netdot somewhere other than ``/netdot''
40# just change this alias, the location of the login target
41# (i.e. /netdot/NetdotLogin), and the variable NetdotPath below.  
42Alias /netdot "<<Make:PREFIX>>/htdocs/"
43
44# Force UTF-8
45PerlSetVar MasonPreamble "use utf8;"
46AddDefaultCharset utf-8 
47
48# Set the path that will be protected.
49#
50# *NOTE* This variable is used to determine absolute paths where
51# needed in the netdot pages.  The "Netdot" prefix in its name corresponds
52# to the AuthName (Netdot) below.  If you want to change the AuthName you
53# will still need this variable, as the Mason code assumes you didn't
54# change the AuthName.
55PerlSetVar NetdotPath "/netdot/"
56
57# Indicate the path to the login page. Be careful, HTML::Mason can 
58# interfere with proper handling...make sure you know your dependencies.
59# See samples and Apache::AuthCookie for more information.
60PerlSetVar NetdotLoginScript /netdot/login.html
61
62# See Apache::AuthCookie for descriptions of these.  
63#
64# A general note about these Netdot variables: Some are accessed when
65# a user requests a page and others are accessed when a user attempts
66# to login.  In our setup the login target (NetdotLogin) is in the
67# same apache scope as the netdot pages (/netdot) and these variables
68# are specified at the global scope so there isn't an issue, but if
69# you decide to move them inside a Directory, Files, or Location block
70# and move the login target be sure that you put the right variables
71# in the right places (hint: you will probably have to read the
72# AuthCookie code as it is not clear from the docs, if you don't want
73# any duplicates).  The same probably goes for the SiteControl and
74# other non prefixed variables, but since they don't have prefixes it
75# would be inconsiderate to put them at the top level (pollute the
76# global name space), and so if you move the login target be sure to
77# duplicate any relevant variables (again, it might not be obvious
78# which).
# Global AuthCookie variables for the "Netdot" auth name: Satisfy mode,
# optional cookie domain, caching, and the temporary-session lifetime.
79PerlSetVar NetdotSatisfy All
80# If this is set you won't be able to use unqualified hostnames and
81# rely on DNS to supply the domain.  DNS will supply the domain no
82# doubt, but the browser doesn't see it so the cookie will be invalid.
83# Also, a hostname isn't valid here.
84#PerlSetVar NetdotDomain .uoregon.edu
85PerlSetVar NetdotCache 1
# NOTE(review): no NetdotSecure or NetdotHttpOnly variable is set in this
# sample as shown.  Apache::AuthCookie documents both (they add the Secure
# and HttpOnly flags to the session cookie); consider enabling them when the
# site is served over HTTPS -- confirm support in the installed version.
86
87# We change the value of NetdotExpires dynamically to implement both
88# temporary and permanent sessions.  NetdotTemporarySessionExpires
89# specifies the length of the temporary sessions, i.e. it corresponds to
90# NetdotExpires in a typical AuthCookie setup.
# The value below limits a temporary session to two hours.
91PerlSetVar NetdotTemporarySessionExpires +2h
92
# Per-directory settings for the Netdot document root: hands requests to
# HTML::Mason and puts the tree behind Apache2::SiteControl authentication.
93<Directory <<Make:PREFIX>>/htdocs/>
   # NOTE(review): Order/Allow is the Apache 2.2 access-control syntax (on 2.4
   # it needs mod_access_compat).  "Allow from all" places no network-level
   # restriction on this directory; access is gated only by the AuthType /
   # "require valid-user" settings further down.
94   Order Deny,Allow
95   Allow from all
96
97   # Other applications may have attempted to override how .html files are
98   # interpreted.  We need to reset this so that HTML::Mason can work
99   # correctly.
100   AddType text/html .html
101
102   # This is hackish but it works.  It is preferred over handling all
103   # files in /netdot as this causes requests for /netdot or /netdot/
104   # to fail (DirectoryIndex doesn't get handled correctly).  The
105   # "proper" way to handle this is with rewrite rules or
106   # fixuphandlers I think, but this works: Handle everything which
107   # isn't /netdot or /netdot/, i.e. which has at least one non / char
108   # in its name relative to /netdot/, with mason.
109   <FilesMatch .>
110       SetHandler perl-script
111       PerlHandler Netdot::Mason
112   </FilesMatch>
113
114   # Prevent mason from handling css and javascript
115   <FilesMatch (\.css|\.js)$>
116       SetHandler default-handler
117   </FilesMatch>
118
119   AuthType Apache2::SiteControl
120   AuthName Netdot
121   # Choose a name for the instance of the authenticator. This name is
122   # used as part of the remaining variable names.
123   PerlSetVar AuthName Netdot
124   require valid-user
125
126   # Allow access to the css and title image so the login page
127   # displays correctly.  The anonymous sub is somehow equiv to the
128   # specification of the constant explicitly.  The point is that you
129   # can't simply turn off authentication for particular files, you
130   # must provide a new handler which allows all requests instead.
   # NOTE(review): the pattern is anchored only at the end, so every file in
   # this tree whose name ends in ".css" or "title.png" is served without
   # authentication -- keep nothing sensitive under such names.
   # NOTE(review): httpd only treats "#" as a comment marker at the start of
   # a line; confirm the trailing "#'sub { return OK }'" text on the two
   # handler lines below is not parsed as additional handler arguments.
131   <FilesMatch (\.css|title\.png)$>
132        PerlAuthenHandler Apache2::Const::OK #'sub { return OK }'
133        PerlAuthzHandler Apache2::Const::OK #'sub { return OK }'
134   </FilesMatch>
135
136   # LDAP parameters are set in the login target Location directive
137   # below.
138   PerlSetVar SiteControlMethod Netdot::LDAP
139
140   # Turn on debugging
   # NOTE(review): all three debug switches are enabled in this sample.
   # Debug output from the authentication layers presumably lands in the
   # Apache error log and may include login/session details -- confirm, and
   # set these to 0 outside of troubleshooting.
141   PerlSetVar AccessControllerDebug 1
142   PerlSetVar AuthCookieDebug 1
143   PerlSetVar SiteControlDebug 1
144
145   # Configure the factories. See SiteControl::UserFactory and
146   # SiteControl::ManagerFactory
147   PerlSetVar SiteControlManagerFactory Netdot::NetdotPermissionFactory
148
149   # Configure the location of the session data on server disks
150   # NOTE: apache should have read/write access to these locations.
   # NOTE(review): these directories hold server-side session state.  They
   # sit outside the aliased htdocs tree; keep it that way, and restrict
   # their permissions to the account Apache runs as.
151   PerlSetVar SiteControlSessions <<Make:PREFIX>>/tmp/sessions
152   PerlSetVar SiteControlLocks <<Make:PREFIX>>/tmp/sessions/locks
153
154   # Tell mod_perl that you want this module to control access:
155   PerlAuthenHandler Apache2::SiteControl->authenticate
156   PerlAuthzHandler Apache2::SiteControl->authorize
157
158   # See Apache2::SiteControl::UserFactory.  There are more variables,
159   # but this seems to be the only one which makes SiteControl insult
160   # you in the logs :P
   # NOTE(review): the value below is a fixed string shipped with this
   # sample, so it is not secret.  Presumably UserFactory uses it as the key
   # when it stores the user's password in the session -- confirm, and
   # replace it with a site-specific random value, keeping this file
   # readable only by root and the Apache account.
161   PerlSetVar UserObjectPasswordKey "Netdot gets the last laugh"
162</Directory>
163
# Login target: receives the submitted login form and carries the LDAP
# settings used to check the credentials.
164<Location /netdot/NetdotLogin>
165   SetHandler perl-script
166   PerlHandler Netdot::SiteControlLoginWrapper->login
167
168   # Stop AuthCookie from preventing access to NetdotLogin
169   # (which would create an authen loop).
   # Consequence: this URL is reachable without a session, so the login
   # handler above is the only thing checking credentials here.
170   PerlAuthenHandler Apache2::Const::OK
171   PerlAuthzHandler Apache2::Const::OK
172
   # LDAP settings.  The host names and search base below are placeholders
   # and must be replaced with site values.
   # NOTE(review): both URLs use ldaps:// on port 636, i.e. TLS from the
   # start of the connection.  NetdotLDAPRequireTLS presumably governs
   # StartTLS on plain ldap:// connections -- confirm in Netdot::LDAP; if a
   # server URL is ever changed to ldap://, leaving this at "no" would
   # likely send passwords in clear text.  Also confirm that the LDAP
   # client verifies the server certificate.
173   PerlSetVar NetdotLDAPServer  "ldaps://localhost.localdomain:636"
174   PerlSetVar NetdotLDAPServer2 "ldaps://otherhost.localdomain:636"
175   PerlSetVar NetdotLDAPRequireTLS "no"
   # presumably <username> is replaced with the name typed into the login
   # form; verify that Netdot::LDAP escapes DN special characters in it.
176   PerlSetVar NetdotLDAPUserDN "uid=<username>"
177   PerlSetVar NetdotLDAPSearchBase "ou=people,dc=domain,dc=local"
   # NOTE(review): "yes" presumably makes a failed LDAP attempt fall back to
   # Netdot's local accounts -- confirm.  If so, local passwords remain a
   # valid login path and need the same password policy and monitoring; set
   # this to "no" if LDAP must be the only authority.
178   PerlSetVar NetdotLDAPFailToLocal "yes"
179</Location>
180