iPlanet Server Configuration (with LDAP)
(Last revised 31 July 2001)
This section describes the precise details of configuring the iPlanet (formerly Netscape) version 4.x (or higher) web server to work with Caucus. It assumes that you have already installed your web server and are generally familiar with the server configuration process.
Start by "logging in" to the iPlanet administration server web interface, typically running on the same host but on a different port number (e.g. http://yourhost.com:8041). Then under "Manage Servers", select the Caucus server and click on "Manage".
Note that iPlanet typically uses an LDAP server (the "Netscape Directory Server") to maintain its lists of userids and passwords. This replaces (and in many ways improves on) Caucus' default manner of handling userids and passwords. (If you've read the General Server Configuration page, it also means that you do not configure the "REG" registration directory, since userid registration is also handled by LDAP.)
- Allow access to Caucus program directory
From the "Preferences" tab, click on "Restrict Access". Under the "Pick a Resource" section, click on "Wildcard", and enter the full pathname to the Caucus "SWEB" directory, including a terminating "/*". For example:
/home/caucus/SWEB/*
(replacing /home/caucus with the home directory of the Caucus userid on your system).
Then click on "Edit Access Control" for that (new) entry. This should display an empty "Access Control Rules" box. In general, you can use this box to create very sophisticated sets of rules that control who may access files and programs on your web server, and under what conditions.
For Caucus, you will create a "deny" rule that initially denies everyone, then an "allow" rule that allows users in your LDAP database. Start by clicking on "New Line" -- this should automatically create the first "deny" entry that covers everyone.
To create the "allow" rule, click on "New Line" again to create a second "Deny" entry. Click on "Deny" in the second line, and change it to "Allow" (and click "Update").
Figure 1: Deny & Allow rules
Click on "anyone" in the 2nd line, and set it to:
- "All in the authentication database". (If you have a specific LDAP group that you intend to use, select "Only the following people" and type in the group name.)
- Under "Prompt for Authentication", enter "Caucus". (Note: if you wish to run different applications against the same LDAP list of users, and only want those users to log in once -- sometimes called "single signon" -- all of your applications must use the same "Prompt for Authentication". This is sometimes called the "realm". It doesn't have to be "Caucus"; it can be anything, as long as it is the same for all applications that you want to share the same signon or login.)
- Under authentication methods, select "Basic", unless you already are using some other method.
Figure 2: Select User/Group Authentication
Click on "Update".
Click on "Submit", and then "Save and Apply".
- Define Caucus CGI directory
From the top-level tabs, choose "Programs" and click on "CGI directory". In the "URL prefix" box, type the name of the "sweb" parameter that you chose when you ran the Caucus cinstall installation script. The default value for this parameter is just "sweb".
In the "CGI directory" box, type the full pathname of the Caucus SWEB directory, e.g.
/home/caucus/SWEB
and click "OK".
- Add Caucus public directory
The Caucus "public_html" directory must be made readable via the standard "~user" format. (This means that, in general, any Unix userid "user" has a subdirectory called public_html that can be reached on the web as http://yourhost.com/~user. Caucus requires that this format work, at least for the Caucus public_html directory and files.)
If you have not already configured your iPlanet server to do this for all users, you can specifically add this as an alias just for the Caucus public_html directory. If you're not certain, it will not hurt to add this alias.
From the top level tab menu, click on "Content Management", and then "Additional Document Directories". In "URL Prefix", enter "~caucus" (replacing "caucus" with the actual unix userid where you installed Caucus). In "Map to directory", enter the full pathname of the Caucus public_html directory, e.g.
/home/caucus/public_html
Click "OK", and "Save and Apply". You are now finished with the iPlanet administration server and may close the browser window.
- Turn off Caucus password features
To complete the configuration process, you must turn off the Caucus features that normally handle userids and passwords, such as registering new userids or changing passwords.
Log in (via telnet or ssh) to your Caucus host, using the unix userid and password for the id that owns the Caucus files. Edit the file SWEB/swebd.conf, and look for the section that says:
PW_Can_Add on
PW_Can_Change on
PW_Can_Delete on
PW_Can_Verify on
Change all of the "on"s to "off", and save the file.
You will need to restart Caucus (if it is already running) for these changes to take effect. (Fully privileged managers can stop Caucus from within the Caucus manager menu.) See the instructions on Starting the Caucus daemon to restart Caucus.
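The swebd.conf edit described above can be scripted and checked, so that no PW_Can_* flag is left "on" once LDAP handles passwords. This is an added example, not part of Caucus; it assumes the file uses "Keyword value" lines as in the excerpt, and the function names and the sample file contents are hypothetical.

```shell
#!/bin/sh
# Added example, not shipped with Caucus. Assumes swebd.conf holds
# whitespace-separated "Keyword value" lines, as in the excerpt above.
PW_KEYS='PW_Can_Add PW_Can_Change PW_Can_Delete PW_Can_Verify'

# pw_flags_still_on FILE
# Prints each PW_Can_* keyword whose last setting is not "off".
# A keyword that is missing from the file is reported too, since its
# effective value is then unknown. Prints nothing when all four are off.
pw_flags_still_on() {
    for key in $PW_KEYS; do
        val=$(awk -v k="$key" '$1 == k { v = tolower($2) }
                               END { print v }' "$1")
        [ "$val" = "off" ] || echo "$key"
    done
}

# pw_flags_disable FILE
# Saves FILE as FILE.bak, rewrites only the four PW_Can_* lines to
# "Keyword off" (indentation on those lines is not kept), and returns
# non-zero if any flag is still not off afterwards.
pw_flags_disable() {
    conf=$1
    cp -p "$conf" "$conf.bak" || return 1
    tmp=$(mktemp "$conf.XXXXXX") || return 1
    awk -v keys="$PW_KEYS" '
        BEGIN { n = split(keys, a, " ")
                for (i = 1; i <= n; i++) want[a[i]] = 1 }
        ($1 in want) { print $1 " off"; next }
        { print }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Writing through the existing file keeps its owner and mode.
    cat "$tmp" > "$conf" && rm -f "$tmp"
    [ -z "$(pw_flags_still_on "$conf")" ]
}

# Demo on a constructed file (illustrative contents, not a real swebd.conf).
d=$(mktemp -d) && printf '%s\n' 'Other_Setting x' 'PW_Can_Add on' \
    'PW_Can_Change on' 'PW_Can_Delete on' 'PW_Can_Verify on' > "$d/swebd.conf"
pw_flags_disable "$d/swebd.conf" && echo "all PW_Can_* flags are off"
rm -rf "$d"
```

On a real installation, run pw_flags_disable against SWEB/swebd.conf as the userid that owns the Caucus files, then restart Caucus as described above.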