iPlanet Server Configuration (with LDAP)

Revised 30 October 2002

This section describes the precise details of configuring the iPlanet (formerly Netscape) version 4.x (or higher) web server to work with Caucus.  It assumes that you have already installed your web server and are generally familiar with the server configuration process.

Start by logging in to the iPlanet administration server web interface, which typically runs on the same host but on a different port number (e.g. http://yourhost.com:8041).  Then under "Manage Servers", select the Caucus server and click on "Manage".

Note that iPlanet typically uses an LDAP server (the "Netscape Directory Server") to maintain its lists of userids and passwords. 

  1. Allow access to Caucus program directory
    From the "Preferences" tab, click on "Restrict Access".  Under the "Pick a Resource" section, click on "Wildcard", and enter the full pathname to the Caucus "SWEB" directory, including a terminating "/*".  For example:
       /home/caucus/SWEB/*
    

    (replacing /home/caucus with the home directory of the Caucus userid on your system).

    Then click on "Edit Access Control" for that (new) entry.  This should display an empty "Access Control Rules" box.  In general, you can use this box to create very sophisticated sets of rules that control who may access files and programs on your web server, and under what conditions.

    For Caucus, you will create a "deny" rule that initially denies everyone, then an "allow" rule that allows users in your LDAP database.  Start by clicking on "New Line" -- this should automatically create the first "deny" entry that covers everyone.

    To create the "allow" rule, click on "New Line" again to create a second "Deny" entry.  Click on "Deny" in the second line, and change it to "Allow" (and click "Update"). 

      Figure 1: Deny & Allow rules

    Click on "anyone" in the 2nd line, and set it to:

    • "All in the authentication database".  (If you have a specific LDAP group that you intend to use, select "Only the following people" and type in the group name.)

    • Under "Prompt for Authentication", enter "Caucus".  (Note: if you wish to run different applications against the same LDAP list of users, and only want those users to login once -- sometimes called "single signon" -- all of your applications must use the same "Prompt for Authentication".  This is sometimes called the "realm".  It doesn't have to be "Caucus", it can be anything, as long as it is the same for all applications that you want to share the same signon or login.)

    • Under authentication methods, select "Basic", unless you already are using some other method.

      Figure 2: Select User/Group Authentication

    Click on "Update".

    Click on "Submit", and then "Save and Apply". 

  2. Define Caucus CGI directory
    From the top-level tabs, choose "Programs" and click on "CGI directory".  In the "URL prefix" box, type the name of the "sweb" parameter that you chose when you ran the Caucus cinstall installation script.  The default value for this parameter is just "sweb".

    In the "CGI directory" box, type the full pathname of the Caucus SWEB directory, e.g.

       /home/caucus/SWEB
    
    and click "OK".

    Repeat these steps to create a CGI directory for /home/caucus/REG.

  3. Add Caucus public directory
    The Caucus "public_html" directory must be made readable via the standard "~user" format.  (This means that, in general, any Unix userid "user" has a subdirectory called public_html that can be reached on the web as http://yourhost.com/~user.  Caucus requires that this format work, at least for the Caucus public_html directory and files.)

    If you have not already configured your iPlanet server to do this for all users, you can specifically add this as an alias just for the Caucus public_html directory.  If you're not certain, it will not hurt to add this alias.

    From the top level tab menu, click on "Content Management", and then "Additional Document Directories".  In "URL Prefix", enter "~caucus" (replacing "caucus" with the actual unix userid where you installed Caucus).  In "Map to directory", enter the full pathname of the Caucus public_html directory, e.g.

       /home/caucus/public_html
    

    Click "OK", and "Save and Apply".  You are now finished with the iPlanet administration server and may close the browser window.

  4. Turn off Caucus password features
    To complete the configuration process, you must turn off the Caucus features that normally handle userids and passwords, such as registering new userids or changing passwords.

    Log in (via telnet or ssh) to your Caucus host, using the unix userid and password for the id that owns the Caucus files.  Edit the file SWEB/swebd.conf, and look for the section that says:

       PW_Can_Add     on
       PW_Can_Change  on
       PW_Can_Delete  on
       PW_Can_Verify  on
    

    Change all of the "on"s to "off", and save the file.

    You will need to restart Caucus (if it is already running) for these changes to take effect.  (Fully privileged managers can stop Caucus from within the Caucus manager menu.)  See the instructions on Starting the Caucus daemon to restart Caucus.
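
    The swebd.conf edit in step 4 can also be scripted and then checked, so that a setting left "on" is caught before Caucus is restarted.  The script below is an added example, not part of the Caucus distribution; the function names and the .bak backup file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: turn off the four Caucus password features in swebd.conf
# and confirm the result.  Function names and the ".bak" suffix are
# illustrative assumptions, not part of Caucus.

# disable_pw_features FILE
# Rewrites "PW_Can_{Add,Change,Delete,Verify} on" to "... off".
# The original is kept as FILE.bak; FILE keeps its owner and permissions
# because it is overwritten in place rather than replaced.
disable_pw_features() {
    conf=$1
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1
    sed -E 's/^([[:space:]]*PW_Can_(Add|Change|Delete|Verify)[[:space:]]+)on([[:space:]]*)$/\1off\3/' \
        "$conf.bak" > "$conf"
}

# check_pw_features_off FILE
# Returns 0 only if each of the four settings is present and every
# occurrence is "off"; otherwise names the offending setting on stderr.
check_pw_features_off() {
    conf=$1
    rc=0
    for key in PW_Can_Add PW_Can_Change PW_Can_Delete PW_Can_Verify; do
        if ! awk -v k="$key" '
                $1 == k { seen = 1; if ($2 != "off") bad = 1 }
                END     { exit ((seen && !bad) ? 0 : 1) }' "$conf"; then
            echo "$key is missing or not set to off in $conf" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage: sh disable_pw.sh /home/caucus/SWEB/swebd.conf
if [ "$#" -eq 1 ]; then
    disable_pw_features "$1" &&
        check_pw_features_off "$1" &&
        echo "all four PW_Can_* settings are off"
fi
```

    Run it as the unix userid that owns the Caucus files, then restart Caucus as described above.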
