Adding Centrify for Apache software to the Apache server

In this section you add the load instructions for the Centrify for Apache authentication module and the sample application directives. The sample configuration files load the authentication modules for both Active Directory and Active Directory Federation Services. Load both modules for testing purposes only. After you finish testing with the sample applications, configure the load instructions for your environment.

To load the Centrify for Apache authentication modules:

  1. Verify that the Apache server supports dynamically loaded objects.

    You can perform this check by running either the ./httpd -l or the ./apache2 -l command, depending upon your platform, and verifying that mod_so.c has been compiled into the Web server.

    If the server supports dynamically loaded objects, you should see mod_so.c in the list of compiled-in modules.

    If you are building a new server, specify --enable-module=so on the command line before doing the make and make install of your Apache service. For example, your configure command might look like this:

    ./configure --enable-module=so

    Note that the default Apache source code build does not support dynamically loaded objects. For detailed information about building Apache servers, see the appropriate Apache documentation.

  2. Edit the Apache server configuration file httpd.conf or apache2.conf—depending upon your platform—to include the Centrify for Apache authentication module and sample applications directives.

    The simplest way to load the files is to use the Include directive and specify the location of the Centrify for Apache sample configuration file; for example,

    include /usr/share/centrifydc/apache/samples/conf/centrifyxx.conf

    where xx is the Apache version.

    For example:

    • For Apache 2.2 on a 32-bit system:

      Include /usr/share/centrifydc/apache/samples/conf/

    • For the Apache 2.4 64-bit version:

      Include /usr/share/centrifydc/apache/samples/conf/

    The configuration script loads both of the authentication modules (mod_auth_centrifydc_... and mod_adfs_centrifydc...) and the centrify.conf (or centrify-new.conf for Apache 2.4) file. Alternatively, you can use the LoadModule and Include directives to load the files individually. For example:

    • Add the following line to load the authentication module for Apache 2.2 on a Solaris SPARC-based system.

      LoadModule centrifydc_auth_module /usr/share/centrifydc/apache/lib/sparcv9/

    • Add the following line to load the AD FS authentication module for Apache 2.4 on a 64-bit Linux-based system.

      LoadModule centrifydc_adfs_module /usr/share/centrifydc/apache/lib64/

    Next, add the following line for the sample application directives:

    • For Apache 2.0 and 2.2:

      Include /usr/share/centrifydc/apache/samples/conf/centrify.conf

    • For Apache 2.4:

      Include /usr/share/centrifydc/apache/samples/conf/centrify-new.conf

  3. Optional: Use the following instructions to enable Secure Sockets Layer (SSL) support for the Apache server. SSL is required if you are using AD FS but optional if you are using Active Directory (use it if you want to encrypt the user’s credentials when using BASIC authentication).

    Configuring the Apache server to use SSL varies depending on the version of Apache. For example, on Apache 2.0, you start SSL using the apachectl startssl command; however, in Apache 2.2, you configure SSL using directives in the main server configuration file. (See Modifying Apache directives for authentication for more about the directives.)

    • For Apache 2.0, which includes the mod_ssl module, you must enable SSL support; for example, your configure command might look like this:

      ./configure --enable-ssl

      You can start the Apache 2.0 server with SSL by running the apachectl startssl command.

    • For Apache 2.x, you can enable and configure SSL settings using directives in the main Apache server configuration file, httpd.conf (or apache2.conf on some platforms). Once configured, you can start the Apache server with SSL by running the standard apachectl start command.

    You can verify whether you have configured support for SSL by opening a browser and trying to access the default web page using https://localhost/ or https://servername/. You should always perform this test if you intend to use the authentication service with Active Directory Federation Services.

    Note:   In an evaluation or lab environment, you can use a local self-signed certificate for testing purposes. In a production environment, however, you should ensure that the security certificates you accept provide an appropriate level of protection.

  4. Restart the Apache server to load the new module. For example, if you have installed Apache in the /usr/local/apache2 directory:

    /usr/local/apache2/bin/apachectl restart

This concludes the installation of the Centrify for Apache authentication module and sample application.
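
The checks from steps 1 to 3 can be scripted before the restart. The following is an added example, not part of the Centrify documentation: it reads httpd -l output and a server configuration file and reports whether mod_so.c is compiled in, whether the test-only sample Include is still active, and whether the AD FS module is loaded without SSL. The function names, the sample files and MODULE_FILE_PLACEHOLDER are constructed for illustration, and SSLEngine is the standard mod_ssl directive, which this page does not name.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; sample inputs are constructed.

# Step 1: succeed if `httpd -l` / `apache2 -l` output on stdin lists mod_so.c.
has_mod_so() { grep -Eq '^[[:space:]]*mod_so\.c[[:space:]]*$'; }

# Step 2: print uncommented Include/LoadModule lines in config file $1 that
# point into the Centrify for Apache install tree.
centrify_lines() {
    grep -Ei '^[[:space:]]*(Include|LoadModule)[[:space:]].*/usr/share/centrifydc/apache/' "$1"
}

# Succeed if $1 still includes the test-only sample configuration directory.
uses_sample_conf() {
    centrify_lines "$1" | grep -Eiq '^[[:space:]]*Include[[:space:]].*/samples/conf/'
}

# Step 3: succeed if $1 loads the AD FS module but never sets "SSLEngine on"
# (SSLEngine is the mod_ssl directive; the page itself does not name it).
adfs_without_ssl() {
    centrify_lines "$1" | grep -q 'centrifydc_adfs_module' || return 1
    ! grep -Eiq '^[[:space:]]*SSLEngine[[:space:]]+on' "$1"
}

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT

# Constructed `httpd -l` output.
printf 'Compiled in modules:\n  core.c\n  mod_so.c\n  http_core.c\n' > "$tmp/modules.txt"

# Constructed lab config: one commented-out and one active sample Include.
cat > "$tmp/lab.conf" <<'EOF'
# Include /usr/share/centrifydc/apache/samples/conf/centrify.conf
Include /usr/share/centrifydc/apache/samples/conf/centrify-new.conf
EOF

# Constructed config loading the AD FS module with no SSL directives.
# MODULE_FILE_PLACEHOLDER stands in for the file name the page elides.
cat > "$tmp/adfs.conf" <<'EOF'
LoadModule centrifydc_adfs_module /usr/share/centrifydc/apache/lib64/MODULE_FILE_PLACEHOLDER
EOF

if has_mod_so < "$tmp/modules.txt"; then echo "mod_so.c: compiled in"; fi
for f in "$tmp/lab.conf" "$tmp/adfs.conf"; do
    if uses_sample_conf "$f"; then echo "${f##*/}: sample Include still active"; fi
    if adfs_without_ssl "$f"; then echo "${f##*/}: AD FS module loaded, SSLEngine on missing"; fi
done
```

The checks read only the file passed in and do not follow Include directives, so run them against each configuration file the server loads.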

The sample configuration file centrify.conf you loaded includes the directives you need to run the Active Directory and AD FS sample applications. You can run the sample applications that use Active Directory right away; see the instructions in Testing authentication using the sample applications, which follow immediately below.

However, you cannot run the sample applications that use AD FS for authentication. If you are using AD FS for authentication, run the Active Directory sample applications now and then proceed to the Active Directory Federation Services Configuration Guide for the next round of instructions.

Centrify for Apache includes extensions to the standard Apache directives that appear in the Apache httpd.conf (or apache2.conf on some platforms) and .htaccess files. (The centrify.conf file demonstrates the use of some of these directives.) In addition, Centrify for Apache uses environment variables or HTTP header names to set values for authenticated user information. See Configuring the Apache server for authentication for descriptions of the directives and the variables and headers used.