FreeBSD 用 Web Policy Agents は提供されていませんが、ソースコードは公開されていますので、ソースコードから認証モジュールを構築して動かします。
gcc は 4.4 以上が必要です。
# pkg install gcc48
# pkg install gmake
# pkg install nss
# pkg install libxml2
登録済のユーザIDとパスワードを使って、ソースコードを入手します。
% svn checkout https://svn.forgerock.org/openam/tags/Agents-3.3.4
--- arch/components.mk.orig 2016-10-16 00:29:24.120631000 +0900 +++ arch/components.mk 2016-10-16 06:57:54.457608000 +0900 @@ -83,8 +83,8 @@ ########################################## # Apache 2.4 defines ########################################## -APACHE24_DIR = $(EXTERNAL_DIR)/apache24 -APACHE24_INC_DIR = $(APACHE24_DIR)/include +APACHE24_DIR = /usr/local +APACHE24_INC_DIR = $(APACHE24_DIR)/include/apache24 APACHE24_LIB_DIR = $(APACHE24_DIR)/lib ###################################################### @@ -115,7 +115,7 @@ ########################################## # LIBXML defines ########################################## -LIBXML_DIR := $(EXTERNAL_DIR)/libxml2 +LIBXML_DIR := /usr/local ifeq ($(BUILD_TYPE), 64) LIBXML_DIR := $(EXTERNAL_DIR)/libxml2_64 endif @@ -135,7 +135,7 @@ LIBXML_LIBS := -llibxml2 endif else -LIBXML_LIBS := -lxml2 +LIBXML_LIBS := -lxml2 -liconv endif endif @@ -143,11 +143,12 @@ # PCRE defines ########################################## -PCRE_DIR := $(EXTERNAL_DIR)/pcre +PCRE_DIR := /usr/local +PCRE_LIBS := -lpcre ifeq ($(BUILD_TYPE), 64) PCRE_DIR := $(EXTERNAL_DIR)/pcre_64 endif -PCRE_INC_DIR := $(PCRE_DIR)/include +PCRE_INC_DIR := $(PCRE_DIR)/include/pcre PCRE_LIB_DIR := $(PCRE_DIR)/lib ifndef PCRE_LIBS PCRE_LIBS := $(PCRE_LIB_DIR)/libpcre.a @@ -157,7 +158,7 @@ # NSPR defines ########################################## -NSPR_DIR := $(EXTERNAL_DIR)/nspr +NSPR_DIR := /usr/local ifeq ($(BUILD_TYPE), 64) NSPR_DIR := $(EXTERNAL_DIR)/nspr_64 endif @@ -166,7 +167,7 @@ NSPR_DIR := $(EXTERNAL_DIR)/nspr_64 endif endif -NSPR_INC_DIR := $(NSPR_DIR)/include +NSPR_INC_DIR := $(NSPR_DIR)/include/nspr NSPR_LIB_DIR := $(NSPR_DIR)/lib ifndef NSPR_LIBS @@ -185,7 +186,7 @@ # NSS defines ########################################## -NSS_DIR := $(EXTERNAL_DIR)/nss +NSS_DIR := /usr/local ifeq ($(BUILD_TYPE), 64) NSS_DIR := $(EXTERNAL_DIR)/nss_64 endif 
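Review bot: In the @@ -115 hunk the new `LIBXML_DIR := /usr/local` is overwritten by the unchanged `ifeq ($(BUILD_TYPE), 64)` / `LIBXML_DIR := $(EXTERNAL_DIR)/libxml2_64` block that immediately follows it, so whenever BUILD_TYPE is 64 (set outside this file; likely the case on amd64) the FreeBSD path never takes effect. The @@ -143 (PCRE_DIR), @@ -157 (NSPR_DIR) and @@ -185 (NSS_DIR) hunks have the same shape, and the nested NSPR conditional visible in @@ -166 makes it easy to miss. Moving each FreeBSD assignment below the matching `endif`, or wrapping the `_64` override in `ifneq ($(OS_ARCH), FreeBSD)`, keeps the 64-bit branch for the other platforms while letting `/usr/local` win here.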
@@ -195,8 +196,8 @@ endif endif NSS_BIN_DIR := $(NSS_DIR)/bin -NSS_INC_DIR := $(NSS_DIR)/include -NSS_LIB_DIR := $(NSS_DIR)/lib +NSS_INC_DIR := $(NSS_DIR)/include/nss/nss +NSS_LIB_DIR := $(NSS_DIR)/lib/nss ifeq ($(OS_ARCH), WINNT) ifdef OS_IS_CYGWIN --- /dev/null 2016-10-16 22:55:00.000000000 +0900 +++ arch/defines_FreeBSD.mk 2016-10-16 22:31:34.606752000 +0900 
@@ -0,0 +1,116 @@
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: openam-agent.shtml,v 1.2 2016/11/02 22:32:36 hiraga Exp hiraga $
+#
+#
+
+# "Portions Copyrighted [2010] [ForgeRock AS]"
+
+#
+# This makefile defines a number of standard OS-dependent symbols
+# used in by the makefiles that build the Agent Pack.
+#
+
+PATH_SEP := :
+
+ECHO := echo -e
+NM := nm
+RMDIR := rmdir -p --ignore-fail-on-non-empty
+
+#
+# C/C++ Compiler related symbols
+#
+COMPILERS_DIR :=
+GCC_WARNING_FLAGS := -Wall -Wshadow -gdwarf-2
+CC := gcc
+CXX := g++
+GCC_33 := $(shell $(CC) -v 2>&1 | grep version | /usr/bin/awk '{print $$3}')
+
+CFLAGS += -DFREEBSD -pthread $(GCC_WARNING_FLAGS) -fexceptions
+CXXFLAGS += -DFREEBSD -pthread $(GCC_WARNING_FLAGS) -Woverloaded-virtual -fexceptions
+CXX_STD_LIBS := -lstdc++
+LDFLAGS += -pthread -lrt
+LD_ORIGIN_FLAG := -Xlinker '-R$$ORIGIN'
+LD_COMMON_ORIGIN_FLAG := -Xlinker '-R$$ORIGIN/../../lib'
+# NOTE: '-z defs' should probably be added to the following definition.
+LD_FILTER_SYMS_FLAG = -Xlinker --version-script -Xlinker $(filter %.mapfile, $^)
+LD_MAKE_SHARED_LIB_FLAG := -fPIC -shared -rdynamic
+LD_SHARED_FLAG := -Wl,-Bdynamic
+LD_STATIC_FLAG := -Wl,-Bstatic
+LD_VERSION_LIB_FLAG = -Xlinker -h$@
+PIC_FLAG := -fPIC
+
+INSTALL_DIR := opt/agents
+RPM_DIR := $(DEST_PACKAGE_SCRATCH_DIR)/RPMS/$(MC_ARCH)
+BUILDROOT := /tmp/$(USER)/agent-buildroot
+BUILDROOT_LIB_DIR := $(BUILDROOT)/$(INSTALL_DIR)/lib
+BUILDROOT_CONF_DIR := $(BUILDROOT)/$(INSTALL_DIR)/config
+BUILDROOT_BIN_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/bin
+BUILDROOT_INC_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/include
+BUILDROOT_SAMPLES_DIR:= $(BUILDROOT)/$(INSTALL_DIR)/samples
+BUILDROOT_RPM_DIR:= $(BUILDROOT)/RPMS/$(MC_ARCH)
+
+
+BUILD_DEBUG := full
+
+
+#
+# Give DEBUG_FLAGS a default setting based on the build type
+#
+ifeq ($(BUILD_DEBUG), full)
+ DEBUG_FLAGS := -g3 -DDEBUG -fno-inline -O0 -Wall
+endif
+ifeq ($(BUILD_DEBUG), optimize)
+ DEBUG_FLAGS := -O2 -DNDEBUG
+endif
+ifndef DEBUG_FLAGS
+ DEBUG_FLAGS := -g -O1 -DDEBUG
+endif
+
+SHELL_EXEC_EXTENSION :=
+
+LN_s := ln -s
+
+ifeq ($(BUILD_TYPE), 64)
+CFLAGS += -fPIC
+CXXFLAGS += -m64
+endif
+
+ifeq ($(BUILD_TYPE), 32)
+CFLAGS += -fPIC -m32
+CXXFLAGS += -m32
+endif
+
+
+#
+# the following is the name of the tar ball for dsame drop,.
+#
+DSAME_DROP_FILE_NAME := common_3_0_$(OS_ARCH)_$(MC_ARCH)
+
+MAKE_STATIC_LIB = $(AR) $(ARFLAGS) $@ $(filter %.o, $^)
--- /dev/null 2016-10-16 22:55:00.000000000 +0900
+++ arch/rules_FreeBSD.mk 2016-10-16 00:33:20.379170000 +0900
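Review bot: `RMDIR := rmdir -p --ignore-fail-on-non-empty` uses a GNU coreutils option that FreeBSD's rmdir(1) (which accepts only -p and -v) rejects, so any recipe that expands $(RMDIR) will fail with an illegal-option error unless a GNU rmdir is first in PATH; `RMDIR := rmdir -p` is the portable spelling, with a `-` prefix on the recipe line if non-empty directories must be tolerated. `CC := gcc` and `CXX := g++` also assume unversioned names, but the gcc48 package installed earlier on this page ships the compiler as gcc48/g++48 as far as I recall (the bare names come from the lang/gcc metaport), so `CC ?= gcc48` / `CXX ?= g++48` would match the stated prerequisite and still honour an environment override. `BUILDROOT := /tmp/$(USER)/agent-buildroot` is a fixed, predictable path in a world-writable directory that the packaging step presumably populates and later removes; a directory under the build tree, or one created with `mktemp -d`, avoids another local user pre-creating or symlinking that path and also avoids `/tmp//agent-buildroot` when USER is empty. Finally, `BUILD_DEBUG := full` hard-wires `-g3 -DDEBUG -fno-inline -O0` into every build of what is ultimately a production httpd module; `BUILD_DEBUG ?= optimize` would make the debug build opt-in.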
@@ -0,0 +1,62 @@
+#
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
+#
+# Copyright (c) 2006 Sun Microsystems Inc. All Rights Reserved
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+#
+# The contents of this file are subject to the terms
+# of the Common Development and Distribution License
+# (the License). You may not use this file except in
+# compliance with the License.
+#
+# You can obtain a copy of the License at
+# https://opensso.dev.java.net/public/CDDLv1.0.html or
+# opensso/legal/CDDLv1.0.txt
+# See the License for the specific language governing
+# permission and limitations under the License.
+#
+# When distributing Covered Code, include this CDDL
+# Header Notice in each file and include the License file
+# at opensso/legal/CDDLv1.0.txt.
+# If applicable, add the following below the CDDL Header,
+# with the fields enclosed by brackets [] replaced by
+# your own identifying information:
+# "Portions Copyrighted [year] [name of copyright owner]"
+#
+# $Id: openam-agent.shtml,v 1.2 2016/11/02 22:32:36 hiraga Exp hiraga $
+#
+#
+
+#
+# This makefile defines the Solaris-specific rules needed to build
+# the Agent Pack.
+#
+
+%.cpp %.cxx %.d:
+
+%.o: %.cpp
+ $(COMPILE.cc) $< $(OUTPUT_OPTION)
+
+%.o: %.cxx
+ $(COMPILE.cc) $< $(OUTPUT_OPTION)
+
+%.d: %.c
+ set -e; $(filter-out -g3,$(COMPILE.c)) -MM $< \
+ | sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+%.d: %.cpp
+ set -e; $(filter-out -g3,$(COMPILE.cc)) -MM $< \
+ | sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+%.d: %.cxx
+ set -e; $(filter-out -g3,$(COMPILE.cc)) -MM $< \
+ | sed 's;\($*\.o\)[ :]*;\1 $@ : ;' > $@; [ -s $@ ] || $(RM) $@
+
+#
+# Clean up OS/compiler specific junk.
+#
+clean_objs:
+ $(RM) $(OBJS) $(DEPENDS)
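Review bot: The header comment of the new arch/rules_FreeBSD.mk still reads `# This makefile defines the Solaris-specific rules needed to build`; it should say `# This makefile defines the FreeBSD-specific rules needed to build`, otherwise the next reader assumes the file was copied in by mistake. `clean_objs` is a command target rather than a file and nothing in this file declares it phony; unless a shared makefile already does, add `.PHONY: clean_objs` so a stray file of that name cannot make the target look up to date. The recipe lines appear here with their leading tab collapsed to a space by the page layout; in the real file they must start with a hard tab or make reports a missing separator.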
--- ./agents/source/apache24/Makefile.orig 2016-10-16 00:29:10.152122000 +0900 +++ ./agents/source/apache24/Makefile 2016-10-16 17:33:33.843027000 +0900 @@ -38,7 +38,7 @@ APACHE24_LIB := $(APACHE24_LIB_NAME)$(SO_EXT) -APACHE24_INCLUDE_FLAGS := -I$(DEST_INC_DIR) -I../common +APACHE24_INCLUDE_FLAGS := -I$(DEST_INC_DIR) -I../common -I$(USERX_ROOT)/am/source -I/usr/local/include/apr-1 ifeq ($(OS_ARCH), Linux) ifeq ($(OS_ARCH_VER), 2.2.20-compact) @@ -49,6 +49,10 @@ APACHE24_CFLAGS += -DAPACHE2 -DAPACHE24 -DEAPI -DMOD_PERL -DUSE_EXPAT -DXP_UNIX $(PIC_FLAG) -DCORE_PRIVATE $(APACHE24_INCLUDE_FLAGS) -I$(APACHE24_INC_DIR) +ifeq ($(OS_ARCH), FreeBSD) +APACHE24_CFLAGS += -D_LARGEFILE64_SOURCE +endif + ifeq ($(OS_ARCH), Linux) APACHE24_CFLAGS += -D_LARGEFILE64_SOURCE endif @@ -66,6 +70,9 @@ ifeq ($(OS_ARCH), SunOS) SYSTEM_LIBS := -lc +endif +ifeq ($(OS_ARCH), FreeBSD) +SYSTEM_LIBS := -lpthread -lc -lm else SYSTEM_LIBS := -lpthread -ldl -lc -lm endif --- ./agents/source/Makefile.orig 2016-10-16 00:29:11.430484000 +0900 +++ ./agents/source/Makefile 2016-10-16 19:54:15.152513000 +0900 @@ -86,6 +86,10 @@ SUBDIRS += $(BUILD_AGENT) endif +ifeq ($(OS_ARCH), FreeBSD) +SUBDIRS += apache24 +endif + all: all_subdirs clean: clean_subdirs
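Review bot: The `SYSTEM_LIBS` hunk (@@ -66) in agents/source/apache24/Makefile breaks the SunOS case: the added `endif` closes the SunOS block, so its `SYSTEM_LIBS := -lc` is then overwritten by the `else` branch of the new FreeBSD test, leaving SunOS with `-lpthread -ldl -lc -lm`. Keep one chain instead, `ifeq ($(OS_ARCH), SunOS)` … `else ifeq ($(OS_ARCH), FreeBSD)` / `SYSTEM_LIBS := -lpthread -lc -lm` / `else` … `endif`, which GNU make 3.81+ accepts. In the @@ -38 hunk the new `-I/usr/local/include/apr-1` hard-codes the apr include path next to the `-I$(APACHE24_INC_DIR)` that components.mk already derives from `APACHE24_DIR`; `-I$(APACHE24_DIR)/include/apr-1`, or `$(shell apr-1-config --includes)` assigned with `:=`, keeps the two in step. The unconditional `SUBDIRS += apache24` added to agents/source/Makefile bypasses the `$(BUILD_AGENT)` selection visible just above it; that looks intentional for this port, but it means a FreeBSD build always descends into apache24 whatever agent was requested, so a one-line comment saying so would help.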
--- ./am/source/xml_utilities.h.orig 2016-10-16 00:29:17.067982000 +0900 +++ ./am/source/xml_utilities.h 2016-10-16 06:13:56.594916000 +0900 @@ -35,7 +35,7 @@ #include <string> -#if defined(SOLARIS) || defined(LINUX) +#if defined(SOLARIS) || defined(LINUX) || defined(FREEBSD) #include <strings.h> #elif (defined(WINNT) || defined(_AMD64_)) #endif @@ -46,7 +46,7 @@ inline bool matchesXMLString(const std::string& str1, const xmlChar *str2) { -#if defined(SOLARIS) || defined(LINUX) || defined(HPUX) || defined(AIX) +#if defined(SOLARIS) || defined(LINUX) || defined(HPUX) || defined(AIX) || defined(FREEBSD) return (0 == strcasecmp(str1.c_str(), reinterpret_cast<const char *>(str2))); #elif (defined(WINNT) || defined(_AMD64_)) --- ./am/source/am_types.h.orig 2016-10-16 00:29:17.061495000 +0900 +++ ./am/source/am_types.h 2016-10-16 05:37:47.826649000 +0900 @@ -63,7 +63,7 @@ AM_BEGIN_EXTERN_C -#if defined(WINNT) || defined(_AMD64_) || defined(LINUX) || defined(HPUX) +#if defined(WINNT) || defined(_AMD64_) || defined(LINUX) || defined(HPUX) || defined(FREEBSD) #include <sys/stat.h> /* for time_t */ typedef enum { B_FALSE, --- ./am/source/am_web.cpp.orig 2016-10-16 00:29:17.453856000 +0900 +++ ./am/source/am_web.cpp 2016-10-16 06:20:56.827193000 +0900 @@ -422,7 +422,7 @@ #else void mbyte_to_wchar(const char * orig_str,char *dest_str,int dest_len) { -#if defined(LINUX) || defined(HPUX) || defined(AIX) +#if defined(LINUX) || defined(HPUX) || defined(AIX) || defined(FREEBSD) char *origstr = const_cast<char *>(orig_str); #else const char *origstr = orig_str; 
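Review bot: Each hunk here extends a hand-maintained OS list such as `defined(SOLARIS) || defined(LINUX) || defined(HPUX) || defined(AIX) || defined(FREEBSD)`, and the lists already differ between the two conditionals in xml_utilities.h, the one in am_types.h and the one in am_web.cpp, so the next platform will almost certainly miss one. What these conditionals really mean is "not Windows"; testing `!defined(WINNT) && !defined(_AMD64_)`, or a single feature macro defined once in am_types.h, would express that and make a port a one-line change. In the am_web.cpp hunk (@@ -422) FreeBSD now takes the `char *origstr = const_cast<char *>(orig_str);` branch, which matches the libc iconv(3) prototype taking `char **`; since components.mk now also links `-liconv`, it is worth confirming which iconv.h the include path resolves to, because GNU libiconv's header may declare a const-qualified parameter instead. mbyte_to_wchar continues past the end of this hunk.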
@@ -452,7 +452,7 @@ /* Perform iconv conversion */ Log::log(boot_info.log_module, Log::LOG_MAX_DEBUG, "i18n b4 convlen = %d size = %d", len, size); -#if defined(LINUX_64) || defined(LINUX) +#if defined(LINUX_64) || defined(LINUX) || defined(FREEBSD) int ret = iconv(encoder, &origstr, (size_t*)&len, &dest_str, (size_t*)&size); #else int ret = iconv(encoder, &origstr, &len, &dest_str, &size); --- ./am/source/thread_pool.cpp.orig 2016-10-16 00:29:17.069942000 +0900 +++ ./am/source/thread_pool.cpp 2016-10-16 06:22:29.818029000 +0900 @@ -245,7 +245,7 @@ "ThreadPool::~ThreadPool(): ThreadPool destroyed."); } -#if defined(HPUX) || defined(LINUX) +#if defined(HPUX) || defined(LINUX) || defined(FREEBSD) void spin(void *args) { #else --- ./am/source/hash_table.h.orig 2016-10-16 00:29:17.462753000 +0900 +++ ./am/source/hash_table.h 2016-10-16 06:23:17.353717000 +0900 @@ -347,7 +347,7 @@ const EntryType &entry = buckets[bucketNumber].find(key); if (entry && entry->getExpirationTime() < PR_Now()) { - #if defined(LINUX) + #if defined(LINUX) || defined(FREEBSD) return (typename HashTable<Element>::EntryType)NULL; #else return (HashTable<Element>::EntryType)NULL;
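Review bot: The FreeBSD build now takes the `(size_t*)&len` / `(size_t*)&size` form of the iconv() call in the @@ -452 hunk of am_web.cpp. If `len` and `size` are `int`, as the `%d` conversions in the Log::log call two lines above suggest (their declarations are outside the hunk), this casts away the type: on an LP64 target such as FreeBSD amd64 iconv reads and writes 8 bytes of remaining-count through a pointer to a 4-byte object, clobbering whatever the compiler placed next to it, and the existing LINUX_64 branch carries the same latent bug. Use properly typed temporaries instead of casts: declare `size_t in_left = len, out_left = size;` before the call, write `int ret = iconv(encoder, &origstr, &in_left, &dest_str, &out_left);`, and copy `in_left`/`out_left` back into `len`/`size` afterwards, which also lets the `#if defined(LINUX_64) || …` split disappear. mbyte_to_wchar begins before this hunk and continues after it.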
パッケージ作成でエラーになりますが、気にせずにモジュールのみ構築します。
% cd Agents-3.3.4/opensso/products/webagents
% gmake
% cd Agents-3.3.4/opensso/products/webagents/agents/source
% gmake
# cp Agents-3.3.4/opensso/products/webagents/agents/source/apache24/libamapc24.so /usr/local/libexec/apache24
# mkdir /compat/linux/etc/httpd
# mkdir /compat/linux/etc/httpd/conf
# touch /compat/linux/etc/httpd/conf/httpd.conf
ForgeRock の OpenAM プロジェクトページから、Apache 2.4 for Linux 用 Web Policy Agents パッケージ Apache-v2.4-Linux-32-Agent-3.3.4.zip をダウンロードします。
FreeBSD 11 以降であれば 64 bit 版 Apache-v2.4-Linux-64-Agent-3.3.4.zip でもいいでしょう。
なお、ダウンロードには OpenAM のダウンロードと同じくユーザ登録(無料)が必要です。
入手したパッケージを展開して実行します。
# echo password > /tmp/pw.txt # chmod 600 /tmp/pw.txt # cd /compat/linux/opt # unzip Apache-v2.4-Linux-32-Agent-3.3.4.zip # service apache24 stop # web_agents/apache24_agent/bin/agentadmin --install Please read the following License Agreement carefully: [Press <Enter> to continue...] or [Enter n To Finish] n Do you completely agree with all the terms and conditions of this License Agreement (yes/no): [no]: yes ************************************************************************ Welcome to the OpenAM Policy Agent for Apache Server. ************************************************************************ Enter the complete path to the directory which is used by Apache Server to store its configuration Files. This directory uniquely identifies the Apache Server instance that is secured by this Agent. [ ? : Help, ! : Exit ] Enter the Apache Server Config Directory Path [/opt/apache24/conf]: /compat/linux/etc/httpd/conf Enter the URL where the OpenAM server is running. Please include the deployment URI also as shown below: (http://openam.sample.com:58080/openam) [ ? : Help, < : Back, ! : Exit ] OpenAM server URL: https://openam.next-hop.net:8443/openam Enter the Agent URL as shown below: (http://agent1.sample.com:1234) [ ? : Help, < : Back, ! : Exit ] Agent URL: http://www.next-hop.net:80 Enter the Agent profile name [ ? : Help, < : Back, ! : Exit ] Enter the Agent Profile name: ApacheAgent Enter the path to a file that contains the password to be used for identifying the Agent. [ ? : Help, < : Back, ! : Exit ] Enter the path to the password file: /tmp/pw.txt WARNING: Password validation cannot be done as OpenAM server is not running. 
----------------------------------------------- SUMMARY OF YOUR RESPONSES ----------------------------------------------- Apache Server Config Directory : /compat/linux/etc/httpd/conf OpenAM server URL : https://openam.next-hop.net:8443/openam Agent URL : http://www.next-hop.net:80 Agent Profile name : ApacheAgent Agent Profile Password file name : /tmp/pw.txt Verify your settings above and decide from the choices below. 1. Continue with Installation 2. Back to the last interaction 3. Start Over 4. Exit Please make your selection [1]: 1 Creating directory layout and configuring Agent file for Agent_001 instance ...DONE. Reading data from file /tmp/pw.txt and encrypting it ...DONE. Generating audit log file name ...DONE. Creating tag swapped OpenSSOAgentBootstrap.properties file for instance Agent_001 ...DONE. Creating a backup for file /compat/linux/etc/httpd/conf/httpd.conf ...DONE. Adding Agent parameters to /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/dsame.conf file ...DONE. Adding Agent parameters to /compat/linux/etc/httpd/conf/httpd.conf file ...DONE. SUMMARY OF AGENT INSTALLATION ----------------------------- Agent instance name: Agent_001 Agent Bootstrap file location: /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentBootstrap.properties Agent Configuration Tag file location /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentConfiguration.properties Agent Audit directory location: /compat/linux/opt/web_agents/apache24_agent/Agent_001/logs/audit Agent Debug directory location: /compat/linux/opt/web_agents/apache24_agent/Agent_001/logs/debug Install log file location: /compat/linux/opt/web_agents/apache24_agent/installer-logs/audit/install.log Thank you for using OpenAM Policy Agent
# rm /tmp/pw.txt
まず新しくポリシーを設定します。
Name | Authenticated users can get Apache HTTP home page |
Description | This policy lets users who have authenticated to OpenAM access the Apache home page. |
Resource Type | URL |
Resources | *://*:*/* |
続いてエージェントを追加します。
適用されない URL の反転を有効にし、認証が適用される URL を列挙します。
# httpd.conf fragment for the OpenAM web policy agent: load the module built
# above (installed into libexec/apache24 under ServerRoot) and point it at the
# Agent_001 configuration and bootstrap files that agentadmin generated
# (paths as printed in the install summary above).
LoadModule dsame_module libexec/apache24/libamapc24.so
Agent_Config_File /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentConfiguration.properties
Agent_Bootstrap_File /compat/linux/opt/web_agents/apache24_agent/Agent_001/config/OpenSSOAgentBootstrap.properties
httpd を再起動します。
# service apache24 restart
httpd が起動したら認証エージェントが読み込まれているか HTTP ヘッダを確認します。
Server: Apache/2.4.23 (FreeBSD) OpenAM WPA/3.3.4 OpenSSL/1.0.1s-freebsd