Building and Installing on Mac OS X

From cosign wiki


Overview

This page will guide you through building and installing Cosign on Mac OS X. For additional notes regarding an installation on Mac OS X Server, please see Leopard Server Install.

Building and Installing

Requirements

You will need to have the current Xcode Tools installed. Download them from Apple's developer site or the Mac App Store. These notes also assume you have Apache 1.x or Apache2 installed. Recent Mac OS X releases include Apache2.

NOTE: If you haven't installed Xcode previously, be sure to run Xcode so it installs its components, and agree to the license, before continuing. Also, if you want to install all the parts without doing a lot of extra work, you will need to manually download and install the Xcode command line tools from the Apple App Store. Once Xcode has been installed and run (to agree to the licensing), install the command line tools by running:

xcode-select --install

Get the Source

Download the latest release of Cosign from weblogin.org.

Configure the Build

In Terminal, decompress the archive and change to the Cosign source directory:

tar zxf cosign-VERSION.tar.gz
cd cosign-VERSION

If building for Apache 1.x, use --enable-apache1=/path/to/apxs. If building for Apache2, use --enable-apache2=/path/to/apxs2. If building for Mac OS X Server, you'll probably want to add --enable-universal-binaries, which will give you four-architecture (i386, x86_64, ppc, and ppc64) binaries of the daemon, CGIs, and the Apache filters.

./configure --enable-apache2=/usr/sbin/apxs --enable-universal-binaries --enable-krb --with-gss


NOTE: For Mac OS X 10.7 through 10.10, you cannot build universal binaries, so the command would be:

./configure --enable-apache2=/usr/sbin/apxs --enable-krb --with-gss


NOTE: For 10.11 and up, the OpenSSL headers are no longer part of Xcode, so you will need to install them manually first. One of the easier ways to do this is to install Homebrew from http://brew.sh. If you choose this method, run these commands AFTER you install Homebrew:

brew install openssl


to install OpenSSL, and then link to the headers by running:

cd /usr/local/include
ln -s ../opt/openssl/include/openssl .


Then you can run the ./configure command above.

Build the Apache Filter

If you are not running OS X Server, just run:

make


NOTE 1: For OS X Server: Xcode has an issue where a compiler path is missing. BEFORE running "make", you will need to do this:

cd /Applications/Xcode.app/Contents/Developer/Toolchains
sudo ln -s XcodeDefault.xctoolchain OSX<OSVERSION>.xctoolchain

Replace <OSVERSION> with your operating system version.

Example:

sudo ln -s XcodeDefault.xctoolchain OSX10.10.xctoolchain


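NOTE 2: For systems running Apache 2.4 (Mac OS X 10.10 and beyond), you must modify a file *BEFORE* running "make". Apache 2.4 renamed the remote_ip member of the connection record to client_ip, so the unmodified filter source does not compile against it.

1) In your "cosign-<version>" directory, go to filters/apache2 (not filters/apache!)

2) Edit mod_cosign.c to replace *TWO* instances of "remote_ip" with "client_ip". Before the edit, the two calls read: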

   cv = cosign_cookie_valid( cfg, cookie, &rekey, &si,
               r->connection->remote_ip, r->server );

and

   cv = cosign_cookie_valid( cfg, my_cookie, NULL, &si,
               r->connection->remote_ip, r->server );


NOTE 3: Running "make" at this point will generate a lot of "deprecated" warning messages on Mac OS X Server 10.7 and later. These can be ignored when installing cosign 3.2.0 (as of August 2012).
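
The NOTE 2 edit as a guarded script (an added example, not part of the Cosign distribution): it changes the file only when it finds exactly the two connection->remote_ip lines shown above, and keeps the original next to it. The function names and the .orig suffix are choices made for this example.

```shell
#!/bin/sh
# Added example: guarded remote_ip -> client_ip edit for building against Apache 2.4.
# Run from the cosign-<version> directory, or pass the path to mod_cosign.c.

# Number of lines in file $2 that contain pattern $1 (prints 0 when none match).
count_lines() { grep -c -- "$1" "$2" || true; }

patch_client_ip() {
    src=${1:-filters/apache2/mod_cosign.c}
    [ -f "$src" ] || { echo "not found: $src" >&2; return 1; }

    old=$(count_lines 'connection->remote_ip' "$src")
    new=$(count_lines 'connection->client_ip' "$src")

    # Safe to re-run: a file that already has both edits is left alone.
    if [ "$old" -eq 0 ] && [ "$new" -eq 2 ]; then
        echo "already patched: $src"
        return 0
    fi

    # Anything other than the two expected lines means the source differs
    # from what the note describes; stop rather than edit blindly.
    if [ "$old" -ne 2 ] || [ "$new" -ne 0 ]; then
        echo "refusing: expected 2 remote_ip lines, found $old (client_ip: $new)" >&2
        return 2
    fi

    cp -p "$src" "$src.orig" || return 1
    sed 's/connection->remote_ip/connection->client_ip/g' "$src.orig" > "$src" || return 1

    # Verify the result; restore the original if it is not what we expect.
    [ "$(count_lines 'connection->remote_ip' "$src")" -eq 0 ] &&
    [ "$(count_lines 'connection->client_ip' "$src")" -eq 2 ] || {
        cp -p "$src.orig" "$src"
        echo "verification failed, original restored: $src" >&2
        return 1
    }
    echo "patched: $src (original kept as $src.orig)"
}
```

After sourcing the file, call patch_client_ip with no arguments from the cosign-<version> directory, then compare mod_cosign.c against mod_cosign.c.orig with diff before running "make".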

Build All Weblogin Components (Optional)

If you intend to set up a weblogin environment, you'll need to build the daemon and CGIs:

sudo make everything

Install

sudo make install

or

sudo make install-all


if you're setting up a central weblogin server.

NOTE: On Mac OS X 10.11 and greater, "make install" will appear to fail. This is because mod_cosign.so cannot be written directly to /usr/libexec/apache2 while System Integrity Protection is enabled. (If you have it disabled, which is not recommended, then this command will work.)

However, mod_cosign.so is compiled and should be in this location:

cosign-<VERSION>/filters/apache2/.libs

and can be manually moved to a directory that is writable (such as /opt/local or /usr/local).

Create Support Directories

The cosign filter, mod_cosign, by default stores service cookies in /var/cosign/filter. You can override the location of the service cookie directory using the CosignFilterDB directive, but the default location is fine for most uses. The directory must exist, and the Apache user, www, must be the owner of the directory:

 sudo mkdir -p -m 0750 /var/cosign/filter
 sudo chown www:www /var/cosign/filter
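
A check for the directory created above, added here and not part of Cosign: it confirms that the service cookie directory is a real directory owned by the Apache user with no access for other users, and that its parent is not group- or world-writable, since mkdir -p applies -m only to the last path component. The function names are made up for this example; the defaults are the path and user given on this page.

```shell
#!/bin/sh
# Added example: audit the Cosign service cookie directory.
# Uses ls -ld rather than stat, whose flags differ between macOS and Linux.

perm_of()  { ls -ld "$1" | awk '{print $1}'; }   # e.g. drwxr-x---
owner_of() { ls -ld "$1" | awk '{print $3}'; }

check_cookie_dir() {
    dir=${1:-/var/cosign/filter}
    owner=${2:-www}
    rc=0

    # -d follows symlinks, so rule out a link before trusting the path.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "FAIL: $dir is missing or is not a real directory"
        return 1
    fi

    [ "$(owner_of "$dir")" = "$owner" ] ||
        { echo "FAIL: $dir is owned by $(owner_of "$dir"), expected $owner"; rc=1; }

    # Mode 0750 leaves the last permission triplet empty; a trailing @ or + is fine.
    case $(perm_of "$dir") in
        d??????---*) ;;
        *) echo "FAIL: $dir mode $(perm_of "$dir") grants access to other users"; rc=1 ;;
    esac

    # A group- or world-writable parent lets another account rename or
    # replace the cookie directory, whatever the directory's own mode is.
    parent=$(dirname "$dir")
    case $(perm_of "$parent") in
        d????-??-*) ;;
        *) echo "FAIL: $parent mode $(perm_of "$parent") is group- or world-writable"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: $dir"
    return "$rc"
}
```

Call check_cookie_dir with no arguments to test the default location, or pass the CosignFilterDB path and the Apache user if you changed either.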

Next Steps

At this point, you should have all the pieces in place. For instructions on configuring Cosign with Apache, please see these instructions. The Leopard Server Install, Lion Server Install, and Mountain Lion Server install notes (now updated for Yosemite and El Capitan server!), although focused on the University of Michigan's environment, should help get you up and running on Mac OS X Server. This page describes setting up a complete weblogin environment.

Questions and discussion are always welcomed on the cosign-discuss mailing list.
