Building and Installing on Mac OS X
From cosign wiki
Contents |
Overview
This page will guide you through building and installing Cosign on Mac OS X. For additional notes regarding an installation on Mac OS X Server, please see Leopard Server Install.
Building and Installing
Requirements
You will need to have the current Xcode Tools installed. Download them from Apple's developer site or the Mac App Store. These notes also assume you have Apache 1.x or Apache2 installed. Recent Mac OS X releases include Apache2.
NOTE: if you haven't installed Xcode previously, be sure to run Xcode so it installs the components and agree to the license before continuing. Also, if you want to install all the parts without doing a lot of extra work, you will need to manually download and install the xCode command line tools from the Apple AppStore. Once Xcode has been installed and run (to agree to the licensing), then install the command line tools by running:
xcode-select -- install
Get the Source
Download the latest release of Cosign from weblogin.org.
Configure the Build
In Terminal, decompress the archive and change to the Cosign source directory:
tar zxf cosign-VERSION.tar.gz cd cosign-VERSION
If building for Apache 1.x, use --enable-apache1=/path/to/apxs. If building for Apache2, use --enable-apache2=/path/to/apxs2. If building for Mac OS X Server, you'll probably want to add --enable-universal-binaries, which will give you four-architecture (i386, x86_64, ppc, and ppc64) binaries of the daemon, CGIs, and the Apache filters.
./configure --enable-apache2=/usr/sbin/apxs --enable-universal-binaries --enable-krb --with-gss
NOTE: For Mac OS X 10.7 through 10.10, you can not build universal binaries, so the command would be:
./configure --enable-apache2=/usr/sbin/apxs --enable-krb --with-gss
NOTE: For 10.11 and up, the openssl headers are no longer part of Xcode, so you will need to manually install them. One of the easier ways to do this is to install "homebrew" from http://brew.sh. If you choose this method, you can then run these commands AFTER you install homebrew:
brew install openssl
to install it and then link to the headers by running:
cd /usr/local/include ln -s ../opt/openssl/include/openssl .
Build the Apache Filter
If you are not running OSX Server, you just run:
make
NOTE 1: FOR OSX SERVER: xCode has an issue where a compiler path is missing. BEFORE running "make", you will need to do this:
cd /Applications/Xcode.app/Contents/Developer/Toolchains
sudo ln -s XcodeDefault.xctoolchain OSX<OSVERSION>.xctoolchain (REPLACE <OSVERSION> with your operating system version!)
Example:
sudo ln -s XcodeDefault.xctoolchain OSX10.10.xctoolchain
NOTE 2: For systems running Apache 2.4 (Mac OS X 10.10 and beyond) -- you must modify a file *BEFORE* running "make".
1) in your "cosign-<version>" directory, go to filters/apache2 (not filters/apache!)
2) Edit mod_cosign.c to replace *TWO* instances of "remote_ip" with "client_ip":
cv = cosign_cookie_valid( cfg, cookie, &rekey, &si, r->connection->remote_ip, r->server );
and
cv = cosign_cookie_valid( cfg, my_cookie, NULL, &si, r->connection->remote_ip, r->server );
NOTE 3: Running "make" at this point will generate a lot of "deprecated" warning messages on Mac OS X Server 10.7 and later -- these can be ignored when installing cosign 3.2.0 (as of August 2012)
Build All Weblogin Components (Optional)
If you intend to set up a weblogin environment, you'll need to build the daemon and CGIs:
sudo make everything
Install
sudo make install
or
sudo make install-all
NOTE: On Mac OSX 10.11 and greater --- "make install" will appear to fail. This is because mod_cosign.so can not be written directly to /usr/libexec/apache2.
However, mod_cosign.so is compiled and should be in this location:
cosign-<VERSION>/filters/apache2/.libs
and can be manually moved to a directory that is writeable (such as /opt/local or /usr/local).
if you're setting up a central weblogin server.
Create Support Directories
The cosign filter, [mod_cosign], by default stores service cookies in /var/cosign/filter. You can override the location of the service cookie directory using the [CosignFilterDB] directive, but the default location is fine for most uses. The directory must exist, and the Apache user, www, must be the owner of the directory:
sudo mkdir -p -m 0750 /var/cosign/filter sudo chown www:www /var/cosign/filter
Next Steps
At this point, you should have all the pieces in place. For instructions on configuring Cosign with Apache, please see these instructions. The Leopard Server Install, Lion Server Install, and Mountain Lion Server install notes (now updated for Yosemite server!), although focused on the University of Michigan's environment, should help get you up and running on Mac OS X Server. This page describes setting up a complete weblogin environment.
Questions and discussion are always welcomed on the cosign-discuss mailing list.