You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

 

This is probably my longest standing action item in TERENA (wink): implement a federated version of Confluence.

Below is the recipe for getting this to work with Ubuntu 12.04, Confluence 5.1, Apache, and modmellon.

I choose modmellon because it seemed like a cleaner solution than mod_shib, requiring no additional daemons and much simpler configuration.

 

Prerequisites

Before you start, make sure you have these bits:


  • A correctly configured apache web server that is serving an HTTPS web site.
  • A SAML Identity Provider (IdP).
  • An account on that IdP.
  • An attribute that can be used as username in Confluence (for example eduPersonPrincipalName). Attributes for full name and e-mail are optional but recommended.
  • The user name of the to-be administrator account. So, if you choose eduPersonPrincipalName as the attribute for username, you need to know your own value (for instance 'dvisser@surfnet.nl'.

Modmellon

Modmellon is an apache module. To get this working I recompiled the Debian source packages from the University of Tilburg for Ubuntu 12.04 and made them available in our own APT repository.

Once that is done, the needed packages can be installed:

apt-get install libapache2-mod-auth-mellon
a2enmod auth_mellon

Create a directory /etc/apache/mellon, and store the Identity Provider metadata in XML format to a file called idp.xml.

Create the cryptographic material for the mellon SP:

openssl req -new -newkey rsa:2048 -days 3650 -nodes -x509 -keyout sp.key -out sp.crt

Now add this to the configuration of the vhost:

 

ProxyRequests Off
<Proxy http://localhost:8090>
        Order deny,allow
        Allow from all
</Proxy>


ProxyPass /mellon/ !
ProxyPass / http://localhost:8090/
ProxyPassReverse / http://localhost:8090/


# Mobile theme does not honour new seraph values, so we have to redirect that
RewriteEngine on
RewriteCond     %{QUERY_STRING} ^originalUrl=(.*)$      [NC]
Rewriterule     ^/plugins/servlet/mobile/login          /mellon/login?ReturnTo=%1 [R,NE]

<Location />
        MellonEnable "info"
        MellonSecureCookie On
        MellonSessionDump Off
        MellonSamlResponseDump Off
        MellonEndpointPath "/mellon"
        MellonSPPrivateKeyFile /etc/apache2/mellon/sp.key
        MellonSPCertFile /etc/apache2/mellon/sp.crt
        MellonIdPMetadataFile /etc/apache2/mellon/idp.xml


        # First unset to avoid security holes
        RequestHeader unset REMOTE_USER
        RequestHeader set REMOTE_USER "%{MELLON_username}e" env=MELLON_username


        RequestHeader unset FULLNAME
        RequestHeader set FULLNAME "%{MELLON_fullname}e" env=MELLON_fullname


        RequestHeader unset MAIL
        RequestHeader set MAIL "%{MELLON_email}e" env=MELLON_email
</Location>

 

 

PostgreSQL

apt-get install postgresql

Create a dedicated database user, and a database:

sudo su - postgres
createuser -S -d -r -P -E confuser
createdb -O confuser confluence

 

 

Confluence 

Install OpenJDK:

apt-get --no-install-recommends install openjdk-7-jdk

 

Download the source http://www.atlassian.com/software/confluence/downloads/binary/atlassian-confluence-5.1.tar.gz and unpack it to /opt/confluence.

Edit /opt/confluence/conflue

Once installed, use this upstart script to have start on boot:

 

# Upstart script for confluence
description     "Atlassian Confluence"
start on runlevel [2345]
stop on runlevel [!2345]
kill timeout 30
env RUN_AS_USER=root
env BASEDIR=/opt/confluence
script
    LOGFILE=$BASEDIR/logs/catalina.out
    exec su - $RUN_AS_USER -c "$BASEDIR/bin/catalina.sh run" >> $LOGFILE 2>&1
end script

Once this is there, you can simply issue "start confluence", "stop confluence", "restart confluence".

 

 

  • No labels