Enabling mod_wsgi with LDAP access under Fedora 17

Posted on Wed 11 July 2012 in misc

Continuing my path of new problem to solve = opportunity to try something new, I opted to give web.py a shot as a Web front-end for an existing script I had put together to provision users in our Evergreen library system based on their LDAP entry. The goal was to provide access to the functionality of the script, without having me as a single point of failure... something I have intended to put in place for a long time, but which jumped up in priority once I went on vacation and received a few requests (surprise, surprise).

Creating a web.py front end was easy enough. It was a bit more challenging to put it into production, because my production box for this task runs Fedora 17, and that means SELinux. In the past, my knee-jerk reaction during development would be to setenforce 0 and be done with it, but exposing it to more than just me at the terminal means taking some care. So, fortunately, it was pretty easy to sort out (thanks largely to the assistance gleaned from this Packtpub.com article, minus the compiling mod_wsgi from source bits).

The pertinent bits for my case were:

  1. Install mod_wsgi and web.py: yum install mod_wsgi python-webpy
  2. Configure /etc/httpd/conf/httpd.conf to include the appropriate WSGIScriptAlias line
  3. Fix the SELinux label on the WSGI files: chcon -R -t httpd_user_content_t patron-load
  4. Allow Apache to connect to an LDAP server: setsebool -P httpd_can_connect_ldap=1

And poof: my server still has the protection of SELinux, and my desired functionality works. Yay!
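A read-only check of the state that steps 3 and 4 leave behind, added here as an example and not part of the original post. The directory argument is an assumption (wherever patron-load lives on your server), and the parsing helpers assume the usual getsebool and stat -c %C output formats.

```shell
#!/bin/bash
# Added example, not from the original post. The directory passed as $1 is
# an assumption: wherever the patron-load directory lives on your server.

WANT_TYPE=httpd_user_content_t      # label applied in step 3
WANT_BOOL=httpd_can_connect_ldap    # boolean enabled in step 4

# The type is the third field of user:role:type:level.
selinux_type() { printf '%s\n' "$1" | cut -d: -f3; }

# getsebool prints "name --> on" or "name --> off".
bool_is_on() { case "$1" in *' --> on') return 0 ;; *) return 1 ;; esac; }

# Read "context path" lines on stdin; print paths whose type is not $1.
mislabelled() {
    while read -r ctx path; do
        [ "$(selinux_type "$ctx")" = "$1" ] || printf '%s\n' "$path"
    done
}

audit_app() {
    dir=$1 rc=0
    [ "$(getenforce)" = Enforcing ] || { echo "FAIL: SELinux is not enforcing"; rc=1; }
    bool_is_on "$(getsebool "$WANT_BOOL")" || { echo "FAIL: $WANT_BOOL is off"; rc=1; }
    bad=$(find "$dir" -exec stat -c '%C %n' {} + | mislabelled "$WANT_TYPE")
    [ -z "$bad" ] || { echo "FAIL: not labelled $WANT_TYPE:"; echo "$bad"; rc=1; }
    # chcon changes only the on-disk label. If the policy default differs,
    # a restorecon or a full relabel will undo step 3.
    policy=$(selinux_type "$(matchpathcon -n "$dir")")
    [ "$policy" = "$WANT_TYPE" ] ||
        echo "WARN: policy default is $policy; a relabel will revert $dir"
    return $rc
}

# Only touch the live system when a directory is given on the command line.
if [ "$#" -gt 0 ]; then audit_app "$1"; fi
```

Run it with the application directory as its only argument. If the WARN line appears, recording the label in policy with semanage fcontext -a -t httpd_user_content_t '<dir>(/.*)?' and then running restorecon -R <dir> makes step 3 survive a relabel.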