______________________________________________________________________________
INTRO
mod_waklog is an Apache module that provides aklog-like semantics
for the web. mod_waklog will acquire (and store in the kernel) an
AFS credential when a connection is opened, use the credential for
the duration of the connection, and will remove the credential when
the connection is closed.
mod_waklog allows you to permit directories using AFS ACLs, and access
them via a web browser. An ACL of "umweb:servers rl" is required for
each mod_waklog-protected directory.
mod_waklog allows scripts to run as you. Programs which use AFS
credentials to authenticate themselves do so as you.
mod_waklog often is used with mod_cosign, and uses the cosign-provided
krbtgt to acquire an AFS credential; this extends single signon to AFS
via the web.
______________________________________________________________________________
CONFIGURATION
Mod_waklog understands these directives. Of these, only WaklogAFSCell
is mandatory:
WaklogAFSCell
Use the supplied AFS cell (required)
WaklogEnabled
Enable waklog on a server, location, or directory basis
WaklogDefaultPrincipal
Set the default principal that the server runs as; this principal
must have "l" access to every path that is served, regardless of
user credentials or WaklogLocationPrincipal directives.
WaklogLocationPrincipal
Set the principal on a <Location>-specific basis
WaklogDisableTokenCache (NOT YET IMPLEMENTED)
Ignore the token cache (<Location>-specific). This is useful for
scripts that need kerberos tickets; for example, a perl script that
uses kerberos authentication to contact a database. By supplying a
WaklogLocationPrincipal directive, mod_waklog can obtain the tickets
and tokens for the principal, but by not using the token cache the
script is assured that it will have tickets when it runs.
WaklogUseUserTokens
Use the requesting user tokens (from webauth)
______________________________________________________________________________
PHASES
Apache processes a request in multiple phases.
mod_waklog runs at phase 0 to acquire credentials via a keytab, and
runs at phase 2 to remove the credentials.
mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
is referenced via KRB5CCNAME (e.g., set by mod_cosign).
mod_waklog runs at connection termination to remove the credentials
it acquired at phase 0 or phase 7.
Apache calls stat() between phase 1 and phase 2 to determine if it
has access to the directory; if it doesn't have read access at that
point, it won't try to read it again, even if later phases would
acquire credentials which would allow it to do so. mod_waklog
acquires an afs credential for a principal in the pts group
umweb:servers at phase 0, and removes this credential at phase 2;
directories permitted "umweb:servers rl" will allow the stat() call
to succeed.
______________________________________________________________________________
BUILD
make
Be sure the paths to apxs, include files, and libraries are correct.
If you compiled Apache 2 with large file support, be sure to have:
#define _LARGEFILE64_SOURCE
in mod_waklog.c. If you run make and receive many errors about apr_off_t
being undefined, you may need to add or comment out the above line.
______________________________________________________________________________
INSTALL
Copy the ./.libs/mod_waklog.so to somewhere Apache can read and execute it.
Add the following lines to your httpd.conf file:
LoadModule waklog_module /path/to/mod_waklog.so
<IfModule mod_waklog.c>
WaklogProtected On
</IfModule>