INTRO

mod_waklog is an Apache module that provides aklog-like semantics
for the web. mod_waklog will acquire (and store in the kernel) an
AFS credential when a connection is opened, use the credential for
the duration of the connection, and will remove the credential when
the connection is closed.

mod_waklog allows you to set permissions on directories using AFS ACLs,
and access them via a web browser. An ACL of "umweb:servers rl" is
required for each mod_waklog-protected directory.

mod_waklog allows scripts to run as you. Programs which use AFS
credentials to authenticate themselves do so as you.

mod_waklog is often used with mod_cosign, and uses the cosign-provided
krbtgt to acquire an AFS credential; this extends single sign-on to AFS
via the web.

PHASES

Apache processes a request in multiple phases.

mod_waklog runs at phase 0 to acquire credentials via a keytab, and
runs at phase 2 to remove the credentials.

mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
is referenced via KRB5CCNAME (e.g., set by mod_cosign).

mod_waklog runs at connection termination to remove the credentials
it acquired at phase 0 or phase 7.

Apache calls stat() between phase 1 and phase 2 to determine if it
has access to the directory; if it doesn't have read access at that
point, it won't try to read it again, even if later phases would
acquire credentials which would allow it to do so. mod_waklog
acquires an AFS credential for a principal in the pts group
umweb:servers at phase 0, and removes this credential at phase 2;
directories permitted "umweb:servers rl" will allow the stat() call
to succeed.
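
The ACL requirement above can be audited before a directory is served. The
shell functions below are an added example, not part of mod_waklog: they parse
"fs listacl" output and report whether umweb:servers holds both r and l. The
function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a directory's AFS ACL grants the web servers
# group the "rl" rights this README requires. The group name is from the
# README; function names and the sample listing are constructed.

WEB_GROUP="umweb:servers"

# has_web_acl: reads `fs listacl` output on stdin. Exit 0 only if $WEB_GROUP
# has both r and l under "Normal rights:" and neither right is revoked
# under "Negative rights:" (a negative entry overrides the grant).
has_web_acl() {
    awk -v grp="$WEB_GROUP" '
        /^Normal rights:/   { section = "normal";   next }
        /^Negative rights:/ { section = "negative"; next }
        $1 == grp && section == "normal" {
            if (index($2, "r") && index($2, "l")) granted = 1
        }
        $1 == grp && section == "negative" {
            if (index($2, "r") || index($2, "l")) denied = 1
        }
        END { exit (granted && !denied) ? 0 : 1 }
    '
}

# audit_dir: run the check on a live directory (needs the OpenAFS fs command).
audit_dir() {
    if fs listacl "$1" 2>/dev/null | has_web_acl; then
        echo "ok    $1"
    else
        echo "FAIL  $1 (fix: fs setacl -dir $1 -acl $WEB_GROUP rl)"
        return 1
    fi
}

# Constructed sample of `fs listacl` output (not from a real cell).
SAMPLE='Access list for /afs/example.org/web/site is
Normal rights:
  system:administrators rlidwka
  umweb:servers rl
  alice rlidwka'

printf '%s\n' "$SAMPLE" | has_web_acl && echo "sample: $WEB_GROUP has rl"
```

Run audit_dir over each directory that will be mod_waklog-protected; a FAIL
line means the stat() described above would be refused.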

BUILD

    make

Be sure the paths to apxs, include files, and libraries are correct.

If you compiled Apache 2 with large file support, be sure to have:

    #define _LARGEFILE64_SOURCE

in mod_waklog.c. If you run make and receive many errors about apr_off_t
being undefined, you may need to add or comment out the above line.

INSTALL

Copy the mod_waklog.so to somewhere Apache can read and execute it.

Add the following lines to your httpd.conf file:

    LoadModule waklog_module /path/to/mod_waklog.so

    <IfModule mod_waklog.c>
        WaklogProtected On
    </IfModule>