update for stretch

[hcoop/debian/libapache-mod-waklog.git] / README

______________________________________________________________________________        
INTRO

mod_waklog is an Apache module that provides aklog-like semantics
for the web.  mod_waklog will acquire (and store in the kernel) an
AFS credential when a connection is opened, use the credential for
the duration of the connection, and will remove the credential when
the connection is closed.

mod_waklog allows you to permit directories using AFS ACLs, and access
them via a web browser.  An ACL of "umweb:servers rl" is required for
each mod_waklog-protected directory.

mod_waklog allows scripts to run as you.  Programs which use AFS
credentials to authenticate themselves do so as you.

mod_waklog often is used with mod_cosign, and uses the cosign-provided
krbtgt to acquire an AFS credential; this extends single signon to AFS
via the web.

______________________________________________________________________________        
CONFIGURATION

Mod_waklog understands these directives.  Of these, only WaklogAFSCell
is mandatory:

WaklogAFSCell

  Use the supplied AFS cell (required)

WaklogEnabled 

  Enable waklog on a server, location, or directory basis

WaklogDefaultPrincipal

  Set the default principal that the server runs as; this principal
  must have "l" access to every path that is served, regardless of
  user credentials or WaklogLocationPrincipal directives.

WaklogLocationPrincipal

  Set the principal on a <Location>-specific basis

WaklogDisableTokenCache (NOT YET IMPLEMENTED)

  Ignore the token cache (<Location>-specific).  This is useful for
  scripts that need kerberos tickets; for example, a perl script that
  uses kerberos authentication to contact a database.  By supplying a
  WaklogLocationPrincipal directive, mod_waklog can obtain the tickets
  and tokens for the principal, but by not using the token cache the
  script is assured that it will have tickets when it runs.
  
WaklogUseUserTokens 

  Use the requesting user tokens (from webauth)

______________________________________________________________________________        
PHASES

Apache processes a request in multiple phases.

mod_waklog runs at phase 0 to acquire credentials via a keytab, and
runs at phase 2 to remove the credentials.

mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt
is referenced via KRB5CCNAME (e.g., set by mod_cosign).

mod_waklog runs at connection termination to remove the credentials
it acquired at phase 0 or phase 7.

Apache calls stat() between phase 1 and phase 2 to determine if it
has access to the directory; if it doesn't have read access at that
point, it won't try to read it again, even if later phases would
acquire credentials which would allow it to do so.  mod_waklog
acquires an afs credential for a principal in the pts group
umweb:servers at phase 0, and removes this credential at phase 2;
directories permitted "umweb:servers rl" will allow the stat() call
to succeed.

______________________________________________________________________________        
BUILD 

make

Be sure the paths to apxs, include files, and libraries are correct.

If you compiled Apache 2 with large file support, be sure to have:

   #define _LARGEFILE64_SOURCE

in mod_waklog.c.  If you run make and receive many errors about apr_off_t
being undefined, you may need to add or comment out the above line.


______________________________________________________________________________        
INSTALL

Copy the ./.libs/mod_waklog.so to somewhere Apache can read and execute it.

Add the following lines to your httpd.conf file:

    LoadModule waklog_module        /path/to/mod_waklog.so

    <IfModule mod_waklog.c>
        WaklogProtected                 On
    </IfModule>