______________________________________________________________________________ INTRO mod_waklog is an Apache module that provides aklog-like semantics for the web. mod_waklog will acquire (and store in the kernel) an AFS credential when a connection is opened, use the credential for the duration of the connection, and will remove the credential when the connection is closed. mod_waklog allows you to permit directories using AFS ACLs, and access them via a web browser. An ACL of "umweb:servers rl" is required for each mod_waklog-protected directory. mod_waklog allows scripts to run as you. Programs which use AFS credentials to authenticate themselves do so as you. mod_waklog often is used with mod_cosign, and uses the cosign-provided krbtgt to acquire an AFS credential; this extends single signon to AFS via the web. ______________________________________________________________________________ CONFIGURATION Mod_waklog understands these directives. Of these, only WaklogAFSCell is mandatory: WaklogAFSCell Use the supplied AFS cell (required) WaklogEnabled Enable waklog on a server, location, or directory basis WaklogDefaultPrincipal Set the default principal that the server runs as; this principal must have "l" access to every path that is served, regardless of user credentials or WaklogLocationPrincipal directives. WaklogLocationPrincipal Set the principal on a -specific basis WaklogDisableTokenCache (NOT YET IMPLEMENTED) Ignore the token cache (-specific). This is useful for scripts that need kerberos tickets; for example, a perl script that uses kerberos authentication to contact a database. By supplying a WaklogLocationPrincipal directive, mod_waklog can obtain the tickets and tokens for the principal, but by not using the token cache the script is assured that it will have tickets when it runs. WaklogUseUserTokens Use the requesting user tokens (from webauth) ______________________________________________________________________________ PHASES Apache processes a request in multiple phases. mod_waklog runs at phase 0 to acquire credentials via a keytab, and runs at phase 2 to remove the credentials. mod_waklog runs at phase 7 to acquire credentials of whatever krbtgt is referenced via KRB5CCNAME (e.g., set by mod_cosign). mod_waklog runs at connection termination to remove the credentials it acquired at phase 0 or phase 7. Apache calls stat() between phase 1 and phase 2 to determine if it has access to the directory; if it doesn't have read access at that point, it won't try to read it again, even if later phases would acquire credentials which would allow it to do so. mod_waklog acquires an afs credential for a principal in the pts group umweb:servers at phase 0, and removes this credential at phase 2; directories permitted "umweb:servers rl" will allow the stat() call to succeed. ______________________________________________________________________________ BUILD make Be sure the paths to apxs, include files, and libraries are correct. If you compiled Apache 2 with large file support, be sure to have: #define _LARGEFILE64_SOURCE in mod_waklog.c. If you run make and receive many errors about apr_off_t being undefined, you may need to add or comment out the above line. ______________________________________________________________________________ INSTALL Copy the mod_waklog.so to somewhere Apache can read and execute it. Add the following lines to your httpd.conf file: LoadModule waklog_module /path/to/mod_waklog.so WaklogProtected On