"Fossies" - the Fresh Open Source Software Archive

Member "README" (9 May 2005, 7290 Bytes) of package /linux/www/apache_httpd_modules/old/modgssapache-0.0.5.tar.gz:


As a special service "Fossies" has tried to format the requested text file into HTML format (style: standard) with prefixed line numbers. Alternatively you can here view or download the uninterpreted source code file.

    1 
    2 This is an Apache authentication module based on http://meta.cesnet.cz/software/heimdal/negotiate.en.html.
    3 
    4 It uses Microsoft's example code from http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-3.asp
    5 
    6 The Browser setup is described at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/http-sso-1.asp.
    7 
    8 The build, with MIT Kerberos installed in /usr/kerberos, can look like this:
    9 
   10 using apxs, with libspnegohelp.so installed in /usr/lib:
   11 
   12 /usr/sbin/apxs -i -a -c -DEAPI_MM -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -I/usr/kerberos/include -L/usr/kerberos/lib -L/usr/lib -Wl,-R/usr/kerberos/lib -Wl,-R/usr/lib -lspnegohelp -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err mod_auth_gss_krb5.c
   13 
   14 or on Suse Linux 8.0
   15 
   16 CFLAGS="-g" \
   17 LDFLAGS="-g" \
   18 INCLUDES="-I/usr/kerberos/include" \
   19 OPTIM="-O2 -march=i586 -mcpu=i686 -fmessage-length=0 \$(OPTIM_ARCH) -DEAPI_MM -fPIC -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64 -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
   20 LIBS="-L/usr/X11R6/lib/ -lmm -Wl,-R/usr/kerberos/lib `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err" \
   21 SSL_BASE="SYSTEM" \
   22 ./configure \
   23 "--with-layout=Apache" \
   24 "--prefix=/srv/www" \
   25 "--bindir=/usr/bin" \
   26 "--sbindir=/usr/sbin" \
   27 "--datadir=/srv/www" \
   28 "--sysconfdir=/etc/httpd" \
   29 "--mandir=/usr/share/man" \
   30 "--logfiledir=/var/log/httpd" \
   31 "--localstatedir=/var/lib" \
   32 "--runtimedir=/var/run" \
   33 "--libexecdir=/usr/lib/apache" \
   34 "--proxycachedir=/var/cache/http" \
   35 "--includedir=/usr/include/apache" \
   36 "--enable-module=all" \
   37 "--disable-module=example" \
   38 "--enable-module=ssl" \
   39 "--enable-shared=max" \
   40 "--with-perl=/usr/bin/perl" \
   41 "--disable-rule=WANTHSREGEX" \
   42 "--enable-rule=EAPI" \
   43 "--server-uid=wwwrun" \
   44 "--server-gid=nogroup" \
   45 "--enable-suexec" \
   46 "--suexec-caller=wwwrun" \
   47 "--suexec-userdir=public_html" \
   48 "--suexec-uidmin=96" \
   49 "--suexec-gidmin=96" \
   50 "--suexec-safepath=/bin:/usr/bin" \
   51 "--suexec-logfile=/var/log/httpd/suexec.log" \
   52 "--without-confadjust" \
   53 "--activate-module=src/modules/extra/mod_auth_gss_krb5.c"
   54 
   55 
   56 or on Solaris 2.8
   57 
   58 CFLAGS="-g" \
   59 LDFLAGS="-g" \
   60 INCLUDES="-I/usr/kerberos/include" \
   61 OPTIM="-O2 -DEAPI -fPIC -D_LARGEFILE_SOURCE -DHARD_SERVER_LIMIT=2048 -DDYNAMIC_MODULE_LIMIT=128 " \
   62 LIBS="-R/usr/kerberos/lib `pwd`/spnegohelp/libspnegohelp.a -L/usr/kerberos/lib -lgssapi_krb5 -ldes425 -lkrb5 -lk5crypto -lcom_err" \
   63 SSL_BASE="SYSTEM" \
   64 ./configure \
   65 "--with-layout=Apache" \
   66 "--prefix=/usr/apache" \
   67 "--bindir=/usr/bin" \
   68 "--sbindir=/usr/sbin" \
   69 "--datadir=/usr/apache" \
   70 "--sysconfdir=/etc/apache" \
   71 "--mandir=/usr/share/man" \
   72 "--logfiledir=/var/apache/logs" \
   73 "--localstatedir=/var/apache/lib" \
   74 "--runtimedir=/var/run" \
   75 "--libexecdir=/usr/apache/libexec" \
   76 "--proxycachedir=/var/apache/cache" \
   77 "--includedir=/usr/apache/include" \
   78 "--enable-module=all" \
   79 "--disable-module=example" \
   80 "--enable-module=ssl" \
   81 "--enable-shared=max" \
   82 "--with-perl=/usr/bin/perl" \
   83 "--disable-rule=WANTHSREGEX" \
   84 "--enable-rule=EAPI" \
   85 "--server-uid=wwwrun" \
   86 "--server-gid=nogroup" \
   87 "--enable-suexec" \
   88 "--suexec-caller=wwwrun" \
   89 "--suexec-userdir=public_html" \
   90 "--suexec-uidmin=96" \
   91 "--suexec-gidmin=96" \
   92 "--suexec-safepath=/bin:/usr/bin" \
   93 "--suexec-logfile=/var/apache/logs/suexec.log" \
   94 "--without-confadjust" \
   95 "--activate-module=src/modules/extra/mod_auth_gss_krb5.c"
   96 
   97 The httpd.conf should contain something like the following (note that the example protects the whole DocumentRoot; narrow the <Directory> scope to the content that actually needs Kerberos authentication):
   98 .
   99 .
  100 .
  101 AddModule mod_auth_gss_krb5.c
  102 #
  103 # This should be changed to whatever you set DocumentRoot to.
  104 #
  105 <Directory "/srv/www/htdocs">
  106 
  107           GssKrb5Keytab "/etc/httpd/HTTP.keytab"
  108            Krb5Keytab "/etc/httpd/HTTP.keytab"
  109            GssKrb5ServicePrincipals http HTTP khttp
  110            GssKrb5AuthRealms REALM.COM
  111            KrbAuthRealm REALM.COM
  112            Krb5SaveCredentials Off
  113            AuthType KerberosV5
  114            GssAuth On
  115            AuthName "KRB5 REALM.COM"
  116            require valid-user
  117 
  118 .
  119 .
  120 . 
  121 
  122 
  123 
  124 with HTTP.keytab containing a service key HTTP/hostname@REALM.COM (readable by the Apache run user, e.g. wwwrun, and by nobody else: the keytab holds the server's long-term Kerberos key, so it should be owned by that user with mode 0400 or 0600 and must never be world-readable) and/or http/hostname@REALM.COM and/or khttp/hostname@REALM.COM to support different browsers.
  125 Since Microsoft's implementation does not always check case, a lowercase http service name can be sent by some browsers (e.g. the Mac browser). To create an http/hostname@REALM.COM service principal you have to copy the HTTP/hostname@REALM.COM entry within the keytab (as far as I know you cannot have both an HTTP and an http service principal in AD for the same server).
  126 
  127 First list the contents of the keytab file (assuming MIT Kerberos). Note that the -K option prints the raw key bytes: run this as root on the server itself and treat the output as secret, since the hex value shown is the service's long-term key (the value below is from a test realm, not a key to reuse): 
  128  
  129 # klist -k -e -K -t /etc/httpd/HTTP.keytab 
  130 Keytab name: FILE:/etc/httpd/HTTP.keytab 
  131 KVNO Timestamp Principal 
  132 ---- ----------------- -------------------------------------------------------- 
  133 1 11/29/04 11:42:25 HTTP/moelma.test.com@TEST.COM (ArcFour with HMAC/md5) (0x0d41ede68082fc5b8611dc5da75b5d4f) 
  134  
  135 Then do a ktutil with the following commands: 
  136 #ktutil 
  137 ktutil: addent -key -p http/moelma.test.com@TEST.COM -k 1 -e rc4-hmac 
  138 Key for http/moelma.test.com@TEST.COM (hex): 0d41ede68082fc5b8611dc5da75b5d4f 
  139 ktutil: wkt /etc/httpd/HTTP.keytab 
  140 ktutil: quit 
  141  
  142 Use the same kvno and enc-type as the HTTP entry. This adds a second entry (with the service name http) to the keytab carrying the same key as the HTTP service. Check afterwards that the ownership and permissions of the keytab are still correct, and clear the shell history if the key was typed on the command line. 
  143 
  144 
  145 It was tested with IE 6.0, Firefox 1.0.x on Windows XP, Firefox 1.0.x on Linux, Apache 1.3.26 on Suse Linux 8.x and Solaris 2.8, MIT Kerberos 1.2.4 and a Windows 2000 KDC. 
  146 
  147 Since version 0.0.4, Firefox/Mozilla clients that send a bare Kerberos token without SPNEGO wrapping can also connect. 
  148 
  149 A virtual host setup, with a separate keytab and realm per host, could look like this:
  150 #
  151 # Use name-based virtual hosting.
  152 #
  153 NameVirtualHost *
  154 
  155 #
  156 # VirtualHost example:
  157 # Almost any Apache directive may go into a VirtualHost container.
  158 # The first VirtualHost section is used for requests without a known
  159 # server name.
  160 #
  161 <VirtualHost *>
  162     ServerAdmin webmaster@www.realm1.com
  163     DocumentRoot "/srv/www/htdocs/domain1"
  164     ServerName www.realm1.com
  165     ErrorLog /var/log/httpd/error_log_realm1
  166     LogFormat "%h %l %u %t \"%r\" %>s %b" common
  167     CustomLog /var/log/httpd/access_log_realm1 common
  168 </VirtualHost>
  169 <VirtualHost *>
  170     ServerAdmin webmaster@www.realm2.com
  171     DocumentRoot "/srv/www/htdocs/domain2"
  172     ServerName www.realm2.com
  173     ErrorLog /var/log/httpd/error_log_realm2
  174     LogFormat "%h %l %u %t \"%r\" %>s %b" common
  175     CustomLog /var/log/httpd/access_log_realm2 common
  176 </VirtualHost>
  177 
  178 <Directory "/srv/www/htdocs/domain1">
  179            GssKrb5Keytab "/etc/httpd/HTTP-REALM1.keytab"
  180            Krb5Keytab "/etc/httpd/HTTP-REALM1.keytab"
  181            GssKrb5AuthRealms REALM1.COM
  182            KrbAuthRealm REALM1.COM
  183            Krb5SaveCredentials Off
  184            GssAuth On
  185            AuthType KerberosV5
  186            GssKrb5ServicePrincipals http HTTP khttp
  187            AuthName "KRB5 REALM1.COM"
  188            require valid-user
  189 .
  190 .
  191 .
  192 .
  193 .
  194 </Directory>
  195 <Directory "/srv/www/htdocs/domain2">
  196 
  197            GssKrb5Keytab "/etc/httpd/HTTP-REALM2.keytab"
  198            Krb5Keytab "/etc/httpd/HTTP-REALM2.keytab"
  199            GssKrb5AuthRealms REALM2.COM
  200            KrbAuthRealm REALM2.COM
  201            Krb5SaveCredentials Off
  202            GssAuth On
  203            AuthType KerberosV5
  204            GssKrb5ServicePrincipals http HTTP khttp
  205            AuthName "KRB5 REALM2.COM"
  206            require valid-user
  207 
  208 .
  209 .
  210 .
  211 .
  212 .
  213 </Directory>
  214 
  215 
  216 Markus