[OpenAFS] AFS and Apache

Leif Johansson leifj@it.su.se
Fri, 04 Jun 2004 16:42:34 +0200


lbramos wrote:
> Hi,
>  
> After fixing the problems with qmail, ldap and logging in, now I'm trying apache! 
>  
> I followed a few instructions I found on the net, like http://archiv.tu-chemnitz.de/cgi-monarch/search/direct.pl?id=20000092&print=1
>  
> But I keep getting the error code 403: Forbidden access...
>  
> Can anyone tell me a good online manual for this? I don't want to use krb5...
>  
> Thanks again,
>  

We use PubCookie (http://www.pubcookie.org) with the krb5 auth mech.
PubCookie is a "web initial sign-on" system based on encrypted cookies.
It seems reasonably secure. It has the ability to forward credentials to
application servers. For instance our enterprise portal has a
filemanager webapp which talks to AFS with proper tokens using
PubCookie. Access to credentials is controlled by a configuration file
in the login web application server (basically a CGI).

Another alternative is to use https-spnego (you need SSL to protect
against MITM attacks). There are various SPNEGO implementations for
Apache, and both IE and Mozilla (at least 1.7) support it.

The good thing about PubCookie is that all browsers can use it. The
downside is that the webserver needs to be Apache or IIS - Tomcat and
Resin can be handled using an Apache frontend - since PubCookie is
implemented using a server-side module. This is also a good thing since
your applications can be completely unaware of the fact that PubCookie
is happening.

	Cheers leifj