[OpenAFS] Combined AFS/Kerberos Apache 2 module
Thu, 3 Sep 2009 10:24:54 -0400 (EDT)
There's been a lot of discussion on the list about getting mod_auth_kerb,
mod_waklog, filedrawers and CoSign all working together harmoniously under
Apache 2. I also struggled with this for a while, and eventually decided
to do a major modification/rewrite to mod_auth_kerb so that it can address
some of these concerns.

The new module I've called 'mod_afs_kerb' for the time being, anyway. It
is available here:

This module will:
1) do the initial Kerberos authentication, via
   a) HTTP Basic Auth (over SSL)
2) use existing credentials provided by an external module (CoSign)
3) obtain AFS tokens for the authenticating user as desired
4) cache credentials based on SSL session ID to limit AS traffic
5) work with Apache 2.

In addition, when obtaining AFS tokens, it's possible to do so before the
Apache directory walk phase, which is a current limitation of mod_waklog.
This removes the requirement that the server itself must run with
credentials, and doesn't require special directory ACLs.

When using this module, the use of mod_waklog is not required.

One caveat: because we use Heimdal Kerberos, the AFS parts of this were
written to use the Heimdal functions. Someone will need to write a bit of
code to make this work with MIT Kerberos. (See the afslog functions
inside #ifdef HEIMDAL.) If there's enough interest, and no one else steps
up, I can look at doing it.

Also note: As part of the rewrite, for simplicity and improved
functionality, the existing Kerberos 4 and Apache 1 parts of the module
have been removed.

University of Maryland, College Park
Office of Information Technology