/usr/share/doc/libapache2-mod-webkdc/README.Debian is in libapache2-mod-webkdc 4.6.1-1+b1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

WebAuth WebKDC for Debian
-------------------------

This package contains the Apache module for the central WebAuth WebKDC.
Only one server (or one pool of load-balanced servers) at a given site
needs to run this module.  On the server where you install this module,
you should also install the webauth-weblogin package and follow its
installation instructions.  The documentation for it has additional
information about what site configuration documentation you will probably
want to publish for WebAuth users at your site.

mod_webkdc.html.en is the formatted manual, but it expects to be part of
the Apache documentation tree.  If you wish, you can install the
apache2-doc package and then copy this file into:

    /usr/share/doc/apache2-doc/manual/mod/

and you will then be able to read it as intended.

See:

    <http://webauth.stanford.edu/>

for more information about WebAuth, including copies of the module manuals
and places to contact to get help with the installation.


Installing the WebKDC
---------------------

After installing this package, you must also do the following to make the
WebKDC available:

 1. Decide what the URL will be for your WebKDC service.  I recommend
    <https://weblogin.example.com/webkdc-service/>, where example.com is
    your domain, but you can use anything that you wish.  It should,
    however, be on the same server as the weblogin server.

 2. Decide what Kerberos principal to use for the WebKDC service.  I
    recommend service/webkdc (in your local realm), but you can use
    anything that you wish.

 3. Obtain a Kerberos keytab for the WebKDC.  How to obtain a keytab
    varies greatly from one Kerberos site to the next; contact your local
    Kerberos administrator for more information.

    However you get this keytab, install it in /etc/webkdc/keytab and
    then make sure that it is readable by the web server:

        chgrp www-data /etc/webkdc/keytab
        chmod 640 /etc/webkdc/keytab

 4. In the configuration for your SSL virtual host, or your main server
    configuration if you don't configure SSL separately, add a block like:

        <Location /webkdc-service>
            SSLRequireSSL
            SetHandler webkdc
        </Location>

    You will also have to have a working SSL configuration, which includes
    a valid SSL certificate that your WebAuth servers will be able to
    validate.  See the Apache documentation for information on setting up
    SSL.

 5. Edit /etc/webkdc/token.acl and configure which Kerberos principals
    will be allowed to get tokens from the WebKDC.  I recommend starting
    with a line like:

        krb5:webauth/*@EXAMPLE.COM id

    which will allow any webauth/* principal in the EXAMPLE.COM realm
    (replace that with your own realm) to get an "id" token, which is the
    token for basic authentication.  You can allow particular servers to
    get additional Kerberos credentials on behalf of the user; for more
    information, see the manual.

 6. Enable the WebKDC module:

        a2enmod webkdc

    The WebKDC module will now be loaded the next time you restart your
    Apache server.

 7. Restart Apache:

        apache2ctl graceful

    The WebKDC should now be available, and you can start testing with
    WebAuth servers.

 -- Russ Allbery <rra@debian.org>, Mon, 22 Apr 2013 13:47:30 -0700
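
Added example (not part of the package or of the original README): a
shell check for the keytab permissions from step 3 and the token.acl
entries from step 5.  The function names and the --audit switch are
hypothetical, and skipping "#" comment lines in token.acl is an
assumption about the file format; stat -c is the GNU form found on
Debian.

```shell
#!/bin/sh
# Added example, not shipped with libapache2-mod-webkdc.

# check_keytab FILE GROUP: succeed only if FILE is a regular file owned by
# GROUP, not writable by the group and not accessible to other users.
check_keytab() {
    local file="$1" group="$2" mode fgroup rc=0
    if [ ! -f "$file" ]; then
        echo "missing: $file"; return 2
    fi
    mode=$(stat -c '%a' "$file")
    fgroup=$(stat -c '%G' "$file")
    if [ "$fgroup" != "$group" ]; then
        echo "$file: group is $fgroup, expected $group"; rc=1
    fi
    # 007 = any bit for "other"; the service key must not leak to them.
    if [ "$((0${mode} & 007))" -ne 0 ]; then
        echo "$file: mode $mode gives other users access"; rc=1
    fi
    # 020 = group write; the web server only needs to read the keytab.
    if [ "$((0${mode} & 020))" -ne 0 ]; then
        echo "$file: mode $mode lets the group rewrite the keytab"; rc=1
    fi
    return $rc
}

# review_token_acl FILE: print entries that deserve a second look and fail
# if there are any.  Flags token types other than "id" and principals
# that start with a wildcard (krb5:*...), which match every name.
review_token_acl() {
    awk '
        NF == 0 || $1 ~ /^#/ { next }   # assumption: "#" starts a comment
        $2 != "id"      { print FILENAME ":" NR ": more than an id token: " $0
                          bad = 1; next }
        $1 ~ /^krb5:\*/ { print FILENAME ":" NR ": matches every principal: " $0
                          bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Check the paths from steps 3 and 5 only when asked to.
if [ "${1:-}" = "--audit" ]; then
    check_keytab /etc/webkdc/keytab www-data
    review_token_acl /etc/webkdc/token.acl
fi
```

An entry flagged for a token type other than "id" is not necessarily
wrong; it is one to confirm against the manual.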