Introduction
------------

  This package contains the Apache module for user authentication using
  the WebAuth authentication system.  It is not useful by itself; your
  site also needs to be running a WebAuth infrastructure including a
  separate WebKDC and weblogin server.  See the libapache2-mod-webkdc and
  webauth-weblogin packages for the WebKDC server and weblogin server.

  There is also a closely-related module to do attribute lookup in LDAP
  after a successful WebAuth authentication and put that information in
  the environment or use it for authorization.  For that module,
  mod_webauthldap, install the libapache2-mod-webauthldap package.

  You can install the webauth-tests package to get a test suite that you
  can use to verify that your installation is working.  See the
  documentation of that package for more information.

  mod_webauth.html.en has the formatted manual, but it expects to be
  viewed as part of the Apache documentation tree.  If you wish, you can
  install the apache2-doc package and copy this file to:

      /usr/share/doc/apache2-doc/manual/mod

  and you will then be able to read it as intended.

  See: for more information about WebAuth, including copies of the module
  manuals and places to contact to get help with the installation.

Configuring WebAuth
-------------------

  There are several steps in configuring WebAuth that cannot (easily) be
  automated, so this module is not active and available immediately after
  installing this package.  You must also do the following:

  1. Determine your local site WebAuth configuration.  You need to know
     three pieces of information: the URL of the WebKDC service, the URL
     of the WebLogin service, and the Kerberos principal used by the
     WebKDC.  These should be part of your local WebAuth documentation.

     If you are setting up a new WebAuth installation from scratch,
     install the libapache2-mod-webkdc and webauth-weblogin packages on
     the system that will serve as the WebKDC and weblogin server, follow
     their installation instructions, and then return here.

  2. Obtain a Kerberos keytab for your WebAuth server.  How to obtain a
     keytab varies greatly from one Kerberos site to the next; contact
     your local Kerberos administrator for more information.  Normally,
     the principal for the WebAuth service on www.example.com would be
     named webauth/www.example.com (in your local realm), but this may
     vary at your site.

     However you get this keytab, install it in /etc/webauth/keytab and
     then make sure that it is readable by the web server:

         chgrp www-data /etc/webauth/keytab
         chmod 640 /etc/webauth/keytab

  3. Enable the WebAuth module and the generic user authorization module:

         a2enmod authz_user
         a2enmod webauth

     You can skip enabling authz_user if you won't be using directives of
     the form "Require user" or "Require valid-user", but since these
     directives are used in WebAuth tests and in much of the
     documentation, I recommend enabling that module to avoid confusion.

     The WebAuth module will now be loaded the next time you restart your
     Apache server.  Don't restart the server yet; you still need to
     configure the module.

  4. Add the following configuration to:

         /etc/apache2/conf-available/webauth.conf

     (or wherever you prefer to put local Apache configuration):

         WebAuthLoginURL
         WebAuthWebKdcURL
         WebAuthWebKdcPrincipal

     where , , and are the local configuration values that you obtained
     in step 1.  Then enable that configuration file with:

         a2enconf webauth

  5. Restart Apache:

         apache2ctl graceful

  At this point, WebAuth authentication is available.  In order to
  protect a section of your web site with WebAuth, just add something
  like:

      AuthType WebAuth
      require user example

  to a , , or block or a .htaccess file.  For more complex access control
  using LDAP, see libapache2-mod-webauthldap.

-- Russ Allbery , Sun, 2 Jun 2013 10:19:38 -0700
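
The checks implied by steps 2 and 4 above, as an added shell example that is not part of the original README or of the WebAuth packages: before restarting Apache, it verifies that the keytab is neither group-writable nor accessible to other users, and that each of the three directives has a value. The function names are hypothetical, and group ownership (www-data) is not checked.

```shell
#!/bin/sh
# Added example (not from the WebAuth packages); function names are hypothetical.

# keytab_perms_ok FILE: succeed if FILE exists, is not group-writable and
# grants nothing to "other".  The chmod 640 from step 2 satisfies this.
keytab_perms_ok() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw-r-----
    case "$perms" in
        ?????w????) return 1 ;;         # group may write the keytab
        ???????---) return 0 ;;         # no access for other
        *)          return 1 ;;         # other can read, write or execute
    esac
}

# missing_directives CONF: print each step-4 directive that has no value
# in CONF.  Apache directive names are case-insensitive; lines starting
# with '#' are comments and do not count.
missing_directives() {
    for d in WebAuthLoginURL WebAuthWebKdcURL WebAuthWebKdcPrincipal; do
        grep -Eiq "^[[:space:]]*$d[[:space:]]+[^[:space:]]" "$1" 2>/dev/null \
            || printf '%s\n' "$d"
    done
}

# webauth_preflight KEYTAB CONF: run both checks, report on stderr,
# return non-zero if either fails.
webauth_preflight() {
    rc=0
    if ! keytab_perms_ok "$1"; then
        echo "$1: missing, group-writable, or accessible to other users" >&2
        rc=1
    fi
    missing=$(missing_directives "$2")
    if [ -n "$missing" ]; then
        echo "$2: no value set for:" $missing >&2
        rc=1
    fi
    return "$rc"
}

# Usage: sh preflight.sh /etc/webauth/keytab /etc/apache2/conf-available/webauth.conf
if [ "$#" -eq 2 ]; then
    webauth_preflight "$1" "$2"
fi
```

Run it with the two paths from steps 2 and 4 and restart Apache only when it exits 0.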