WebAuth WebKDC for Debian
-------------------------

This package contains the Apache 2.x module for the central WebAuth
WebKDC. Only one server (or one pool of load-balanced servers) at a
given site needs to run this module.

On the server where you install this module, you should also install the
webauth-weblogin package and follow its installation instructions. The
documentation for it has additional information about what site
configuration documentation you will probably want to publish for
WebAuth users at your site.

mod_webkdc.html.en is the formatted manual, but it expects to be part of
the Apache 2.x documentation tree. If you wish, you can install the
apache2-doc package and then copy this file into:

    /usr/share/doc/apache2-doc/manual/mod/

and you will then be able to read it as intended.

See: for more information about WebAuth, including copies of the module
manuals and places to contact to get help with the installation.

Installing the WebKDC
---------------------

After installing this package, you must also do the following to make
the WebKDC available:

1. Decide what the URL will be for your WebKDC service. I recommend ,
   where example.com is your domain, but you can use anything that you
   wish. It should, however, be on the same server as the weblogin
   server.

2. Decide what Kerberos principal to use for the WebKDC service. I
   recommend service/webkdc (in your local realm), but you can use
   anything that you wish.

3. Obtain a Kerberos keytab for the WebKDC. How to obtain a keytab
   varies greatly from one Kerberos site to the next; contact your local
   Kerberos administrator for more information. However you get this
   keytab, install it in /etc/webkdc/keytab and then make sure that it
   is readable by the web server:

       chgrp www-data /etc/webkdc/keytab
       chmod 640 /etc/webkdc/keytab

4. In the configuration for your SSL virtual host, or your main server
   configuration if you don't configure SSL separately, add a block
   like:

       SSLRequireSSL
       SetHandler webkdc

   You will also have to have a working SSL configuration, which
   includes a valid SSL certificate that your WebAuth servers will be
   able to validate. See the Apache documentation for information on
   setting up SSL.

5. Edit /etc/webkdc/token.acl and configure which Kerberos principals
   will be allowed to get tokens from the WebKDC. I recommend starting
   with a line like:

       krb5:webauth/*@example.com id

   which will allow any webauth/* principal in the example.com realm
   (replace that with your own realm) to get an "id" token, which is the
   token for basic authentication. You can allow particular servers to
   get additional Kerberos credentials on behalf of the user; for more
   information, see the manual.

6. Enable the WebKDC module:

       a2enmod webkdc

   The WebKDC module will now be loaded the next time you restart your
   Apache server.

9. Restart Apache:

       apache2ctl graceful

The WebKDC should now be available, and you can start testing with
WebAuth servers.

 -- Russ Allbery, Thu Mar 16 13:33:35 2006
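
A post-install check for steps 3 and 5 above, as an added example that
is not part of this package or its documentation. The function names
check_keytab and review_acl are this example's own; it assumes GNU stat
and that lines starting with '#' in token.acl are comments.

```shell
#!/bin/sh
# Added example, not part of the package. Assumes GNU stat (Debian).
# Real use:  check_keytab /etc/webkdc/keytab www-data
#            review_acl /etc/webkdc/token.acl

# check_keytab FILE GROUP
# Returns 0 only if FILE has mode 640 and group GROUP (step 3).
check_keytab() {
    file=$1 group=$2 rc=0
    [ -f "$file" ] || { echo "$file: missing"; return 2; }
    mode=$(stat -c '%a' "$file")
    grp=$(stat -c '%G' "$file")
    if [ "$mode" != 640 ]; then
        echo "$file: mode $mode, expected 640"; rc=1
    fi
    if [ "$grp" != "$group" ]; then
        echo "$file: group $grp, expected $group"; rc=1
    fi
    return $rc
}

# review_acl FILE
# Prints the entries from step 5 that deserve a second look:
#   WILDCARD  the principal pattern contains '*'
#   NON-ID    the token type is something other than "id"
# Blank lines and lines starting with '#' are skipped; treating '#'
# as a comment marker is an assumption of this example.
review_acl() {
    while read -r principal type rest || [ -n "$principal" ]; do
        case $principal in ''|'#'*) continue ;; esac
        case $principal in
            *'*'*) echo "WILDCARD $principal $type" ;;
        esac
        [ "$type" = id ] || echo "NON-ID $principal $type${rest:+ $rest}"
    done < "$1"
}
```

The recommended starting line from step 5 is reported as WILDCARD by
design, so the output is a review list rather than a pass/fail result.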