WebAuth for Debian
------------------

This package contains the Apache 2.x modules for the WebAuth
authentication system.  It is not useful by itself; your site also needs
to be running a WebAuth infrastructure including a separate WebKDC and
weblogin server.  See the libapache2-webkdc and webauth-weblogin packages
for the WebKDC server and weblogin server.

You can install the webauth-tests package to get a test suite that you
can use to verify that your installation is working.  See the
documentation of that package for more information.

mod_webauth.html.en and mod_webauthldap.html.en have the formatted
manuals, but they expect to be part of the Apache 2.x documentation tree.
If you wish, you can install the apache2-doc package and then install
them into /usr/share/doc/apache2-doc/manual/mod/ and you will then be
able to read them as intended.

See: for more information about WebAuth, including copies of the module
manuals and places to contact to get help with the installation.

Installing WebAuth
------------------

There are several steps in installing WebAuth that cannot (easily) be
automated, so WebAuth is not active and available immediately after
installing this package.  You must also do the following:

1. Determine your local site WebAuth configuration.  You need to know
   three pieces of information: the URL of the WebKDC service, the URL
   of the weblogin service, and the Kerberos principal used by the
   WebKDC.  These should be part of your local WebAuth documentation.

   If you are setting up a new WebAuth installation from scratch,
   install the libapache2-webkdc and webauth-weblogin packages on the
   system that will serve as the WebKDC and weblogin server, follow
   their installation instructions, and then return here.

2. Obtain a Kerberos keytab for your WebAuth server.  How to obtain a
   keytab varies greatly from one Kerberos site to the next; contact
   your local Kerberos administrator for more information.  Normally,
   the principal for the WebAuth service on www.example.com would be
   named webauth/www.example.com (in your local realm), but this may
   vary at your site.

   However you get this keytab, install it in /etc/webauth/keytab and
   then make sure that it is readable by the web server:

       chgrp www-data /etc/webauth/keytab
       chmod 640 /etc/webauth/keytab

3. Enable the WebAuth module and the generic user authorization module:

       a2enmod authz_user
       a2enmod webauth

   You can skip enabling authz_user if you won't be using directives of
   the form "Require user" or "Require valid-user", but since these
   directives are used in the WebAuth tests and in much of the
   documentation, I recommend enabling that module to avoid confusion.
   (This module is new in Apache 2.2; previously, its functionality was
   built into Apache.)

   The WebAuth module will now be loaded the next time you restart your
   Apache server.  Don't restart the server yet; you still need to
   configure the module.

4. Add the following configuration to /etc/apache2/conf.d/webauth or
   wherever you prefer to put local Apache configuration:

       WebAuthLoginURL
       WebAuthWebKdcURL
       WebAuthWebKdcPrincipal

   where the values of these three directives are the local
   configuration values that you obtained in step 1.

5. Restart Apache:

       apache2ctl graceful

At this point, WebAuth authentication is available.  In order to
protect a section of your web site with WebAuth, just add something
like:

    AuthType WebAuth
    require user example

to a configuration block or a .htaccess file.

Installing the LDAP Module
--------------------------

If you also want to use the WebAuth LDAP module, which supports
authorization through directory entries and obtaining directory
information for authenticated users, you need to additionally do the
following:

1. Add the following configuration to /etc/apache2/conf.d/webauth or
   wherever you prefer to put local Apache configuration:

       WebAuthLdapHost
       WebAuthLdapBase

   where the value of WebAuthLdapHost is your local LDAP server name
   and the value of WebAuthLdapBase is the LDAP search base to use
   (something like dc=example,dc=com).  Your local LDAP administrator
   will be able to provide this information.

2. If you want to use authorization through privilege groups defined by
   the presence of an LDAP attribute in the record of the authenticated
   user, also add a line like:

       WebAuthLdapAuthorizationAttribute

   where the value is a multivalued attribute in the directory entries
   for your users that contains all of the privilege groups that user
   is a member of.

3. Enable the WebAuth LDAP module:

       a2enmod webauthldap

   and restart Apache:

       apache2ctl graceful

You may now use the WebAuthLdapAttribute directive in configuration
blocks or .htaccess files to request that particular LDAP attributes
be put into environment variables, and if you configured a privgroup
attribute, you may now use the "require privgroup" directive to
restrict access to particular web pages to members of that privgroup.

 -- Russ Allbery , Mon, 9 Oct 2006 14:24:51 z
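The site-wide settings from step 4 of the first section and steps 1 and 2 of the LDAP section, together with two protected locations, assembled into one file as an added example (this is not configuration shipped with the package).  Every hostname, URL, principal, attribute name and group name below is a placeholder; replace them with the values from step 1 and from your LDAP administrator.

```apache
# /etc/apache2/conf.d/webauth -- site-wide WebAuth settings.
# All values in this file are placeholders for this example.
WebAuthLoginURL        https://weblogin.example.com/login/
WebAuthWebKdcURL       https://webkdc.example.com/webkdc-service/
WebAuthWebKdcPrincipal service/webkdc@EXAMPLE.COM

# Optional mod_webauthldap settings (only after "a2enmod webauthldap").
WebAuthLdapHost ldap.example.com
WebAuthLdapBase dc=example,dc=com
# Multivalued attribute listing each user's privilege groups
# (placeholder attribute name; use the one your directory defines).
WebAuthLdapAuthorizationAttribute privilegeGroup

# Area restricted to a privilege group.  The same directives could
# instead go in a .htaccess file under that directory.
<Location /staff/>
    AuthType WebAuth
    # Only users whose privilegeGroup attribute contains this
    # placeholder group value are admitted ...
    require privgroup example-staff
    # ... and their mail attribute is placed in the request
    # environment for the application (needs mod_webauthldap).
    WebAuthLdapAttribute mail
</Location>

# Area needing only mod_webauth and authz_user (step 3).
<Location /private/>
    AuthType WebAuth
    require user example
</Location>
```

Run "apache2ctl configtest" before "apache2ctl graceful" so a typo in these directives does not take the server down.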