Michael Olson <[EMAIL PROTECTED]> writes:
> I have no idea how to get AFS and Apache to work right w.r.t. dynamic
> content.  Someone else will have to cover that.

I have the UMBC mod_waklog working on research.cs.berkeley.edu's
cell/webserver.  Caveats:

  - This is still beta code.  It may crash.  Not for critical services
    yet.  But the nice part about this setup is that you don't have to
    trust the webserver any more than you trust a random user.

  - Only works with Apache 1.3.

What you would need would be this:

   # global settings
   LoadModule               waklog_module /usr/lib/apache/1.3/mod_waklog.so
   WaklogUseAFSCell         hcoop.net
   WaklogDefaultPrincipal   [EMAIL PROTECTED] /path/to/[EMAIL PROTECTED]
   WaklogProtected          On

   <Location /some/where/in/webspace/for/user/bob/>
     WaklogProtected On
     WaklogPrincipal bob/[EMAIL PROTECTED] /path/to/bob.cgi.keytab
   </Location>

The "[EMAIL PROTECTED]" user must have "rl" on all directories which will
be served.  This is a limitation imposed by the way Apache's "phases"
work -- it wants to be able to stat() the directory to be served
*before* the point where it decides which user to switch to.

The bob/[EMAIL PROTECTED] principal should be an extra Kerberos principal
(and AFS ID) for each user.  Rather than passwords, these principals
have keytabs, though we do not need to give them to the users -- in
fact, I would recommend against doing so.  Users should never need to
actually authenticate as their /cgi principals -- they just need to
grant permissions to those identities.

Obviously the /cgi principals would not be full login accounts, etc.

A similar setup for procmail may be possible, though I am less
familiar with this situation.

The patch is here (their version uses some Solaris-specific stuff):

  /afs/megacz.com/debian/patches/umbc-mod-waklog-on-debian-linux.patch 

  - a
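As an added illustration (not part of the original message and not mod_waklog's own code), here is a small check for the "rl" requirement above: it parses `fs listacl` output, constructed inline here rather than read from a live cell, and lists the directories where the webserver's default AFS identity would be unable to stat() the directory. The AFS user name www.daemon, the AFS ID bob.cgi and the paths are assumptions.

```python
# Constructed sample of `fs listacl` output for two directories under a
# hypothetical user's web space (names and paths are assumptions).
SAMPLE_LISTACL = {
    "/afs/hcoop.net/user/bob/public_html": (
        "Access list for /afs/hcoop.net/user/bob/public_html is\n"
        "Normal rights:\n"
        "  system:administrators rlidwka\n"
        "  bob rlidwka\n"
        "  bob.cgi rlidwk\n"
        "  system:anyuser rl\n"
    ),
    "/afs/hcoop.net/user/bob/public_html/private": (
        "Access list for /afs/hcoop.net/user/bob/public_html/private is\n"
        "Normal rights:\n"
        "  bob rlidwka\n"
        "  bob.cgi rl\n"
        "  www.daemon rl\n"
        "Negative rights:\n"
        "  www.daemon l\n"
    ),
}


def parse_listacl(text):
    """Split `fs listacl` output into (normal, negative) {name: rights} maps."""
    normal, negative, current = {}, {}, None
    for line in text.splitlines():
        if line.startswith("Normal rights:"):
            current = normal
        elif line.startswith("Negative rights:"):
            current = negative
        elif current is not None and line.startswith("  "):
            name, rights = line.split()
            current[name] = rights
    return normal, negative


def effective_rights(text, principal):
    """Rights AFS grants `principal`: its own entry plus system:anyuser,
    minus anything listed under Negative rights.  Other pts group
    memberships are not resolved here (that would need `pts membership`)."""
    normal, negative = parse_listacl(text)
    granted = set(normal.get(principal, "")) | set(normal.get("system:anyuser", ""))
    denied = set(negative.get(principal, "")) | set(negative.get("system:anyuser", ""))
    return "".join(r for r in "rlidwka" if r in granted - denied)


def dirs_missing_rl(acls, principal):
    """Directories where the webserver identity lacks 'r' or 'l' (or both)."""
    return [path for path, text in acls.items()
            if not {"r", "l"} <= set(effective_rights(text, principal))]
```

In the sample, the private directory grants www.daemon "rl" but then takes "l" back in the negative list, which is exactly the case that breaks Apache's stat() before mod_waklog switches identities.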


_______________________________________________
HCoop-SysAdmin mailing list
[email protected]
http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin