Untar the krb4-nsapi-mod.tgz distribution and edit the Makefile to reflect the location of your Kerberos (and optionally, AFS) installations. If you aren't building with AFS, comment out the AFS definitions. Now run make, and move the resulting krb4_auth.so NSAPI module and the acltest program into your Netscape server binary directory (usually /usr/ns-home/bin/https).
Next, go to your server's configuration directory (usually /usr/ns-home/https-hostname/config). Add the following line to your obj.conf file, after the other Init definitions, to direct the server to load the Kerberos v4 functions:

    Init fn="load-modules" shlib="/path/krb4_auth.so" \
         funcs="krb4_auth_check,krb4_path_check,krb4_service_reply"

Replace /path with the directory you copied krb4_auth.so into. The three names in funcs are the functions the object definitions below refer to, so they must match exactly.
Then add object definitions like the following to obj.conf. Be sure to customize the parameters; the arguments to the Kerberos v4 server application functions are equivalent to the Apache module's KerberosV4 directives. In particular, replace the srvtab path and the server principal with your own, make sure error_document points at a page the server can serve to denied clients, and review requires_ssl and enforce_hmac: the sample requires SSL but leaves enforce_hmac off, so the HMAC-MD5 over the request URL that the auth response carries (described under the CGI notes below) is not enforced.

    <Object name="krb4cgi">
    ObjectType fn="force-type" type="magnus-internal/cgi"
    AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="on"
    PathCheck fn="krb4_path_check" enforce_hmac="off"
    Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="off" error_document="/usr/ns-home/docs/denial.html"
    Service fn="send-cgi"
    </Object>

    <Object name="krb4">
    AuthTrans fn="krb4_auth_check" srvtab="/usr/local/www/srvtab.www" principal="www.lukyduk@UMICH.EDU" requires_ssl="on"
    PathCheck fn="krb4_path_check" enforce_hmac="off"
    Service fn="krb4_service_reply" method="(GET|HEAD|POST)" principal="www.lukyduk@UMICH.EDU" allow_client_caching="off" error_document="/usr/ns-home/docs/denial.html"
    Service fn="imagemap" method="(GET|HEAD)" type="magnus-internal/imagemap"
    Service fn="index-common" method="(GET|HEAD)" type="magnus-internal/directory"
    Service fn="send-cgi" type="magnus-internal/cgi"
    Service fn="send-file" method="(GET|HEAD)" type="*~magnus-internal/*"
    AddLog fn="flex-log" name="access"
    </Object>
For each directory you wish to protect, add a line within the default object definition that looks like:

    NameTrans fn="pfx2dir" from="/dir-to-protect" dir="/usr/ns-home/docs/dir-to-protect" name="krb4-obj-type"

where krb4-obj-type is krb4 or krb4cgi, for regular document trees or CGI directories respectively.
See the Netscape Technical Support site for more info on other server configuration options.
The name of the authenticated client principal appears in the access log messages and is set as auth-user in rq->vars for all other NSAPI modules. Because some browsers mishandle a 401 status, failed authentication attempts are recorded in the access log with status 400 instead of 401.
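That logging choice matters when you look for brute-force or misconfigured clients: a search for 401s misses the Kerberos failures, and a search for 400s also picks up genuine bad requests. As an added example, not part of the krb4-nsapi-mod distribution, the following Python script counts status-400 entries per client host but only under the protected path prefixes from obj.conf, which separates the two. The common-log-format layout (what flex-log is normally configured to write), the addresses and the sample log lines are constructed assumptions for the example.

```python
"""Count failed Kerberos authentication attempts in the server access log.

Added example, not code from krb4-nsapi-mod. Failed attempts are logged with
status 400, so the count is restricted to the protected prefixes to avoid
mixing them with ordinary malformed requests. Log layout and sample lines are
assumptions constructed for this example.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Sequence

# Common log format (assumed flex-log layout):
# host ident authuser [date] "method path protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<bytes>\S+)'
)


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def under_prefix(path: str, prefixes: Sequence[str]) -> bool:
    """True if path lies inside one of the protected directories.

    Matches on a path-segment boundary, so "/dir-to-protect" does not claim
    "/dir-to-protected/...".
    """
    for prefix in prefixes:
        prefix = prefix.rstrip("/")
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def failed_auth_by_host(lines: Iterable[str], protected_prefixes: Sequence[str]) -> Counter:
    """Count status-400 responses under protected prefixes, keyed by client host."""
    counts: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 400 and under_prefix(rec["path"], protected_prefixes):
            counts[rec["host"]] += 1
    return counts


def noisy_hosts(counts: Counter, threshold: int) -> List[str]:
    """Hosts with at least `threshold` failed attempts, sorted for stable output."""
    return sorted(host for host, n in counts.items() if n >= threshold)


# Constructed sample log: three failures then a success from one host, one
# unrelated bad request and one protected failure from another, and a 400 on
# a look-alike directory that must not be counted.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/1998:12:01:17 -0500] "GET /dir-to-protect/index.html HTTP/1.0" 400 0
192.0.2.10 - - [10/Feb/1998:12:01:19 -0500] "GET /dir-to-protect/index.html HTTP/1.0" 400 0
192.0.2.10 - - [10/Feb/1998:12:01:23 -0500] "GET /dir-to-protect/index.html HTTP/1.0" 400 0
192.0.2.10 - jdoe@UMICH.EDU [10/Feb/1998:12:01:40 -0500] "GET /dir-to-protect/index.html HTTP/1.0" 200 2312
192.0.2.20 - - [10/Feb/1998:12:02:05 -0500] "GET /public/index.html HTTP/1.0" 400 0
192.0.2.20 - - [10/Feb/1998:12:02:07 -0500] "GET /dir-to-protect/cgi/report HTTP/1.0" 400 0
192.0.2.30 - - [10/Feb/1998:12:02:30 -0500] "GET /dir-to-protected/x.html HTTP/1.0" 400 0
"""
PROTECTED = ["/dir-to-protect"]

if __name__ == "__main__":
    counts = failed_auth_by_host(SAMPLE_LOG.splitlines(), PROTECTED)
    for host, n in counts.most_common():
        print("%-16s %d failed Kerberos attempts" % (host, n))
    print("over threshold:", noisy_hosts(counts, 3))
```

Point the script at the real access log (one line per iteration) and at the same from= prefixes you used in the NameTrans lines; the threshold is a local policy choice.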
In CGI programs, the name of the Kerberos-authenticated client principal will be set as the environment variable REMOTE_USER, "KerberosV4" will be set as AUTH_TYPE, and the authentication response itself (base-64 encoded service ticket and HMAC-MD5 on the request-URL) will be set as HTTP_COOKIE. Refer to Dave Snyder's KLP C libraries or Jeff Horwitz's Kerberos v4 Perl library for routines to make use of the auth response directly from your CGI programs.
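As an added example, not code from krb4-nsapi-mod or from the libraries named above, here is a Python CGI fragment that applies the checks a program should make before trusting those variables: it accepts REMOTE_USER only when AUTH_TYPE is KerberosV4, splits the Kerberos v4 principal into name, instance and realm, and compares the whole principal (realm included) against an ACL, so neither a different instance nor the same name from a foreign realm is mistaken for the expected user. The HTTPS variable check, the realm allowlist, the ACL and the sample environment are assumptions made for the example; the cookie is passed through untouched for the KLP-style routines mentioned above.

```python
"""Checks a CGI program should make on what krb4_auth hands it.

Added example, not code from krb4-nsapi-mod. It relies only on the variables
the module sets (REMOTE_USER, AUTH_TYPE, HTTP_COOKIE); the HTTPS variable, the
realm allowlist, the ACL and the sample environment are assumptions.
"""
import os
import sys
from typing import Mapping, NamedTuple, Optional, Sequence, Tuple

KRB4_AUTH_TYPE = "KerberosV4"


class Decision(NamedTuple):
    allowed: bool
    reason: str
    principal: Optional[str]   # full name.instance@REALM when allowed
    auth_response: str         # raw HTTP_COOKIE, for ticket-handling libraries


def parse_principal(principal: str) -> Tuple[str, str, str]:
    """Split a Kerberos v4 principal 'name.instance@REALM' into its parts.

    The instance may be absent ('name@REALM'); an empty name or realm is an
    error so that a truncated or garbled value never matches an ACL entry.
    """
    if "@" not in principal:
        raise ValueError("principal has no realm: %r" % (principal,))
    local, realm = principal.rsplit("@", 1)
    name, _sep, instance = local.partition(".")
    if not name or not realm:
        raise ValueError("malformed principal: %r" % (principal,))
    return name, instance, realm


def cgi_auth_decision(environ: Mapping[str, str],
                      acl: Sequence[str],
                      allowed_realms: Sequence[str] = ("UMICH.EDU",),
                      require_ssl: bool = True) -> Decision:
    """Decide whether the request's principal may use this CGI.

    REMOTE_USER is trusted only when AUTH_TYPE shows the Kerberos module set
    it; under any other scheme the name was not proven with a ticket. The
    whole principal is compared, so 'jdoe.admin@UMICH.EDU' and
    'jdoe@OTHER.EDU' do not pass as 'jdoe@UMICH.EDU'.
    """
    cookie = environ.get("HTTP_COOKIE", "")
    # HTTPS=on is the conventional CGI variable for an SSL request (assumed
    # here); checking it in the CGI mirrors the module's requires_ssl setting.
    if require_ssl and environ.get("HTTPS", "").lower() != "on":
        return Decision(False, "not over ssl", None, cookie)
    if environ.get("AUTH_TYPE") != KRB4_AUTH_TYPE:
        return Decision(False, "no kerberos v4 authentication", None, cookie)
    user = environ.get("REMOTE_USER", "")
    try:
        _name, _instance, realm = parse_principal(user)
    except ValueError:
        return Decision(False, "malformed principal", None, cookie)
    if realm not in allowed_realms:
        return Decision(False, "realm not allowed", None, cookie)
    if user not in acl:
        return Decision(False, "not in acl", None, cookie)
    return Decision(True, "ok", user, cookie)


# Constructed sample: what a request through the krb4cgi object might present.
SAMPLE_ENV = {
    "AUTH_TYPE": "KerberosV4",
    "REMOTE_USER": "jdoe@UMICH.EDU",
    "HTTPS": "on",
    "HTTP_COOKIE": "<base64 service ticket and HMAC as set by krb4_auth>",
}
SAMPLE_ACL = ["jdoe@UMICH.EDU", "www.lukyduk@UMICH.EDU"]


def main() -> None:
    """Emit a minimal CGI response based on the real process environment."""
    decision = cgi_auth_decision(os.environ, SAMPLE_ACL)
    headers = ["Content-Type: text/plain"]
    if decision.allowed:
        body = "hello, " + decision.principal
    else:
        headers.insert(0, "Status: 403 Forbidden")
        body = "denied: " + decision.reason
    sys.stdout.write("\r\n".join(headers) + "\r\n\r\n" + body + "\n")


if __name__ == "__main__":
    main()
```

Drop the script into a directory mapped to the krb4cgi object; the denial reasons are deliberately short so they can be logged without echoing the cookie back to the client.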