Installing mod_auth_kerb

This page describes installation of module version 5.0. Installation guide for the older module 4.x can be found here.

Because of variety of krb5/krb4 implementations and apache platforms we do not provide binary distributions of the module. However, building the module from sources is easy and if you have any problems building the module feel free to contact the developers.

Prerequisites

Development enviroment (i.e. libraries and header files) for Kerberos5 and/or Kerberos4.
The module is known to work with the MIT Kerberos implementation (supporting both krb4 and krb5), the kth-krb Kerberos4 implementation, and the Heimdal Kerberos5 implementation. The Kerberos installation on your system should contain the krb4-config and/or krb5-config command(s).
Apache server installed.
Both 1.x and 2.x series of Apache are supported (make sure the apache installation contains the apxs command)
Working C compiler, GNU make.
The source of the module. Also available from the main project site.

You will also need to have an working Kerberos enviroment, of course.

Building and installing the module

Unpack the distribution tarball and run the configure script. The script looks for krb5 and krb4 libraries and headers and then for an Apache installation directory. You can use following flags to specify locations of these files:

--with-krb4=
--with-krb5=
these options are used to specify locations of the installation directories for krb4 and krb5, respectively. If you don't want to compile support for one of the method, use no as the appropriate parameter.
--with-apache=
use this parameter to specify location where the Apache installation resides.

After the configuration script finishes run make followed by make install. You will need to have writing permission for the apache directory in order to install the module. An example of the building stage follows:

./configure --with-krb5=/software/krb5-1.3.1		\
            --with-krb4=no				\
            --with-apache=/software/apache-2.0.47
make
su
make install

After installing the module you have to adapt the apache configuration. See this page for detailed information on configuration.

You can submit any comment, questions, bugs etc. via the project page.

Other Compiling Notes

Linking with SSL

SSLeay's libcrypto redefines the DES functions needed by libkrb. When compiling V4 support with SSL, leave off the -ldes. This will likely cause "unix_time_gmt_unixsec" to not be defined. One way to take care of this problem is the following:
- cd /tmp
- cp /usr/kerberos/lib/libdes.a . (or libdes425.a if Kerberos V5)
- ar x libdes.a
- link unix_time.o into the apache binary by adding it to apache_1.3.6/src/Makefile on the OBJS line (about line 65) as the first item, right before modules.o
- Thanks to Sean Fulton for pointing this out.
If using V5 support, note that libkrb5 needs libcrypto. This causes serious conflicts with the SSL libcrypto library. The best way I found to get around this is to simply specify the full path to libcrypto. In my case, that makes the LIBS line look like:
```
    LIBS=-L/usr/kerberos/lib -lkrb5 \
        /usr/kerberos/lib/libcrypto.a -lcom_err
    
```

Building Apache with mod_auth_kerb

If you want to build the module statically you have to specify a few variables:

LIBS='-L/usr/kerberos/lib -lkrb5 -lcrypto -lcom_err -lresolv' \
CFLAGS=-DKRB5 \
INCLUDES=-I/usr/kerberos/include \
./configure --add-module=src/modules/kerberos/mod_auth_kerb.c
make

Defines

The following defines can be added to the CFLAGS line to add/alter functionality of the compiled module:

APXS2 - Compile with support for the Apache 1.* api.
KRB5 - Compile in Kerberos V5 support.
KRB4 - Compile in Kerberos V4 support.
HEIMDAL - Compile with support for the Heimdal kerberos v5 implementation.
HAVE_KRB5_CC_GEN_NEW - Specify if you krb5 libraries contains the krb5_cc_gen_new call. Currently all Heimdal libraries and MIT 1.3 have this function.