mod_akenti
Akenti Access Control module
for Apache
(For Linux/Unix)
Srilekha S. Mudumbai
[mod_akenti Release 1.0]
Last Updated: Jan 2, 2002
Background
Akenti is a security model and architecture that is intended to
provide scalable security services in highly distributed network
environments. The project goals are:
- to achieve the same level of expressiveness of access control that would
be accomplished through a local human controller in the decision loop
- to accurately reflect the existing policy: authority, delegation, and responsibility present in these environments.
The approach makes use of:
- digitally signed certificates capable of carrying:
- user identity authentication
- resource usage requirements ("use-conditions")
- user attribute authorizations ("attribute certificates")
- set of user rights ("capability certificates")
- delegated authorization ("delegation certificates")
- authorization decisions split among on-line and off-line entities
Download
If you are on Linux/Unix, you must download the source.
In order to get everything to work, you need to have the following:
- Akenti shared object libraries (built from the Akenti source distribution)
- OpenSSL shared object libraries (required). Download openssl from
http://www.openssl.org
- OpenLDAP shared object libraries (required). Download openldap from
http://www.openldap.org
Steps to compile and install
- Compiling with Apache (possible)
I have not tried this option as it involves a whole bunch of things
to be compiled and linked for even small changes in the akenti module.
But you can always use a C++ compiler and statically link both the Akenti
and the Apache libraries in order to make the Apache executable.
- Compiling as Dynamic Shared Object
To use this method, you must have apache compiled and installed with
DSO support.
RedHat Linux comes with Apache compiled with DSO support.
Extract Akenti module
$ gunzip < mod_akenti.tar.gz | tar xvf -
Find out where the program apxs is installed. I assume it is in
/usr/local/apache/bin.
Change the following lines inside the Makefile to point at where apxs and
apachectl are actually installed:
APXS=/usr/local/apache/bin/apxs
APACHECTL=/usr/local/apache/bin/apachectl
- Read Apache INSTALL file
Read the INSTALL file that comes with Apache to configure and start Apache.
- Read mod_ssl INSTALL file
Read the INSTALL file that comes with mod_ssl package.
To download mod_ssl go to http://www.mod_ssl.org
- Prepare httpd.conf
- Getting Apache to Link the stdc++ Library (Ref. Zachary C. Miller)
There are a number of global symbols used by C++ programs which are found
in the C++ Standard Library and which the Apache binary does not normally
need. Normally the C++ compiler/linker takes care of linking the
appropriate libraries into C++ programs, but when a C driver (e.g. Apache)
dynamically loads a C++ shared object the linker is not involved.
You can dynamically load arbitrary shared objects (and their global
symbols) into Apache using the LoadFile directive in the httpd.conf file.
This directive must be specified before any LoadModule directive which
loads a C++ module.
The file you need to load depends on your operating system, compiler
version and C++ standard library version. Compile a dummy C++ program and
run the ldd command on it to determine which file holds the correct
version of the standard C++ library and where it is located.
Do not forget to update your httpd.conf file every time you upgrade your
standard C++ library.
- Getting Apache to Link Akenti .so libraries
You can use the LoadFile directive mentioned above to load the Akenti
engine's shared object libraries. Before loading the Akenti .so libraries
you must load the OpenSSL shared object libraries and then the OpenLDAP
shared object libraries, so that the symbols Akenti depends on are already
present when it is loaded. Please note that the ordering is very important.
- AkentiConf directive
The Akenti policy engine requires an Akenti configuration file. The
AkentiConf directive passes that configuration file to Akenti via Apache.
You must give the absolute path name of the configuration file.
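The "Prepare httpd.conf" steps above, worked as a small shell script. This is an added example, not code from the mod_akenti distribution: it picks the C++ standard library out of ldd output, emits the LoadFile/LoadModule/AkentiConf fragment in the order the steps require, and checks an existing fragment for that order (including the absolute-path requirement of AkentiConf). The ldd output is a constructed sample; the install directories, the libakenti.so library name, the akenti_module identifier and the libexec/mod_akenti.so path are placeholders and assumptions, so substitute whatever your own build produced.

```sh
#!/bin/sh
# Added example, not code from the mod_akenti distribution. Helpers for the
# "Prepare httpd.conf" steps: locate the C++ runtime from ldd output, emit the
# LoadFile/LoadModule/AkentiConf fragment in the required order, and check an
# existing fragment for that order. Install directories, the libakenti.so name,
# the akenti_module identifier and the libexec/mod_akenti.so path are
# placeholders; use what your own build produced.

# Constructed sample of `ldd ./dummy` output for a dummy C++ program (not
# captured from a real host). On a real host generate it with:
#   echo 'int main() { return 0; }' > dummy.cc && g++ dummy.cc -o dummy && ldd dummy
SAMPLE_LDD='        libstdc++.so.5 => /usr/lib/libstdc++.so.5 (0x40020000)
        libm.so.6 => /lib/libm.so.6 (0x400d0000)
        libc.so.6 => /lib/libc.so.6 (0x400f0000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)'

# find_libstdcxx LDD_OUTPUT: print the resolved path of the C++ standard
# library, the file httpd must LoadFile before any C++ module. Fails (status 1)
# when the library is not listed, so a caller never writes an empty LoadFile.
find_libstdcxx() {
    _cxx=$(printf '%s\n' "$1" | awk '/libstdc\+\+/ {
        for (i = 1; i <= NF; i++) if ($i ~ /^\//) { print $i; exit }
    }')
    [ -n "$_cxx" ] || return 1
    printf '%s\n' "$_cxx"
}

# emit_akenti_conf CXX_LIB OPENSSL_LIBDIR OPENLDAP_LIBDIR AKENTI_LIBDIR AKENTI_CONF:
# print the httpd.conf fragment. Order matters: the C++ runtime first, then
# OpenSSL, then OpenLDAP, then the Akenti engine, and only then the module,
# because httpd is a C program and nothing else resolves those symbols.
# AkentiConf must be an absolute path, so a relative one is rejected.
emit_akenti_conf() {
    case "$5" in
        /*) ;;
        *)  echo "AkentiConf requires an absolute path, got: $5" >&2; return 1 ;;
    esac
    cat <<EOF
# C++ runtime first: a C host (httpd) dlopen()ing a C++ module does not pull it in
LoadFile $1
# OpenSSL, then OpenLDAP, in dependency order
LoadFile $2/libcrypto.so
LoadFile $2/libssl.so
LoadFile $3/liblber.so
LoadFile $3/libldap.so
# Akenti engine library (file name is a placeholder)
LoadFile $4/libakenti.so
# The module itself, after everything it links against (names are assumptions)
LoadModule akenti_module libexec/mod_akenti.so
# Absolute path to the Akenti configuration file
AkentiConf $5
EOF
}

# check_load_order CONF_TEXT: succeed only if libstdc++, OpenSSL and OpenLDAP
# are each loaded with LoadFile before the Akenti library, and the Akenti
# library before the LoadModule line for mod_akenti.so. Comment lines are
# ignored. Adjust the /akenti/ pattern to the real Akenti library name.
check_load_order() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*#/ { next }
        $1 == "LoadFile" {
            if ($2 ~ /libstdc\+\+/)      cxx = NR
            if ($2 ~ /libssl|libcrypto/) ssl = NR
            if ($2 ~ /libldap|liblber/)  ldap = NR
            if ($2 ~ /akenti/)           akenti = NR
        }
        $1 == "LoadModule" && $3 ~ /mod_akenti/ { module = NR }
        END {
            if (!cxx || !ssl || !ldap || !akenti || !module) exit 1
            if (cxx > akenti || ssl > akenti || ldap > akenti) exit 1
            if (akenti > module) exit 1
            exit 0
        }'
}

# Stand-alone run: print a fragment for placeholder install locations.
CXX_LIB=$(find_libstdcxx "$SAMPLE_LDD") || echo "libstdc++ not found in ldd output" >&2
emit_akenti_conf "$CXX_LIB" /usr/local/ssl/lib /usr/local/lib /usr/local/akenti/lib \
    /usr/local/akenti/etc/akenti.conf
```

Run it once to see the fragment, then paste the real paths into httpd.conf and feed the resulting block to check_load_order before restarting the server; the check reads only LoadFile and LoadModule lines, so the rest of httpd.conf can be passed in unchanged.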
- Makefile Usage
If you are outside the Akenti environment (i.e. you have downloaded the
Akenti source separately and built the Akenti shared object libraries),
you must set the following environment variables before using the
Makefile; otherwise you can expect warnings and errors. The environment
variables are:
- APACHE_HOME - The Apache web server home directory
- AKENTI_HOME - The Akenti home directory
- OPENSSL_HOME - The openssl library home directory
- OPENLDAP_HOME - The openldap library home directory
- LOGGER_HOME - The NetLogger library home directory
If you are within the Akenti environment (mod_akenti is also included in
the Akenti 1.1 source), you must modify two variables inside Makefile.in:
- APACHECTL= {APACHE_HOME}/bin/apachectl
- APXS= {APACHE_HOME}/bin/apxs
Start Apache
Apache can be started, restarted and stopped through the Makefile.
- make install (loads the most recently compiled version of mod_akenti.so
into the directory where Apache searches for dynamic objects)
- make restart (restarts the Apache server)
- make startssl (starts the secure Apache server)
- make stop (stops the Apache server)
- make reload (loads the most recently compiled version of
mod_akenti.so to the directory where Apache searches for dynamic objects,
then stops and starts the secure Apache server)
Explanation of directives
Please refer to the "Prepare httpd.conf" section of this document.
Passing Control to other modules
The current version of mod_akenti does not address this. But it is
possible to hand control over to other Apache modules if the HTTP
resource requested is not controlled by Akenti. This provision will be
added in the next version and will require additional directives in the
httpd.conf file.
Supporting access controlled and non-access controlled resources
The current version of mod_akenti does not address this feature. By
handing control over to other modules, Akenti can become part of an
existing non-access-controlled server with minor configuration changes.
SSL is still required. This feature will require additional directives
in the httpd.conf file and some changes in the Akenti module.