author Jan Pazdziora <jpazdziora@redhat.com> 2014-01-08 13:45:37 +0800
committer Jan Pazdziora <jpazdziora@redhat.com> 2014-01-09 09:25:49 +0800
commit 22605e7336e2346c781207f286a032ce668c2e2a (patch)
tree 9cfbd2bf819672b8cb588bd6a636ac980c5026dc
parent 476703f669d8795ffe7684d1d400191545ce6f6f (diff)
List the PAM authorization feature first to de-emphasise Basic Auth.
-rw-r--r-- README 59
-rw-r--r-- authnz_pam.conf 16
-rw-r--r-- mod_authnz_pam.spec 10
3 files changed, 43 insertions, 42 deletions
diff --git a/README b/README
index 5becfe9..016d8d2 100644
--- a/README
+++ b/README
@@ -2,16 +2,42 @@
Apache module mod_authnz_pam
============================
-Apache module mod_authnz_pam serves as Basic Authentication provider
-which runs the [login, password] authentication through the PAM
-stack. It can also be used as an authorization module, supplementing
-authentication done by other modules, for example mod_auth_kerb.
+Apache module mod_authnz_pam serves as PAM authorization module,
+supplementing authentication done by other modules, for example
+mod_auth_kerb. It can also be used as a full Basic Authentication
+provider for testing purposes, running the [login, password]
+authentication through the PAM stack.
The primary intended use is in connection with sssd and pam_sss.so.
Module configuration
--------------------
+Authorization:
+
+Let us assume there is already Kerberos authentication configured:
+
+ <Location /private>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms EXAMPLE.COM
+ Krb5KeyTab /etc/http.keytab
+ KrbLocalUserMapping On
+ Require valid-user
+ </Location>
+
+The Require valid-user line can be replaced by
+
+ Require pam-account pam_service_name
+
+for example to run authorization check for the Kerberos-authenticated
+user using the PAM service pam_service_name.
+
+This can be useful to get for example host-based access control from
+an IPA server for the web service.
+
Basic Authentication:
The module is configured using the
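Review bot: the example in the added Authorization section still ends with `Require valid-user`, and the PAM check only appears in the prose that follows, so anyone copying the <Location /private> block gets Kerberos authentication with no PAM authorization at all. Consider showing the block with `Require pam-account pam_service_name` already in place, as the /login example in authnz_pam.conf does, and mention the valid-user form only as what it replaces. Also, "serves as PAM authorization module" in the new opening paragraph is missing an article ("as a PAM authorization module").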
@@ -42,31 +68,6 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content
to authenticate against sssd.
-Authorization:
-
-Let us assume there is already Kerberos authentication configured:
-
- <Location /private>
- AuthType Kerberos
- AuthName "Kerberos Login"
- KrbMethodNegotiate On
- KrbMethodK5Passwd Off
- KrbAuthRealms EXAMPLE.COM
- Krb5KeyTab /etc/http.keytab
- KrbLocalUserMapping On
- Require valid-user
- </Location>
-
-The Require valid-user line can be replaced by
-
- Require pam-account pam_service_name
-
-for example to run authorization check for the Kerberos-authenticated
-user using the PAM service pam_service_name.
-
-This can be useful to get for example host-based access control from
-an IPA server for the web service.
-
On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
be enabled:
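Review bot: with the Authorization section moved up, the SELinux note in the trailing context ("boolean allow_httpd_mod_auth_pam needs to be enabled") now directly follows the Basic Authentication text and reads as if it applied only to that mode. If the boolean is also required for `Require pam-account`, give the note its own heading or move it so that it clearly covers both uses.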
diff --git a/authnz_pam.conf b/authnz_pam.conf
index 41cb70d..da57cd8 100644
--- a/authnz_pam.conf
+++ b/authnz_pam.conf
@@ -1,14 +1,6 @@
# LoadModule authnz_pam_module modules/mod_authnz_pam.so
#
-# <Location /protected>
-# AuthType Basic
-# AuthName "private area"
-# AuthBasicProvider PAM
-# AuthPAMService webapp
-# Require valid-user
-# </Location>
-#
# <Location /login>
# AuthType Kerberos
# AuthName "Kerberos Login"
@@ -19,4 +11,12 @@
# KrbLocalUserMapping On
# Require pam-account webapp
# </Location>
+#
+# <Location /protected>
+# AuthType Basic
+# AuthName "private area"
+# AuthBasicProvider PAM
+# AuthPAMService webapp
+# Require valid-user
+# </Location>
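Review bot: the re-added /protected block at the end of the file has no comment marking it as the secondary use, while the README in this same commit describes the Basic Authentication provider as being "for testing purposes". A one-line comment above `# <Location /protected>` saying so would keep the sample config consistent with the README and make it less likely that the block is uncommented as the default setup.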
diff --git a/mod_authnz_pam.spec b/mod_authnz_pam.spec
index 9178823..a05696d 100644
--- a/mod_authnz_pam.spec
+++ b/mod_authnz_pam.spec
@@ -4,7 +4,7 @@
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
-Summary: PAM Basic Authentication provider and authorization checker
+Summary: PAM authorization checker and PAM Basic Authentication provider
Name: mod_authnz_pam
Version: 0.5
Release: 1%{?dist}
@@ -24,10 +24,10 @@ Requires: pam
%{?filter_setup}
%description
-mod_authnz_pam is a Basic Authentication provider which runs the
-[login, password] authentication through the PAM stack; it can also
-be used as an authorization module, supplementing authentication
-done by other modules, for example mod_auth_kerb.
+mod_authnz_pam is a PAM authorization module, supplementing
+authentication done by other modules, for example mod_auth_kerb; it
+can also be used as full Basic Authentication provider which runs the
+[login, password] authentication through the PAM stack.
%prep
%setup -q -n %{name}-%{version}
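Review bot: the new %description drops the "for testing purposes" qualifier that the README wording in this commit adds, and says "as full Basic Authentication provider" where the README has "as a full Basic Authentication provider". The package description is what users see in package metadata, so suggest matching the README sentence so that both carry the same qualifier and article.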