author | Jan Pazdziora <jpazdziora@redhat.com> | 2020-07-09 14:12:20 +0200 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2020-07-09 16:19:25 +0200 |
commit | 025f62adcd1fe0d74264f7ee28efc757b75d5152 (patch) | |
tree | 87b9dd1bfa2eedb4935b0f8c33b8c705dfcd6e0a /README | |
parent | 622996a9a7d462cdb51cd2a2c5ecd3b00bb48b85 (diff) | |
Clarify account behaviour with AuthBasicProvider and interaction with Require pam-account.
Diffstat (limited to 'README')
-rw-r--r-- | README | 27 |
1 files changed, 26 insertions, 1 deletions
@@ -68,6 +68,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content to authenticate against sssd. +As part of the Basic Authentication operation, both PAM authentication +and PAM account verification (auth and account in PAM service +configuration) are run. This is to ensure that the HTTP status 401 +is returned when the user is not permitted to log in, allowing fallback +to different authentication mechanism. That also means that for the +above example + + AuthBasicProvider PAM + AuthPAMService tlwiki + +it is not necessary to use + + Require pam-account tlwiki + +and + + Require valid-user + +is enough because the account verification will be run as part of the +HTTP authentication. In fact, using Require pam-account with the same +PAM service name will cause the account PAM checks to be run twice. +On the other hand, it is possible to configure Require pam-account +with different PAM service name than the AuthPAMService value and get +two separate account PAM checks during the Basic Authentication. + Handling expired password: AuthPAMExpiredRedirect <URL> @@ -111,7 +136,7 @@ should build and install the module. License ------- -Copyright 2014--2018 Jan Pazdziora +Copyright 2014--2020 Jan Pazdziora Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. |
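Review bot: in the first README hunk, the new paragraph justifies running the account check inside Basic Authentication by the 401 status it produces, but the closing sentences on a second "Require pam-account" with a different PAM service name do not say what the client receives when that second check fails. Please state that outcome, since readers who rely on fallback to another mechanism need to know whether the two checks behave the same. It would also help to show the recommended directives together (AuthBasicProvider PAM, AuthPAMService tlwiki, Require valid-user) as one block rather than split across "it is not necessary to use" and "and". Two wording nits: "fallback to different authentication mechanism" and "with different PAM service name" are each missing an article ("a different").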
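Review bot: in the second README hunk, the copyright year bump from "2014--2018" to "2014--2020" in the License section is unrelated to the account-behaviour clarification named in the commit message. Either mention it in the message or move it to its own commit so the documentation change can be reviewed and reverted independently.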