author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-08 13:45:37 +0800 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-09 09:25:49 +0800 |
commit | 22605e7336e2346c781207f286a032ce668c2e2a (patch) | |
tree | 9cfbd2bf819672b8cb588bd6a636ac980c5026dc /README | |
parent | 476703f669d8795ffe7684d1d400191545ce6f6f (diff) | |
List the PAM authorization feature first to de-emphasise Basic Auth.
Diffstat (limited to 'README')
-rw-r--r-- | README | 59 |
1 files changed, 30 insertions, 29 deletions
@@ -2,16 +2,42 @@ Apache module mod_authnz_pam ============================ -Apache module mod_authnz_pam serves as Basic Authentication provider -which runs the [login, password] authentication through the PAM -stack. It can also be used as an authorization module, supplementing -authentication done by other modules, for example mod_auth_kerb. +Apache module mod_authnz_pam serves as PAM authorization module, +supplementing authentication done by other modules, for example +mod_auth_kerb. It can also be used as a full Basic Authentication +provider for testing purposes, running the [login, password] +authentication through the PAM stack. The primary intended use is in connection with sssd and pam_sss.so. Module configuration -------------------- +Authorization: + +Let us assume there is already Kerberos authentication configured: + + <Location /private> + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/http.keytab + KrbLocalUserMapping On + Require valid-user + </Location> + +The Require valid-user line can be replaced by + + Require pam-account pam_service_name + +for example to run authorization check for the Kerberos-authenticated +user using the PAM service pam_service_name. + +This can be useful to get for example host-based access control from +an IPA server for the web service. + Basic Authentication: The module is configured using the 
@@ -42,31 +68,6 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content to authenticate against sssd. -Authorization: - -Let us assume there is already Kerberos authentication configured: - - <Location /private> - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate On - KrbMethodK5Passwd Off - KrbAuthRealms EXAMPLE.COM - Krb5KeyTab /etc/http.keytab - KrbLocalUserMapping On - Require valid-user - </Location> - -The Require valid-user line can be replaced by - - Require pam-account pam_service_name - -for example to run authorization check for the Kerberos-authenticated -user using the PAM service pam_service_name. - -This can be useful to get for example host-based access control from -an IPA server for the web service. - On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled: |
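Review bot: In the first hunk (README, @@ -2,16 +2,42 @@), the new Authorization section uses `Require pam-account pam_service_name` before the README has said how a PAM service name maps to a file; the only such explanation, the /etc/pam.d/tlwiki example, now comes later under Basic Authentication. Suggest adding a sentence after the `Require pam-account` line that names the corresponding /etc/pam.d/ file, or pointing to the tlwiki example. Two smaller points in the same hunk: the intro now says Basic Authentication is "for testing purposes", but the unchanged "Basic Authentication:" section carries no such statement, so a reader who jumps to that section will not see it; and "to run authorization check" and "to get for example host-based access control" would read better as "to run an authorization check" and "for example, to get host-based access control".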
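Review bot: In the second hunk (README, @@ -42,31 +68,6 @@), removing the Authorization block leaves the sentence "On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled:" directly after the Basic Authentication text ending "to authenticate against sssd.", so it now reads as part of that section only. If the boolean is also required when the module is used through `Require pam-account`, which is now the primary documented use, give the SELinux note its own label in the same style as "Authorization:" and "Basic Authentication:", or state that it applies to both configurations.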