author: Jan Pazdziora <jpazdziora@redhat.com> 2014-01-06 12:32:57 +0800
committer: Jan Pazdziora <jpazdziora@redhat.com> 2014-01-06 15:10:13 +0800
commit: c80a81dacc4eeae4a28de6713c77978b2dd4ff64 (patch)
tree: cf58454505210a4da40eeb6fb20e8e80c0ba8a16 /README
parent: 67060fba58bfe53f5e81447eb623c386549773d9 (diff)
Add support for require pam-account the-service-name.
Diffstat (limited to 'README')
-rw-r--r-- README 30
1 files changed, 29 insertions, 1 deletions
diff --git a/README b/README
index f6c80b1..5becfe9 100644
--- a/README
+++ b/README
@@ -4,13 +4,16 @@ Apache module mod_authnz_pam
Apache module mod_authnz_pam serves as Basic Authentication provider
which runs the [login, password] authentication through the PAM
-stack.
+stack. It can also be used as an authorization module, supplementing
+authentication done by other modules, for example mod_auth_kerb.
The primary intended use is in connection with sssd and pam_sss.so.
Module configuration
--------------------
+Basic Authentication:
+
The module is configured using the
AuthBasicProvider PAM
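Review bot: the new introductory sentence (`+stack. It can also be used as an authorization module, supplementing` / `+authentication done by other modules, for example mod_auth_kerb.`) says what the module can now do but not how that mode is switched on; naming the directive (`Require pam-account`) here, with a pointer to the Authorization section further down, would stop a reader from assuming that `AuthBasicProvider PAM` has to be set for the authorization case as well. Style point: `+Basic Authentication:` introduces a label-with-colon sub-heading inside a README whose sections use dashed underlines; either convention is fine, but the two new labels and any later ones should use the same one.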
@@ -39,6 +42,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content
to authenticate against sssd.
+Authorization:
+
+Let us assume there is already Kerberos authentication configured:
+
+ <Location /private>
+ AuthType Kerberos
+ AuthName "Kerberos Login"
+ KrbMethodNegotiate On
+ KrbMethodK5Passwd Off
+ KrbAuthRealms EXAMPLE.COM
+ Krb5KeyTab /etc/http.keytab
+ KrbLocalUserMapping On
+ Require valid-user
+ </Location>
+
+The Require valid-user line can be replaced by
+
+ Require pam-account pam_service_name
+
+for example to run authorization check for the Kerberos-authenticated
+user using the PAM service pam_service_name.
+
+This can be useful to get for example host-based access control from
+an IPA server for the web service.
+
On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
be enabled:
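Review bot: the prose around `+ Require pam-account pam_service_name` should state which user name is handed to the PAM account stage and why the example carries `+ KrbLocalUserMapping On`: that line is what makes the Kerberos identity line up with a local account name, and a reader who copies the snippet without it may have the account check evaluated against a name the PAM service (pam_sss.so, per the introduction) does not know, so the dependency should be spelled out rather than left implicit in the example. It would also help to say, as the Basic Authentication section does for /etc/pam.d/tlwiki, that /etc/pam.d/pam_service_name must exist with an account entry, and what the module does when the service file is missing, since a missing or empty account stack is the kind of misconfiguration that should fail closed. Minor: `to run authorization check` reads better as `to run an authorization check`.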