author | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-06 12:32:57 +0800 |
---|---|---|
committer | Jan Pazdziora <jpazdziora@redhat.com> | 2014-01-06 15:10:13 +0800 |
commit | c80a81dacc4eeae4a28de6713c77978b2dd4ff64 (patch) | |
tree | cf58454505210a4da40eeb6fb20e8e80c0ba8a16 /README | |
parent | 67060fba58bfe53f5e81447eb623c386549773d9 (diff) | |
Add support for require pam-account the-service-name.
Diffstat (limited to 'README')
-rw-r--r-- | README | 30 |
1 files changed, 29 insertions, 1 deletions
@@ -4,13 +4,16 @@ Apache module mod_authnz_pam Apache module mod_authnz_pam serves as Basic Authentication provider which runs the [login, password] authentication through the PAM -stack. +stack. It can also be used as an authorization module, supplementing +authentication done by other modules, for example mod_auth_kerb. The primary intended use is in connection with sssd and pam_sss.so. Module configuration -------------------- +Basic Authentication: + The module is configured using the AuthBasicProvider PAM @@ -39,6 +42,31 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content to authenticate against sssd. +Authorization: + +Let us assume there is already Kerberos authentication configured: + + <Location /private> + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/http.keytab + KrbLocalUserMapping On + Require valid-user + </Location> + +The Require valid-user line can be replaced by + + Require pam-account pam_service_name + +for example to run authorization check for the Kerberos-authenticated +user using the PAM service pam_service_name. + +This can be useful to get for example host-based access control from +an IPA server for the web service. + On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled: |
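Review bot: In the intro hunk (@@ -4,13 +4,16 @@), the added sentence "It can also be used as an authorization module" does not name the directive that enables this, so a reader of the opening paragraph cannot tell how the authorization mode is selected or that it is configured separately from "AuthBasicProvider PAM". Suggest naming Require pam-account in that sentence and saying which PAM step it runs, since the first sentence still describes the module only as a "Basic Authentication provider".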
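Review bot: In the Authorization hunk (@@ -39,6 +42,31 @@), the text says Require valid-user can be replaced by "Require pam-account pam_service_name" but never says what /etc/pam.d/pam_service_name has to contain, whereas the Basic Authentication part just above walks through /etc/pam.d/tlwiki. Suggest adding the matching PAM service file example for the account check and stating what the module does when that service is not configured, because in the example this line becomes the only Require for /private. The sentence "for example to run authorization check for the Kerberos-authenticated user" reads better with "for example" dropped, and the SELinux paragraph in the trailing context now sits under "Authorization:" although it is not specific to that mode, so a separating heading would help.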