From 22605e7336e2346c781207f286a032ce668c2e2a Mon Sep 17 00:00:00 2001 From: Jan Pazdziora Date: Wed, 8 Jan 2014 13:45:37 +0800 Subject: List the PAM authorization feature first to de-emphasise Basic Auth. --- README | 59 +++++++++++++++++++++++++++-------------------------- authnz_pam.conf | 16 +++++++-------- mod_authnz_pam.spec | 10 ++++----- 3 files changed, 43 insertions(+), 42 deletions(-) diff --git a/README b/README index 5becfe9..016d8d2 100644 --- a/README +++ b/README @@ -2,16 +2,42 @@ Apache module mod_authnz_pam ============================ -Apache module mod_authnz_pam serves as Basic Authentication provider -which runs the [login, password] authentication through the PAM -stack. It can also be used as an authorization module, supplementing -authentication done by other modules, for example mod_auth_kerb. +Apache module mod_authnz_pam serves as PAM authorization module, +supplementing authentication done by other modules, for example +mod_auth_kerb. It can also be used as a full Basic Authentication +provider for testing purposes, running the [login, password] +authentication through the PAM stack. The primary intended use is in connection with sssd and pam_sss.so. Module configuration -------------------- +Authorization: + +Let us assume there is already Kerberos authentication configured: + + + AuthType Kerberos + AuthName "Kerberos Login" + KrbMethodNegotiate On + KrbMethodK5Passwd Off + KrbAuthRealms EXAMPLE.COM + Krb5KeyTab /etc/http.keytab + KrbLocalUserMapping On + Require valid-user + + +The Require valid-user line can be replaced by + + Require pam-account pam_service_name + +for example to run authorization check for the Kerberos-authenticated +user using the PAM service pam_service_name. + +This can be useful to get for example host-based access control from +an IPA server for the web service. + Basic Authentication: The module is configured using the 
@@ -42,31 +68,6 @@ tlwiki example, file /etc/pam.d/tlwiki could be created with content to authenticate against sssd. -Authorization: - -Let us assume there is already Kerberos authentication configured: - - - AuthType Kerberos - AuthName "Kerberos Login" - KrbMethodNegotiate On - KrbMethodK5Passwd Off - KrbAuthRealms EXAMPLE.COM - Krb5KeyTab /etc/http.keytab - KrbLocalUserMapping On - Require valid-user - - -The Require valid-user line can be replaced by - - Require pam-account pam_service_name - -for example to run authorization check for the Kerberos-authenticated -user using the PAM service pam_service_name. - -This can be useful to get for example host-based access control from -an IPA server for the web service. - On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to be enabled: diff --git a/authnz_pam.conf b/authnz_pam.conf index 41cb70d..da57cd8 100644 --- a/authnz_pam.conf +++ b/authnz_pam.conf @@ -1,14 +1,6 @@ # LoadModule authnz_pam_module modules/mod_authnz_pam.so # -# -# AuthType Basic -# AuthName "private area" -# AuthBasicProvider PAM -# AuthPAMService webapp -# Require valid-user -# -# # # AuthType Kerberos # AuthName "Kerberos Login" @@ -19,4 +11,12 @@ # KrbLocalUserMapping On # Require pam-account webapp # +# +# +# AuthType Basic +# AuthName "private area" +# AuthBasicProvider PAM +# AuthPAMService webapp +# Require valid-user +# diff --git a/mod_authnz_pam.spec b/mod_authnz_pam.spec index 9178823..a05696d 100644 --- a/mod_authnz_pam.spec +++ b/mod_authnz_pam.spec @@ -4,7 +4,7 @@ %{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}} %{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}} -Summary: PAM Basic Authentication provider and authorization checker +Summary: PAM authorization checker and PAM Basic Authentication provider Name: mod_authnz_pam Version: 0.5 Release: 1%{?dist} 
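Review bot: In the authnz_pam.conf hunk, the commented Basic Auth example (`AuthBasicProvider PAM` / `AuthPAMService webapp`) is moved below the Kerberos one but still carries no caveat, although the README hunk of this commit now describes Basic Authentication as being "for testing purposes". Since this provider hands the submitted password to the PAM stack, the credentials involved are presumably real account passwords, and Basic Auth resends them with every request. I would add a comment line above the block, e.g. `# Basic Authentication, for testing only; enable it only on a TLS-protected location.` The new `%description` in mod_authnz_pam.spec (last hunk) likewise omits the "for testing purposes" qualifier and could carry it for consistency with the README.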
@@ -24,10 +24,10 @@ Requires: pam %{?filter_setup} %description -mod_authnz_pam is a Basic Authentication provider which runs the -[login, password] authentication through the PAM stack; it can also -be used as an authorization module, supplementing authentication -done by other modules, for example mod_auth_kerb. +mod_authnz_pam is a PAM authorization module, supplementing +authentication done by other modules, for example mod_auth_kerb; it +can also be used as full Basic Authentication provider which runs the +[login, password] authentication through the PAM stack. %prep %setup -q -n %{name}-%{version} -- cgit