Apache module mod_authnz_pam
============================
Apache module mod_authnz_pam serves as a Basic Authentication provider
which runs the [login, password] authentication through the PAM
stack. It can also be used as an authorization module, supplementing
authentication done by other modules, for example mod_auth_kerb.
The primary intended use is in connection with sssd and pam_sss.so.
Module configuration
--------------------
Basic Authentication:

The module is configured using the

    AuthBasicProvider PAM

directive and then by specifying the PAM service name:

    AuthPAMService name_of_the_PAM_service

The PAM service to authenticate against.

Example:

    <Location /private>
        AuthType Basic
        AuthName "private area"
        AuthBasicProvider PAM
        AuthPAMService tlwiki
        Require valid-user
    </Location>

The PAM service needs to be configured. For the tlwiki example shown
above, file /etc/pam.d/tlwiki could be created with content

    auth    required pam_sss.so
    account required pam_sss.so

to authenticate against sssd.
Authorization:

Let us assume there is already Kerberos authentication configured:

    <Location /private>
        AuthType Kerberos
        AuthName "Kerberos Login"
        KrbMethodNegotiate On
        KrbMethodK5Passwd Off
        KrbAuthRealms EXAMPLE.COM
        Krb5KeyTab /etc/http.keytab
        KrbLocalUserMapping On
        Require valid-user
    </Location>

The Require valid-user line can be replaced by

    Require pam-account pam_service_name

to run, for example, an authorization check for the Kerberos-authenticated
user using the PAM service pam_service_name.

This can be useful, for example, to get host-based access control from
an IPA server for the web service.

On SELinux enabled systems, boolean allow_httpd_mod_auth_pam needs to
be enabled:

    setsebool -P allow_httpd_mod_auth_pam 1
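Both configurations above depend on a PAM service file that matches what the Apache directives name: the Basic Authentication example creates /etc/pam.d/tlwiki with auth and account lines, and Require pam-account exercises the account phase of its service. The following script is an added example, not code from mod_authnz_pam: it reads an Apache config, collects the services named by AuthPAMService (auth and account phases) and Require pam-account (account phase), and reports any service whose pam.d file is missing or lacks the needed stanza. PAM_DIR is an assumed override so the check can run against a constructed tree instead of /etc/pam.d.

```shell
#!/bin/sh
# Added example (not part of mod_authnz_pam): confirm that every PAM service
# an Apache config names has a matching $PAM_DIR/<service> file carrying
# the stanzas that service will be exercised with. AuthPAMService (Basic
# auth, as in the README's tlwiki example) needs auth and account lines;
# "Require pam-account" needs an account line. PAM_DIR is an assumed
# override; it defaults to /etc/pam.d.
PAM_DIR="${PAM_DIR:-/etc/pam.d}"

# Print "service:phase" requirements found in one Apache config file.
pam_requirements_in() {
    sed -e 's/#.*//' "$1" |
    awk '$1 == "AuthPAMService" { print $2 ":auth"; print $2 ":account" }
         $1 == "Require" && $2 == "pam-account" { print $3 ":account" }' |
    sort -u
}

# Succeed only if $PAM_DIR/<service> exists and has a line for <phase>.
pam_phase_ok() {
    f="$PAM_DIR/$1"
    [ -f "$f" ] && grep -Eq "^[[:space:]]*$2[[:space:]]" "$f"
}

# Report on every requirement in the config; return 0 only if all are met.
check_config() {
    rc=0
    for req in $(pam_requirements_in "$1"); do
        svc=${req%%:*}
        phase=${req#*:}
        if pam_phase_ok "$svc" "$phase"; then
            echo "ok      $svc: '$phase' stanza present in $PAM_DIR/$svc"
        else
            echo "MISSING $svc: no '$phase' line in $PAM_DIR/$svc"
            rc=1
        fi
    done
    return $rc
}
```

Run it as `check_config /etc/httpd/conf.d/private.conf` on the web server; a non-zero exit means a named PAM service would fail at the auth or account phase rather than at config load time.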
Building from sources
---------------------
When building from sources, the command

    apxs -i -a -c mod_authnz_pam.c -lpam -Wall -pedantic

should build and install the module.
License
-------
Copyright 2014 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.