
Re: Apache PAM Auth module



On Tuesday 01 April 2008 17:59:29 Les Mikesell wrote:
> > With the modules mentioned above you can use PAM as well, but the actual
> > authentication is done after an indirection and takes place outside of
> > the httpd process. Of course you need some other elevated entity to
> > access /etc/shadow then. In case of mod_auth(nz)_external that is a
> > suid-root binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd,
> > which you might already be using if you host secure SMTP, IMAP or LDAP on
> > the box.
>
> I can't find much documentation on how to glue these together but it
> does sound like it would work for my situation if the performance hit
> from an external process to authenticate every page isn't too bad.

Check that saslauthd is running and is using PAM as its backend. You can tell 
from the -a command line option which backend it uses. Then make sure httpd 
has rw access to the unix socket given to saslauthd as the -m option.

I think performance should be sufficient if you prefork enough saslauthd 
instances (-n option) for your needs. If not, it might be worth considering 
implementing some kind of caching in the httpd module. Please let me know if 
you run into trouble here.

> Is there an example of the configuration needed for web authentication
> with no account info somewhere?  I'm using Centos and am fairly sure the
> smtp and imap authentication already tracks the system PAM configuration
> so the sasl/pam setup is probably already there.

For the httpd module part I can only help you on how it is done with 
mod_authn_sasl, which I maintain. A sample .htaccess would look like:

AuthType Basic
AuthName "private area"
AuthBasicProvider sasl
AuthBasicAuthoritative On
AuthSaslPwcheckMethod saslauthd
Require valid-user

Note that mod_authn_sasl is for Apache httpd 2.2 only, so you might need to 
look at mod_auth_sasl if your httpd is older.

Regards
Heiko

_______________________________________________
Pam-list mailing list
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list
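
The checks described in the reply above (backend from -a, socket from -m, instance count from -n), as an added example that is not part of the original message or of mod_authn_sasl. The function names and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a saslauthd command line for the options named in the reply.
# SAMPLE_CMDLINE is constructed. On a live host, take it from: ps -o args= -C saslauthd
SAMPLE_CMDLINE='/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 10'

# Print the value of single-letter option $1 found in command line $2.
# Accepts "-a pam" and "-apam"; bundled flags such as "-ca pam" are not handled.
sasl_opt() {
    want=$1
    set -f              # split on whitespace without expanding globs
    set -- $2
    set +f
    while [ $# -gt 0 ]; do
        case $1 in
            "-$want")
                if [ $# -ge 2 ]; then printf '%s\n' "$2"; return 0; fi
                return 1 ;;
            "-$want"?*)
                printf '%s\n' "${1#-$want}"; return 0 ;;
        esac
        shift
    done
    return 1
}

# Succeed only if the backend (-a) is pam; report socket directory (-m) and
# process count (-n) when they are given on the command line.
audit_saslauthd() {
    cmd=$1
    backend=$(sasl_opt a "$cmd") || { echo "FAIL: no -a option found"; return 1; }
    [ "$backend" = pam ] || { echo "FAIL: backend is '$backend', not pam"; return 1; }
    dir=$(sasl_opt m "$cmd") || dir='(not set)'
    procs=$(sasl_opt n "$cmd") || procs='(not set)'
    echo "OK: backend=pam socket_dir=$dir processes=$procs"
}

# Run as the httpd user: true if the saslauthd socket is read/writable.
# saslauthd creates its socket as "mux" inside the -m directory.
can_rw_socket() {
    [ -S "$1/mux" ] && [ -r "$1/mux" ] && [ -w "$1/mux" ]
}

audit_saslauthd "$SAMPLE_CMDLINE"
```

can_rw_socket only gives a meaningful answer when it is run under the account httpd runs as, since it tests the calling user's access to the socket.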
