
Re: [tlug] Apache mod_auth_pam module



Way back when, I asked how to make the Apache ModAuthPam module play nicely
with the PAM pam_smb_auth module. I finally came up with a solution, but it
is not for the faint of heart. In case anyone else would like to know how to
make Apache authenticate off a Windows domain without a local account, dig
this:

Grab mod_auth_pam and pam_smb_auth, compile and install them. Verify that
pam_smb_auth is working first. A simple test is editing your /etc/pam.d/su
file to read:


#%PAM-1.0

# root may su without a password; everyone else must be in wheel
# (checked against the real uid) and give a valid domain password
auth       sufficient   /lib/security/pam_rootok.so
auth       required     /lib/security/pam_wheel.so use_uid
auth       required     /lib/security/pam_smb_auth.so debug


Now, when you 'su foo', it should succeed when you enter foo's domain
password (and foo has a local account).

The next step is setting up mod_auth_pam to use pam_smb_auth. Your
/etc/pam.d/httpd should read:


#%PAM-1.0
auth       required     /lib/security/pam_smb_auth.so nolocal
account    required     /lib/security/pam_permit.so


This will allow basic auth to succeed with mod_auth_pam. You must enable
mod_auth_pam in your httpd.conf like this:


LoadModule pam_auth_module    /usr/lib/apache/mod_auth_pam.so
AddModule mod_auth_pam.c


Then, something like this (again, an excerpt from an httpd.conf) should work:


<Directory /home/httpd/htdocs/pamtest>
  AuthType Basic
  AuthName "pamtest"
  require valid-user
</Directory>


The reason that you have to use pam_permit.so in the /etc/pam.d/httpd PAM
config file is that mod_auth_pam always checks for a valid account, even
if you do *not* include an 'account    required' line in the config file.
I consider this a bug, and coded up a patch that fixes that.
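As an added illustration (not part of the original post or of mod_auth_pam's own code), here is a small Python model of how PAM walks a stack under the required/requisite/sufficient/optional control flags. It reproduces the behaviour described above: the /etc/pam.d/httpd from this post succeeds, while the same file without the account line is denied. The dispatch rules and the module outcomes are simplified assumptions; nothing here calls the real libpam.

```python
# Added example, not from the post: a simplified model of how Linux-PAM walks
# a stack, enough to show why mod_auth_pam needs an 'account' line at all.
# Module outcomes are constructed stand-ins; nothing here calls the real PAM.

PAM_SUCCESS, PAM_AUTH_ERR, PAM_PERM_DENIED = "success", "auth_err", "perm_denied"

def parse_pam_conf(text):
    """Parse /etc/pam.d-style lines into {type: [(control, module, args)]}."""
    stacks = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops comments, incl. #%PAM-1.0
        if not line:
            continue
        mtype, control, module, *args = line.split()
        stacks.setdefault(mtype, []).append((control, module.rsplit("/", 1)[-1], args))
    return stacks

def run_stack(stack, outcomes):
    """Evaluate one management group with required/requisite/sufficient/optional."""
    if not stack:
        return PAM_PERM_DENIED   # Linux-PAM logs "no modules loaded" and denies
    failure, succeeded = None, False
    for control, module, _args in stack:
        result = outcomes.get(module, PAM_AUTH_ERR)   # unknown module counts as failure
        if result == PAM_SUCCESS:
            succeeded = True
            if control == "sufficient" and failure is None:
                return PAM_SUCCESS          # short-circuit, e.g. pam_rootok for root
        elif control == "required":
            failure = failure or result     # remember the failure, keep walking
        elif control == "requisite":
            return result                   # fail right away
        # failing 'sufficient' or 'optional' modules are simply skipped
    if failure:
        return failure
    return PAM_SUCCESS if succeeded else PAM_PERM_DENIED

def mod_auth_pam_login(conf_text, outcomes):
    """mod_auth_pam calls pam_authenticate() and then always pam_acct_mgmt()."""
    stacks = parse_pam_conf(conf_text)
    auth = run_stack(stacks.get("auth", []), outcomes)
    return auth if auth != PAM_SUCCESS else run_stack(stacks.get("account", []), outcomes)

# The /etc/pam.d/httpd from the post; DOMAIN_OK stands in for a good domain password.
HTTPD_CONF = """#%PAM-1.0
auth       required     /lib/security/pam_smb_auth.so nolocal
account    required     /lib/security/pam_permit.so
"""
DOMAIN_OK = {"pam_smb_auth.so": PAM_SUCCESS, "pam_permit.so": PAM_SUCCESS}
```

Dropping the account line from HTTPD_CONF makes mod_auth_pam_login() return perm_denied even for a correct password, which is exactly the symptom the pam_permit.so line works around.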

My patch is available from and described at http://www.jmglov.net/ if
anyone is interested. It also adds a debug function to mod_auth_pam.


-- 
Josh Glover <jmglov@example.com>

Associate Systems Administrator
INCOGEN, Inc.
http://www.incogen.com/

GPG keyID 0x62386967 (7479 1A7A 46E6 041D 67AE  2546 A867 DBB1 6238 6967)
gpg --keyserver pgp.mit.edu --recv-keys 62386967


