HOWTO PAM authentication with Apache 2.2 and mod_authnz_external

From Gentoo Linux Wiki

Preface

mod_authnz_external lets Apache hand authentication to an external program, so you can use any authentication method you like: a script you wrote, LDAP, PAM and so on.

This howto is about PAM because I used mod_auth_pam before, but after upgrading Apache this module broke and, although nothing had changed in the configuration, I was not able to use this module again. So I searched for a replacement and found mod_authnz_external (and had some trouble configuring it).

Why not mod_auth_pam?

There are three reasons why you should not use mod_auth_pam:

  • The module isn't under active development
  • Apache 2.2 has a new authentication framework, and mod_auth_pam has to disable it in order to work
  • Apache with mod_auth_pam needs read-access to /etc/shadow, which may be a security risk

Installation

Two programs are needed, both provided by Portage (you may have to unmask them):

  • www-apache/mod_authnz_external, which provides the interface to Apache authentication
  • www-apache/pwauth, which actually does the authentication. You may choose to use another program instead if you have special needs.

Configuration

  • Edit your /etc/conf.d/apache2 and add -D AUTHNZ_EXTERNAL to APACHE2_OPTS
  • You must not edit /etc/apache2/modules.d/10_mod_authnz_external.conf!

Instead, create a new file:

File: /etc/apache2/vhosts.d/auth.include
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
AddExternalGroup unixgroup /usr/sbin/unixgroup
SetExternalGroupMethod unixgroup environment

  • Include this file at the bottom of all your virtual servers where you need authentication with this module, for example the default vhost and the SSL vhost:
File: /etc/apache2/vhosts.d/00_default_vhost.conf
<VirtualHost *:80>
        ServerName www.example.com:80
        Include /etc/apache2/vhosts.d/default_vhost.include

        <IfModule mpm_peruser_module>
                ServerEnvironment apache apache
        </IfModule>
        Include /etc/apache2/vhosts.d/auth.include
</VirtualHost>

Do not put this include directive into default_vhost.include!

  • Configure your secured web-area to use mod_authnz_external:
File: .htaccess
        AuthType Basic
        AuthName "This is private"
        AuthBasicProvider external
        AuthExternal pwauth
        GroupExternal unixgroup
        ...

Don't forget to append your require/order/...-statements.

  • Restart Apache
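
The pipe method set in auth.include is a small contract: mod_authnz_external writes the user name and the password to the authenticator's standard input, one per line, and treats exit status 0 as success. The stand-in below shows what a replacement for pwauth has to do; it is an added example, not part of the original howto or of pwauth, and the demo account, salt, length cap and the exit codes 1 and 2 are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""Stand-in authenticator for mod_authnz_external's "pipe" method (added example)."""
import hashlib
import hmac
import sys

MAX_LEN = 256         # assumed cap on each input line; fail closed beyond it
ITERATIONS = 100_000  # PBKDF2 rounds for the constructed demo store


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed demo account; a real deployment would query PAM, LDAP, etc.
DEMO_SALT = b"constructed-salt"
DEMO_USERS = {"alice": hash_password("correct horse", DEMO_SALT)}


def read_credentials(stream):
    """Pipe method: line 1 is the user name, line 2 the password."""
    lines = []
    for _ in range(2):
        line = stream.readline(MAX_LEN + 2)
        if not line.endswith("\n"):   # missing, truncated or overlong line
            return None
        lines.append(line.rstrip("\r\n"))
    user, password = lines
    if not user or len(user) > MAX_LEN or len(password) > MAX_LEN:
        return None
    return user, password


def authenticate(stream) -> int:
    """Return the exit status Apache sees: 0 accepts, anything else rejects."""
    creds = read_credentials(stream)
    if creds is None:
        return 2                      # malformed input: reject
    user, password = creds
    # Hash even for unknown users so both paths cost the same.
    expected = DEMO_USERS.get(user, b"\0" * 32)
    supplied = hash_password(password, DEMO_SALT)
    return 0 if hmac.compare_digest(expected, supplied) else 1


if __name__ == "__main__":
    sys.exit(authenticate(sys.stdin))
```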