mod_auth_pam configuration using supplementary groups

I have been playing with trying to get mod_auth_pam to work on my apache 
1.3 install. The pam setup is standard for Redhat 7.3; that is:

[]# cat /etc/pam.d/system-auth
#%PAM-1.0
auth     required   /lib/security/pam_env.so
auth     sufficient /lib/security/pam_unix.so likeauth nullok
auth     required   /lib/security/pam_deny.so
account  required   /lib/security/pam_unix.so
password required   /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow
password required   /lib/security/pam_deny.so
session  required   /lib/security/pam_limits.so
session  required   /lib/security/pam_unix.so

[]# cat /etc/pam.d/httpd
#%PAM-1.0
auth    required        /lib/security/pam_stack.so service=system-auth
account required        /lib/security/pam_stack.so service=system-auth

The section in my apache config that I am using to test is:

<Location /protected/>
  AllowOverride None

  <Limit GET POST OPTIONS PROPFIND>
    AuthName "Dav"
    AuthType Basic
    require group www
  </Limit>
</Location>

I am having a problem though in that when the required group is a user's 
primary group then authentication succeeds, but when it is a supplementary 
group it doesn't.

The authentication itself isn't failing because I put the debug option on 
the pam_unix for auth and it only complains when I put in a bad password 
either way. I read in the changelog that there was a patch to support 
supplemental groups, but I can't find a call to getgroups in the auth 
function. (I haven't written C in about 4 years, so I am a little rusty.) =)

I was wondering if anyone here knew the status of this? I am wanting to 
get this worked out because mod_dav requires all files to be writable by 
the webserver process and having pam will help with getting at least a 
modicum of security in place.

Will Holcomb
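
The following is an added example, not part of the original post and not mod_auth_pam's own code. It shows a membership check that accepts both the primary group (pw_gid) and supplementary membership (the group's gr_mem list). getgroups() reports the groups of the calling process, so for an authenticated user name the group database is the place to look. The names check_membership and constructed_case, and the sample users and gids, are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

enum membership { NOT_MEMBER, PRIMARY_MEMBER, SUPPLEMENTARY_MEMBER };

/* Decide membership from already-resolved passwd and group entries. */
static enum membership check_membership(const struct passwd *pw,
                                        const struct group *gr)
{
    char **m;
    if (pw == NULL || gr == NULL)
        return NOT_MEMBER;               /* unknown user or group: deny */
    if (pw->pw_gid == gr->gr_gid)
        return PRIMARY_MEMBER;           /* the case that already works */
    for (m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, pw->pw_name) == 0)
            return SUPPLEMENTARY_MEMBER; /* listed in the group's members */
    return NOT_MEMBER;
}

/* Constructed sample data (not from the post): group "www", gid 48,
 * with "bob" as its only listed member. */
static enum membership constructed_case(const char *user, gid_t primary_gid)
{
    static char www[] = "www", bob[] = "bob";
    char *members[] = { bob, NULL };
    struct passwd pw;
    struct group gr;
    memset(&pw, 0, sizeof pw);
    memset(&gr, 0, sizeof gr);
    pw.pw_name = (char *)user;
    pw.pw_gid = primary_gid;
    gr.gr_name = www;
    gr.gr_gid = 48;
    gr.gr_mem = members;
    return check_membership(&pw, &gr);
}

int main(int argc, char **argv)
{
    static const char *label[] = { "not a member", "primary", "supplementary" };
    if (argc == 3) /* live lookup: ./a.out USER GROUP */
        printf("%s\n", label[check_membership(getpwnam(argv[1]), getgrnam(argv[2]))]);
    printf("alice, gid 48: %s\n", label[constructed_case("alice", 48)]);
    printf("bob, gid 500:  %s\n", label[constructed_case("bob", 500)]);
    return 0;
}
```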





