Have you thought about using mod_auth_external? This way Apache doesn't have to have the rights for reading shadow, but uses a PAM-enabled setuid-root password checker program that does it. See http://www.unixpapa.com/mod_auth_external.html for the module.
Definitely looks like the better solution for compartmentalizing the process. I'll have to see if I can get it in RPM form.
_______________________________________________
Pam-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/pam-list