On Tuesday 01 April 2008 17:59:29 Les Mikesell wrote:
> > With the modules mentioned above you can use PAM as well, but the actual
> > authentication is done after an indirection and takes place outside of
> > the httpd process. Of course you need some other elevated entity to
> > access /etc/shadow then. In case of mod_auth(nz)_external that is a
> > suid-root binary (pwauth). In case of mod_auth(n)_sasl it is saslauthd,
> > which you might already be using if you host secure SMTP, IMAP or LDAP on
> > the box.
>
> I can't find much documentation on how to glue these together but it
> does sound like it would work for my situation if the performance hit
> from an external process to authenticate every page isn't too bad.

Check that saslauthd is running and is using PAM as its backend. You can tell from the -a command line option which backend it uses. Then make sure httpd has rw access to the unix socket given to saslauthd as the -m option.

I think performance should be sufficient if you prefork enough saslauthd instances (-n option) for your needs. If not it might be worth considering to implement some kind of caching into the httpd module. Please let me know if you run into trouble here.

> Is there an example of the configuration needed for web authentication
> with no account info somewhere? I'm using Centos and am fairly sure the
> smtp and imap authentication already tracks the system PAM configuration
> so the sasl/pam setup is probably already there.

For the httpd module part I can only help you on how it is done with mod_authn_sasl, which I maintain. A sample .htaccess would look like:

    AuthType Basic
    AuthName "private area"
    AuthBasicProvider sasl
    AuthBasicAuthoritative On
    AuthSaslPwcheckMethod saslauthd
    Require valid-user

Note that mod_authn_sasl is for Apache httpd 2.2 only, so you might need to look at mod_auth_sasl if your httpd is older.

Regards
Heiko
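
The checks described in the message above (backend via -a, socket via -m, worker count via -n), as an added shell example that is not part of the original message or of mod_authn_sasl. The function names are hypothetical, the sample command line is constructed, and it assumes saslauthd creates its socket file as `mux` inside the -m directory.

```shell
#!/bin/sh
# Added example: audit a saslauthd command line before pointing mod_authn_sasl at it.

# Print the value of single-letter option $1 (a, m or n) from the saslauthd
# command line given as the remaining arguments; return 1 if it is absent.
saslauthd_opt() {
    want=$1; shift
    while [ $# -gt 0 ]; do
        case $1 in
            -"$want")   [ $# -ge 2 ] && printf '%s\n' "$2"; return 0 ;;  # "-a pam"
            -"$want"?*) printf '%s\n' "${1#-?}"; return 0 ;;             # "-apam"
        esac
        shift
    done
    return 1
}

# Return 0 only when the backend (-a) is pam; print the settings httpd depends on.
audit_saslauthd() {
    backend=$(saslauthd_opt a "$@") || { echo "no -a option found"; return 1; }
    [ "$backend" = pam ] || { echo "backend is '$backend', not pam"; return 1; }
    dir=$(saslauthd_opt m "$@") || dir="<compiled-in default>"
    workers=$(saslauthd_opt n "$@") || workers="<default>"
    echo "backend=pam socket=$dir/mux workers=$workers"
}

# Run as the httpd user: return 0 when the socket under directory $1 is usable.
# Assumption: saslauthd creates its socket as "mux" inside the -m directory.
socket_usable() {
    [ -x "$1" ] || { echo "cannot enter $1"; return 1; }
    [ -S "$1/mux" ] || { echo "$1/mux is not a socket"; return 1; }
    [ -r "$1/mux" ] && [ -w "$1/mux" ] || { echo "no rw access to $1/mux"; return 1; }
}

# Constructed sample command line. On a live Linux host, use instead:
#   audit_saslauthd $(ps -C saslauthd -o args= | head -n 1)
SAMPLE='/usr/sbin/saslauthd -m /var/run/saslauthd -a pam -n 10'
audit_saslauthd $SAMPLE
```

Run `socket_usable` under the account httpd runs as, since the result depends on the calling user's permissions on the directory and the socket.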