Apache module mod_authnz_pam
Apache module mod_authnz_pam serves as PAM authorization module, supplementing authentication done by other modules, for example mod_auth_kerb. It can also be used as a full Basic Authentication provider, running the [login, password] authentication through the PAM stack.
The primary intended use is in connection with SSSD and pam_sss.so but any PAM service with any PAM stack configuration for auth and account management groups can be used.
Download mod_authnz_pam-1.2.3.tar.gz, the latest release. See the source at either GitHub or fedorapeople.org.
Basic Authentication
The module is configured using the
- AuthBasicProvider PAM
- AuthPAMService name_of_the_PAM_service
- The PAM service to authenticate against.
Example:
<Location /private> AuthType Basic AuthName "private area" AuthBasicProvider PAM AuthPAMService tlwiki Require valid-user </Location>
The PAM service needs to be configured. For the above shown tlwiki example, file /etc/pam.d/tlwiki could be created with content
auth required pam_sss.so account required pam_sss.soto authenticate against sssd.
As part of the Basic Authentication operation, both PAM authentication and PAM account verification (auth and account in PAM service configuration) are run. This is to ensure that the HTTP status 401 is returned when the user is not permitted to log in, allowing fallback to different authentication mechanism. That also means that for the above example
AuthBasicProvider PAM AuthPAMService tlwikiit is not necessary to use
Require pam-account tlwikisince
Require valid-useris enough because the account verification will be run as part of the HTTP authentication. In fact, using Require pam-account with the same PAM service name will cause the account PAM checks to be run twice. On the other hand, it is possible to configure Require pam-account with different PAM service name than the AuthPAMService value and get two separate account PAM checks during the Basic Authentication.
Handling expired password
- AuthPAMExpiredRedirect <URL> [<status>]
For both the authorization and HTTP Basic authentication case, if the password the user has presented has expired (PAM return codes PAM_CRED_EXPIRED or PAM_NEW_AUTHTOK_REQD), when AuthPAMExpiredRedirect is specified with a URL, redirect is made to that location. For FreeIPA server, the setting would be
AuthPAMExpiredRedirect https://<IPA-server>/ipa/ui/reset_password.htmlBy default the redirect is done using 303 See Other. The redirect status can be specified as numerical value in the 3xx range.
It is also possible to use placeholders in the URL that will be replaced with current location (for backreference) and username (to prefill) on the target page:
- %s
- URL of the current page.
- %u
- The username that was used for the PAM authentication.
- %%
- The character % itself.
For example for FreeIPA 4.1+, the value can actually be
https://<IPA-server>/ipa/ui/reset_password.html?url=%s
SELinux
On SELinux enabled systems, boolean httpd_mod_auth_pam needs to be enabled:
setsebool -P httpd_mod_auth_pam 1
Building from sources
When building from sources, command
apxs -i -a -c mod_authnz_pam.c -lpam -Wall -pedanticshould build and install the module.
License
Copyright 2013--2022 Jan Pazdziora
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.