Apache NIS accounts authentication

In the past, I used mod_auth_sys as a compiled-in module in apache1.3.28 on the Sun Solaris platform to authenticate NIS user accounts for confidential web pages. For apache2.2.19 under CentOS (well, most of our Sun workstations are retiring), I use mod_authnz_external_3.2.5 and mod_authz_unixgroup_1.0.2 for this purpose.

The mod_authnz_external module lets apache use an external application (pwauth here) for user authentication, while mod_authz_unixgroup lets apache use unix groups instead of individual usernames for access control in .htaccess.

Compile and install them as loadable modules into the apache server (in my case, the apache server is manually installed to /export/web/apache):


% cd {source dir}/mod_authnz_external-3.2.5
% /export/web/apache/bin/apxs -c mod_authnz_external.c
% /export/web/apache/bin/apxs -i -a mod_authnz_external.la
% cd {source dir}/mod_authz_unixgroup-1.0.2
% /export/web/apache/bin/apxs -c mod_authz_unixgroup.c
% /export/web/apache/bin/apxs -i -a mod_authz_unixgroup.la

Ensure the loadable module authz_user_module is also loaded. Here is my list of loadable modules related to authentication:


LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule authz_unixgroup_module modules/mod_authz_unixgroup.so
LoadModule authnz_external_module modules/mod_authnz_external.so

I use pwauth-2.3.9, as mentioned in the README in the mod_authnz_external source directory, as the external application for authenticating our NIS users.

Now check the uid of the user who runs apache (the uid is 1230 for webuser here), as only webuser should be allowed to run pwauth. In {source dir}/pwauth-2.3.9/config.h, uncomment the line for PAM, and then comment out the definitions of “SHADOW_SUN” and “MIN_UNIX_UID”:


/* #define SHADOW_SUN /* Linux, Solaris, IRIX */
#define PAM /* Linux PAM or OpenPAM */
/*#define MIN_UNIX_UID 500 /**/
#define SERVER_UIDS 1230 /* user webuser uid :1230 */

Update {source dir}/pwauth-2.3.9/Makefile:


#LIB= -lcrypt
# For PAM on Redhat Linux
LIB=-lpam -ldl

After finishing the make for pwauth, I copy it to /usr/local/bin. According to the readme for pwauth, you need to setuid it to root because it needs to read the shadow password file on CentOS. However, in my case I only need it to authenticate our NIS users, not local users, so I do not setuid it to root. If you need it to authenticate local users as well, you must do the setuid.

Create a file /etc/pam.d/pwauth as follows:


auth include system-auth
account include system-auth

Now back to the configuration of httpd.conf. I want to ensure that only NIS users in the unix groups “techstf” and “infogrp” are allowed into the web page http://www.mysite.com:1080/local/ :

NameVirtualHost *:1080
<VirtualHost *:1080>
…….
AddExternalAuth pwauth /usr/local/bin/pwauth
SetExternalAuthMethod pwauth pipe
….
Alias /local/ "/export/web/apache/htdocs/"
<Location /local/>
AuthType Basic
AuthName "Restricted"
AuthBasicProvider external
AuthExternal pwauth
require group techstf infogrp
</Location>
</VirtualHost>
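
A pre-flight check for the pwauth setup above, as an added example that is not part of the original post or of pwauth: it drives an authenticator the way the pipe method does (user name and password on stdin, one per line, exit status 0 accepts) and reports whether the binary is setuid or writable by group or other. The function names and the stub authenticator are constructed for illustration; to test the real binary, call pipe_auth on /usr/local/bin/pwauth as the SERVER_UIDS user (webuser here).

```shell
#!/bin/sh
# Added example: pre-flight checks for an authenticator used with
# "SetExternalAuthMethod pwauth pipe". All function names are hypothetical.

# Pipe method: the server writes the user name and the password to the
# authenticator's stdin, one per line; exit status 0 means "accept".
pipe_auth() {  # usage: pipe_auth /path/to/authenticator user password
    printf '%s\n%s\n' "$2" "$3" | "$1" >/dev/null 2>&1
}

# Report the properties of the binary that decide how far it can be trusted.
audit_binary() {  # usage: audit_binary /path/to/authenticator
    [ -f "$1" ] && [ -x "$1" ] || { echo "missing-or-not-executable"; return 1; }
    if [ -u "$1" ]; then echo "setuid"; else echo "not-setuid"; fi
    # Anyone who can rewrite the authenticator sees every submitted password.
    if [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \))" ]; then
        echo "writable-by-group-or-other"; return 1
    fi
    echo "write-restricted"
}

# Constructed stand-in for pwauth so the checks run without NIS or PAM:
# it accepts only user "alice" with password "correct horse".
make_stub() {  # usage: make_stub /path/to/new/stub
    cat > "$1" <<'EOF'
#!/bin/sh
IFS= read -r user
IFS= read -r pass
[ "$user" = "alice" ] && [ "$pass" = "correct horse" ]
EOF
    chmod 755 "$1"
}

selftest() {
    dir=$(mktemp -d) || return 1
    make_stub "$dir/stub"
    audit_binary "$dir/stub"
    pipe_auth "$dir/stub" alice "correct horse" && echo "accept: good password"
    pipe_auth "$dir/stub" alice "wrong" || echo "reject: bad password"
    rm -rf "$dir"
}

if [ "${1:-}" = "--selftest" ]; then selftest; fi
```
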
