[OpenAFS] PTS lookup via LDAP or apache2

Chris Huebsch chris.huebsch@informatik.tu-chemnitz.de
Mon, 4 Sep 2006 09:53:50 +0200 (CEST)

On Mon, 4 Sep 2006, Chris Huebsch wrote:
> Some time ago, I wrote a pam module called pam_afs_groups and an Apache
> module mod_auth_afs_group (with the help of Thomas Mueller).

Perhaps I should explain the usage of both modules...

pam_afs_groups is used for services using PAM as their authentication base.

You can use it in the auth section of PAM like this:

auth required pam_afs_groups.so	groups chu:test,foo:bar

mod_auth_afs_group is an Apache2 module.

It provides the following options:

AuthAFSGROUP_Enabled on|off
    If on, mod_auth_afs_group will try to verify
    any 'require afsgroup <list of groups>' against
    the PT-Server of the current cell.

    If off, mod_auth_afs_group will DECLINE immediately.

    This will make Apache try other modules.

    Defaults to on

AuthAFSGROUP_ValidateGroups on|off

    If on, makes mod_auth_afs_group deny access if one
    or more of the groups don't exist in the PT-Database.

    Defaults to off

Here is a sample .htaccess:

AuthType Basic
AuthName AFS-Groups
AuthAuthoritative off

AuthPam_Enabled on

AuthAFSGROUP_ValidateGroups off

require afsgroup chu:test foo:bar

Note that you need another Apache module to authenticate the user. In my case
it is mod_auth_pam.

"AuthAuthoritative off" is necessary to tell mod_auth that "require afsgroup"
is a valid require statement.

  TU Chemnitz, Informatik, VSR  | Chemnitzer Linux-Tage 2007, 3.-4. Maerz
   Str. d. Nationen 62, B204    |     http://chemnitzer.linux-tage.de
        D-09107 Chemnitz        |
+49 371 531-31118, Fax -831118 | http://www.huebsch-gemacht.de -> weblog
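
Added example (not part of the original post and not code from either module): a small Python audit that checks a .htaccess using 'require afsgroup' against the points made in the message above. The directive names and the Enabled/ValidateGroups defaults come from the post; treating an absent AuthAuthoritative as "on" and expecting an AuthType line are assumptions, and the sample input is constructed.

```python
# Constructed sample: the post's .htaccess with "AuthAuthoritative off" left out.
SAMPLE = """\
AuthType Basic
AuthName AFS-Groups
AuthPam_Enabled on
AuthAFSGROUP_ValidateGroups off
require afsgroup chu:test foo:bar
"""

def parse(text):
    """Map each lowercased directive name to the list of its argument strings."""
    directives = {}
    for raw in text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        directives.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return directives

def setting(d, name, default):
    """Last value given for a directive, or the default when it is absent."""
    return d.get(name.lower(), [default])[-1].strip().lower()

def afs_groups(d):
    """Group names listed on 'require afsgroup ...' lines."""
    groups = []
    for args in d.get("require", []):
        tokens = args.split()
        if tokens and tokens[0].lower() == "afsgroup":
            groups.extend(tokens[1:])
    return groups

def audit(text):
    """Return (code, message) findings for a .htaccess that uses 'require afsgroup'."""
    d = parse(text)
    if not afs_groups(d):
        return []
    findings = []
    if setting(d, "AuthAFSGROUP_Enabled", "on") == "off":   # default "on" per the post
        findings.append(("enabled-off", "module DECLINEs; afsgroup lines are not verified by it"))
    if setting(d, "AuthAuthoritative", "on") != "off":      # assumed default: on
        findings.append(("authoritative", "AuthAuthoritative off is needed for 'require afsgroup'"))
    if "authtype" not in d:                                  # assumption: Basic auth setup
        findings.append(("no-authtype", "another module must authenticate the user first"))
    if setting(d, "AuthAFSGROUP_ValidateGroups", "off") != "on":  # default "off" per the post
        findings.append(("validate-off", "groups missing from the PT database are not denied on that basis"))
    return findings

if __name__ == "__main__":
    for code, message in audit(SAMPLE):
        print(f"{code}: {message}")
```

The validate-off finding is informational: the post's own sample runs with ValidateGroups off, so it only marks places where a misspelled group name would not be rejected as nonexistent.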