[OpenAFS] PTS lookup via LDAP or apache2
Christopher D. Clausen
cclausen@acm.org
Mon, 4 Sep 2006 03:08:34 -0500
Chris Huebsch <chris.huebsch@informatik.tu-chemnitz.de> wrote:
> On Mon, 4 Sep 2006, Chris Huebsch wrote:
>> Some time ago, I wrote a pam module called pam_afs_groups and an
>> Apache module mod_auth_afs_group (with the help of Thomas Mueller).
>
> Perhaps I should explain the usage of both modules...
Well, one of the other admins has it sort-of up and running. We'll need
to do more testing though.
> pam_afs_groups is used for services using pam as authentication
> base.
> you can use it in the auth-section of pam like that:
>
> auth required pam_afs_groups.so groups chu:test,foo:bar
>
> mod_auth_afs_group is an Apache2 module.
>
> It provides the following options:
>
> AuthAFSGROUP_Enabled on|off
> If on, mod_auth_afs_group will try to verify
> any 'require afsgroup <list of groups>' against
> the PT-Server of the current cell.
>
> If off, mod_auth_afs_group will DECLINE immediately.
>
> This will make Apache try other modules.
>
> Defaults to on
>
> AuthAFSGROUP_ValidateGroups on|off
>
> If on, makes mod_auth_afs_group deny access, if one
> or more of the Groups don't exist in the PT-Database.
>
> Defaults to off
>
>
> Here is a sample .htaccess
> -------------------
> SSLRequireSSL
> AuthType Basic
> AuthName AFS-Groups
> AuthAuthoritative off
>
> AuthPam_Enabled on
>
> AuthAFSGROUP_ValidateGroups off
>
> require afsgroup chu:test foo:bar
> -------------------
>
> Note that you need another Apache module to authenticate the user.
> In my case it is mod_auth_pam.
>
> "AuthAuthoritative off" is necessary to tell mod_auth that "require
> afsgroup" is a valid require statement.
Hmm. If I am trying to use mod_auth_kerb (for SSO via SPNEGO) and it
appends a realm to the user name, is that going to cause issues?
For instance, right now I can login as either cclausen@AD.UIUC.EDU or as
cclausen@ACM.UIUC.EDU. Those names are passed through apache to other
modules. Is this supported with your module?
<<CDC
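The following is an added example written for this archive page; it is not code from pam_afs_groups or mod_auth_afs_group and does not reflect how those modules actually implement anything. It models the `require afsgroup` decision as the quoted description lays it out (Enabled off declines; ValidateGroups on denies when a listed group is missing; otherwise membership in any listed group grants access) and adds the step the realm question above is really about: turning a principal name as mod_auth_kerb delivers it (`user@REALM`) into a PTS user name. The mapping rule used here (local-realm principals become the bare name, foreign-realm principals become `user@realm` with the realm lower-cased, as aklog names cross-realm users) and the in-memory `PTS_GROUPS` table standing in for the PT-Server are both assumptions, labelled in the code.

```python
"""Added example, not code from pam_afs_groups / mod_auth_afs_group.

Models the 'require afsgroup' check described in the thread and the
principal-to-PTS-name mapping that mod_auth_kerb's user names require.

Assumptions (not taken from the thread):
  * A local-realm principal user@LOCAL.REALM maps to the bare PTS name
    'user'; a foreign-realm principal maps to 'user@realm' with the realm
    lower-cased (the naming aklog uses for cross-realm users).
  * The PT-Server is replaced by a constructed in-memory dict; a real
    implementation would query it (e.g. via 'pts membership').
"""
from typing import Dict, List, Optional, Set

LOCAL_REALM = "ACM.UIUC.EDU"  # assumption: the cell's own Kerberos realm

# Constructed sample PTS data: group name -> set of member PTS names.
PTS_GROUPS: Dict[str, Set[str]] = {
    "chu:test": {"chu", "cclausen"},
    "foo:bar": {"foo", "cclausen@ad.uiuc.edu"},
}


def principal_to_pts_name(principal: str, local_realm: str = LOCAL_REALM) -> str:
    """Map a Kerberos principal (as mod_auth_kerb passes it on) to a PTS user name."""
    if "@" not in principal:
        return principal  # already a bare name, nothing to strip
    user, realm = principal.rsplit("@", 1)
    if realm.upper() == local_realm.upper():
        return user  # local-realm users carry bare PTS names (assumption)
    return f"{user}@{realm.lower()}"  # foreign-realm users: user@realm, lower-cased (assumption)


def parse_require_afsgroup(line: str) -> Optional[List[str]]:
    """Parse 'require afsgroup g1 g2 ...'; return None for any other require line."""
    parts = line.split()
    if len(parts) < 3 or parts[0].lower() != "require" or parts[1] != "afsgroup":
        return None
    return parts[2:]


def afsgroup_allows(
    principal: str,
    required_groups: List[str],
    enabled: bool = True,
    validate_groups: bool = False,
    pts: Dict[str, Set[str]] = PTS_GROUPS,
) -> str:
    """Return 'DECLINED', 'DENIED' or 'OK' following the option semantics quoted above.

    enabled=False         -> DECLINED (let another Apache module decide)
    validate_groups=True  -> DENIED if any listed group is unknown to PTS
    otherwise             -> OK if the user is in at least one listed group
    """
    if not enabled:
        return "DECLINED"
    if validate_groups and any(g not in pts for g in required_groups):
        return "DENIED"  # a listed group does not exist in the PT database
    pts_name = principal_to_pts_name(principal)
    if any(pts_name in pts.get(g, set()) for g in required_groups):
        return "OK"
    return "DENIED"


if __name__ == "__main__":
    groups = parse_require_afsgroup("require afsgroup chu:test foo:bar")
    for who in ("cclausen@ACM.UIUC.EDU", "cclausen@AD.UIUC.EDU", "nobody@ACM.UIUC.EDU"):
        print(who, "->", principal_to_pts_name(who), afsgroup_allows(who, groups))
```

Running the block shows why the realm matters: the same person arriving as `cclausen@ACM.UIUC.EDU` is looked up as `cclausen` and found in `chu:test`, while `cclausen@AD.UIUC.EDU` becomes `cclausen@ad.uiuc.edu` and only matches the group that lists that cross-realm name. Whatever mapping the real module uses, it is the step to verify when a Kerberos-authenticating front end hands over realm-qualified names.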