[OpenAFS] PTS lookup via LDAP or apache2
Christopher D. Clausen
Mon, 4 Sep 2006 03:08:34 -0500
Chris Huebsch <firstname.lastname@example.org> wrote:
> On Mon, 4 Sep 2006, Chris Huebsch wrote:
>> Some time ago, I wrote a pam module called pam_afs_groups and an
>> Apache module mod_auth_afs_group (with the help of Thomas Mueller).
> Perhaps I should explain the usage of both modules...
Well, one of the other admins has it sort-of up and running. We'll need
to do more testing though.
> pam_afs_groups is used for services using pam as authentication
> you can use it in the auth-section of pam like that:
> auth required pam_afs_groups.so groups chu:test,foo:bar
> mod_auth_afs_group is an Apache2 module.
> It provides the following options:
> AuthAFSGROUP_Enabled on|off
> If on, mod_auth_afs_group will try to verify
> any 'require afsgroup <list of groups>' against
> the PT-Server of the current cell.
> If off, mod_auth_afs_group will DECLINE immediately.
> This will make Apache try other modules.
> Defaults to on
> AuthAFSGROUP_ValidateGroups on|off
> If on, makes mod_auth_afs_group deny access, if one
> or more of the Groups don't exist in the PT-Database.
> Defaults to off
> Here is a sample .htaccess
> AuthType Basic
> AuthName AFS-Groups
> AuthAuthoritative off
> AuthPam_Enabled on
> AuthAFSGROUP_ValidateGroups off
> require afsgroup chu:test foo:bar
> Note that you need another Apache module to authenticate the user.
> In my case it is mod_auth_pam.
> "AuthAuthoritative off" is necessary to tell mod_auth that "require
> afsgroup" is a valid require statement.
Hmm. If I am trying to use mod_auth_kerb (for SSO via SPNEGO) and it
appends a realm to the user name, is that going to cause issues?
For instance, right now I can login as either cclausen@AD.UIUC.EDU or as
cclausen@ACM.UIUC.EDU. Those names are passed through apache to other
modules. Is this supported with your module?