[opensuse] apache2 authenticate system users and groups
Hi

I want apache (2.4) to authenticate against local system users. I have installed apache mod authnz_external

So far I have added this:

    <IfModule authnz_external_module>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

to my site's config file, and also this:

    AuthType Basic
    AuthName "Stop snooping, this is for the IT techs only!"
    AuthBasicProvider external
    AuthExternal pwauth
    Require valid-user

under the directory I wish to restrict, which works great but I wish to allow only users in a specific group to be able to authenticate.

I have read that authz_unixgroup might be a good module but I cannot seem to find how to include this in my above config

I tried this: http://stackoverflow.com/questions/5627184/htaccess-from-specific-unix-group

but apache cannot recognise AuthzUnixgroup on and will not start

What is the correct way to set this module up? Or does anyone know a better way?

Paul

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

Paul Groves wrote:
> I tried this:
> http://stackoverflow.com/questions/5627184/htaccess-from-specific-unix-group
> but apache cannot recognise AuthzUnixgroup on and will not start

Try this:

http://ben.kulbertis.org/2016/03/changes-in-mod-authz-unixgroup-from-apache-...

It seems to explain the situation.

--
Per Jessen, Zürich (3.9°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.

On 15/03/17 06:16, Per Jessen wrote:
> Paul Groves wrote:
>> I tried this:
>> http://stackoverflow.com/questions/5627184/htaccess-from-specific-unix-group
>> but apache cannot recognise AuthzUnixgroup on and will not start
>
> Try this:
> http://ben.kulbertis.org/2016/03/changes-in-mod-authz-unixgroup-from-apache-...
> It seems to explain the situation.

Great that solved one problem, Thanks. Apache now starts without error.

But... as we know apache 2.4 can be mysterious...

With the Require unixgroup groupname specified all I get now is internal server error. Same result if user is in group or not.

Can anyone see where I have gone wrong?

My config file contains

    <IfModule mod_authnz_external.so>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

    <IfModule mod_authz_unixgroup.so>
        AddExternalGroup unixgroup /usr/sbin/unixgroup
        SetExternalGroupMethod unixgroup environment
    </IfModule>

and under the Directory tag I have

    AuthType Basic
    AuthName "Login"
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require valid-user
        # If I delete the next line I can log in fine using any user
        Require unix-group itdepartment
    </RequireAll>

On 15/03/17 12:34, Paul Groves wrote:
> Great that solved one problem, Thanks. Apache now starts without error.
>
> But... as we know apache 2.4 can be mysterious...
>
> With the Require unixgroup groupname specified all I get now is internal server error. Same result if user is in group or not.
>
> Can anyone see where I have gone wrong?
>
> My config file contains
>
>     <IfModule mod_authnz_external.so>
>         AddExternalAuth pwauth /usr/sbin/pwauth
>         SetExternalAuthMethod pwauth pipe
>     </IfModule>
>
>     <IfModule mod_authz_unixgroup.so>
>         AddExternalGroup unixgroup /usr/sbin/unixgroup
>         SetExternalGroupMethod unixgroup environment
>     </IfModule>
>
> and under the Directory tag I have
>
>     AuthType Basic
>     AuthName "Login"
>     AuthBasicProvider external
>     AuthExternal pwauth
>     <RequireAll>
>         Require valid-user
>         # If I delete the next line I can log in fine using any user
>         Require unix-group itdepartment
>     </RequireAll>

OK I have just noticed that if I comment out the <IfModule mod_authz_unixgroup.so> and corresponding </IfModule> tag it works! But obviously the configuration needs to have IfModule in case the module gets disabled

I have tried:

    <IfModule mod_authz_unixgroup.so>
    <IfModule mod_authz_unixgroup>
    <IfModule authz_unixgroup>

On 15/03/17 12:44, Paul Groves wrote:
> OK I have just noticed that if I comment out the <IfModule mod_authz_unixgroup.so> and corresponding </IfModule> tag it works! But obviously the configuration needs to have IfModule in case the module gets disabled
>
> I have tried:
>
>     <IfModule mod_authz_unixgroup.so>
>     <IfModule mod_authz_unixgroup>
>     <IfModule authz_unixgroup>
>
> None of these work.
>
> However the <IfModule mod_authnz_external.so> works fine.
>
> As far as I can see my syntax is correct.

A friend just emailed me this. Apparently you are supposed to use the module names as he has set out below. I have tried the configuration and it is working as expected.

    <IfModule authnz_external_module>
        AddExternalAuth pwauth /usr/sbin/pwauth
        SetExternalAuthMethod pwauth pipe
    </IfModule>

    <IfModule authz_unixgroup_module>
        AddExternalGroup unixgroup /usr/sbin/unixgroup
        SetExternalGroupMethod unixgroup environment
    </IfModule>

And as before:

    AuthType Basic
    AuthName "You shall not pass! (Unless you are a system administrator)"
    AuthBasicProvider external
    AuthExternal pwauth
    <RequireAll>
        Require valid-user
        Require unix-group sudo
    </RequireAll>
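
An added example, not part of the thread or of either module's code: a small Python check for the failure resolved above, where an `<IfModule>` argument that is not a loaded module's identifier causes the enclosed directives to be skipped. The sample `apachectl -M` output and the `mod_example.c` entry are constructed, and the `mod_foo.so` to `foo_module` suggestion is a naming-convention heuristic, not an Apache API.

```python
import re

# Constructed sample of `apachectl -M` output (not captured from a real host).
SAMPLE_LOADED = """\
Loaded Modules:
 authnz_external_module (shared)
 authz_unixgroup_module (shared)
"""

# <IfModule> arguments from the thread, plus one constructed source-file form.
SAMPLE_CONF = """\
<IfModule mod_authnz_external.so>
</IfModule>
<IfModule mod_authz_unixgroup>
</IfModule>
<IfModule authz_unixgroup>
</IfModule>
<IfModule authz_unixgroup_module>
</IfModule>
<IfModule !mod_example.c>
</IfModule>
"""

def loaded_identifiers(dash_m_output):
    """Extract module identifiers from `apachectl -M` style output."""
    pattern = r"^\s*(\w+_module)\s+\((?:static|shared)\)"
    return set(re.findall(pattern, dash_m_output, re.M))

def check_ifmodule(conf_text, loaded):
    """Return (argument, verdict, suggested identifier) per <IfModule> line."""
    results = []
    for arg in re.findall(r"^\s*<IfModule\s+!?([^\s>]+)\s*>", conf_text, re.M | re.I):
        # Heuristic guess at the intended identifier: mod_foo.so / foo -> foo_module
        stem = re.sub(r"^mod_", "", re.sub(r"\.(so|c)$", "", arg))
        guess = stem if stem.endswith("_module") else stem + "_module"
        fix = guess if guess in loaded else None
        if arg in loaded:
            results.append((arg, "loaded", None))
        elif arg.endswith(".c"):  # valid source-file form, not checkable via -M
            results.append((arg, "unverified", fix))
        elif arg.endswith("_module"):  # well-formed, module simply not loaded
            results.append((arg, "not-loaded", None))
        else:  # neither an identifier nor a .c file name: the block is skipped
            results.append((arg, "suspect", fix))
    return results

if __name__ == "__main__":
    for arg, verdict, fix in check_ifmodule(SAMPLE_CONF, loaded_identifiers(SAMPLE_LOADED)):
        print(f"{arg:28} {verdict:11} {'-> ' + fix if fix else ''}")
```

On a real host, feed `loaded_identifiers` the output of `apachectl -M` and `check_ifmodule` the site's config text.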

participants (2): Paul Groves, Per Jessen