One consequence of the server outage was that I could finally justify the time to solve an irritating Apache authentication problem. In fact, I had to solve the problem, because I needed to log in to our control panels. (I really love our new control panels, but I wrote them, so I should. I’ll release a new version Real Soon Now. Don’t bother looking for the old version – it’s horribly out-of-date.)
The solution had two parts, both related to changes in the Authentication and Access Control of Apache httpd 2.2. In summary, it seems that there are now mod_auth modules which direct the authentication (authn) modules and the authorisation (authz) or access control modules, and there are some authnz modules which can do both parts.
So, the solution: Firstly, mod_authnz_external has become an easier way to do PAM authentication than getting mod_auth_pam to work with the new system. (As an alternative, I could have authenticated directly against the SQL database used by the control panel, but it seems neater to do all authentication through PAM.) So, the modules enabled were auth_basic, authn_file, authz_groupfile, authz_host and authnz_external, but it still gave an error message.
Secondly, I found a blog post about the "no groups file?" error I got then, which suggested re-enabling mod_authz_user. That cured the error, although I don’t yet understand why. The error and the solution don’t seem particularly related. But it works!
The above took me about 3 hours of researching, installing, configuring and testing to get working. My guess that it was an awkward job was right. I think TTLLP control panel customers will be glad they’re not paying all of that!
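A minimal httpd 2.2 configuration matching the module list above, added here as an illustration and not the author's actual config. It assumes the pwauth helper (set up to check credentials against PAM) at /usr/sbin/pwauth, a hypothetical /var/www/panel directory and realm name, generic module paths, and a `Require valid-user` rule, which in 2.2 is evaluated by mod_authz_user.

```apache
# Modules from the list above plus mod_authz_user (on Debian: a2enmod <name>).
# Module paths are assumptions; adjust to the local layout.
LoadModule auth_basic_module      modules/mod_auth_basic.so
LoadModule authn_file_module      modules/mod_authn_file.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module      modules/mod_authz_host.so
LoadModule authz_user_module      modules/mod_authz_user.so
LoadModule authnz_external_module modules/mod_authnz_external.so

# Register the external authenticator under the keyword "pwauth".
# Assumption: pwauth is installed here and configured to check PAM.
AddExternalAuth pwauth /usr/sbin/pwauth
# Credentials are passed to the helper on stdin, not in argv or environment.
SetExternalAuthMethod pwauth pipe

# Hypothetical control-panel location.
<Directory /var/www/panel>
    # Basic auth sends the password with every request: allow it over TLS only
    # (assumes mod_ssl is loaded and this vhost serves HTTPS).
    SSLRequireSSL

    AuthType Basic
    AuthName "Control Panel"
    # mod_auth_basic hands the password check to mod_authnz_external ...
    AuthBasicProvider external
    # ... which runs the authenticator registered above.
    AuthExternal pwauth

    # Authorisation: in httpd 2.2 "valid-user" is handled by mod_authz_user.
    Require valid-user
</Directory>
```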