>>> On 8/2/2006 at 9:01 AM, in message <[EMAIL PROTECTED]>, Jason Keltz <[EMAIL PROTECTED]> wrote:
> I apologize in advance if this is not the right forum for this type of
> question -- if so, please accept my apology and let me know where I
> might address this problem...
>
> -----
>
> The currently available version of mod_auth_pam for Apache 2.0.X series
> does not work with the new Apache 2.2.X authentication scheme when
> combined with basic authentication since mod_auth_pam doesn't register a
> provider. Surprisingly enough, I can't find any references on the web
> to people trying to use mod_auth_pam with Apache 2.2.X which surprises
> me. I was looking at how I might attempt to patch the current module to
> work with 2.2.X. I can't seem to find much documentation on the new
> "aaa" scheme in 2.2.X, but it doesn't look overly complicated to do when
> I look at say, mod_authn_file.

You are right, there isn't much development documentation which covers converting an older auth module to the new authnz architecture. The best bet is to take the existing modules as examples.

> I'm confused by an aspect of the new
> 2.2.X authentication scheme which I was hoping someone might be able to
> help with. If I want to port the "AuthPAM_Enabled on|off" into the new
> module, where would it go? It looks like there should be a
> mod_authn_pam which just handles only the pam authentication, and then
> say, a mod_authz_pamgroup that handles the "require group" directive,
> but it isn't clear to me where the enable flag belongs? I looked
> through the modules that come with Apache. The only module that has an
> enable type flag seems to be the ldap module, yet all of the references
> to the enable flag are commented out in that code. I wonder why?

Understand that I have not looked at the auth_pam module so I don't know exactly what all of the different configuration directives do. However it is highly likely that you do not even need the AuthPAM_Enabled directive any more. Under the new architecture, enabling or disabling an authn module is done by simply including it or excluding it from the AuthXXXProvider directive.

> Further, how about the AuthFailDelay, and AuthPAM_FallThrough? Would
> these go into mod_authn_pam as well? As far as I can see, mod_authz_pam
> doesn't seem necessary since the basic authentication covers the use of
> "require user"...

I would guess that the only thing required is that you create a mod_authn_pam authentication module and that an authz_pam module is not needed. Unless you have the need to implement a very specialized type of authorization, you can simply rely on the existing authz modules to do the work.
However, if you do need a specialized PAM group authorization for example, rather than implementing another 'Require group xxx' directive, you would need to implement a 'pam-group' authorization type. See mod_authnz_ldap or mod_authz_dbm as examples.

Brad
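
The configuration change described in the reply above, as an added example that is not part of the original thread or of any shipped module. It assumes a ported mod_authn_pam that registers an authn provider under the hypothetical name `pam`, and a hypothetical `pam-group` authorization type; the paths, realm names and user and group names are constructed.

```apache
# --- Apache 2.0.x: old mod_auth_pam, switched on by its own flag ---
# (directive names as quoted in this thread)
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private area"
    AuthPAM_Enabled on
    Require valid-user
</Directory>

# --- Apache 2.2.x replacement for the block above ---
# No enable flag: the module is active for this location only because its
# provider is listed. "pam" is a hypothetical provider name.
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private area"
    AuthBasicProvider pam
    # Authorization is left to the stock authz modules.
    Require valid-user
</Directory>

# --- Apache 2.2.x: more than one provider ---
# mod_auth_basic queries providers in the order listed and moves on to the
# next one when a provider reports that it does not know the user.
<Directory "/var/www/shared">
    AuthType Basic
    AuthName "Shared area"
    AuthBasicProvider pam file
    AuthUserFile /etc/httpd/conf/htpasswd
    Require user alice bob
</Directory>

# --- Apache 2.2.x: specialized group authorization ---
# Only needed if the stock authz modules are not enough. "pam-group" is the
# hypothetical authorization type an authz module would have to implement.
<Directory "/var/www/staff">
    AuthType Basic
    AuthName "Staff area"
    AuthBasicProvider pam
    Require pam-group staff
</Directory>
```

Removing `pam` from the `AuthBasicProvider` line is the 2.2.x equivalent of `AuthPAM_Enabled off` for that location.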
