Closed nycoe closed 5 years ago
How would you propose for this feature to work? Note that mod_authnz_pam doesn't do any lookups, it just delegates the authentication and authorization to the PAM stack. I don't think this module is the place for what you are after.
If the application owner needs to manage group membership, you should be able to just use AuthGroupFile from mod_authz_groupfile, stored somewhere where it can be managed by the application owner.
And of course, if you need some more advanced access control than editing some file, mod_authnz_pam with (say) SSSD and Active Directory or FreeIPA is exactly what you are looking for. Then the access can be managed on the remote server, and evaluated by the module on the Web server.
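A sketch of the split suggested in the comment above, added here as an illustration and not taken from the thread or from the project's documentation: PAM handles the password and account checks, while group membership comes from a file the application owner maintains. The location, realm, PAM service name `webapp`, group name and file path are all assumed placeholders.

```apache
# Constructed example; every path and name below is a placeholder.
#
# /srv/app/conf/groups (editable by the application owner, no root needed):
#   app-users: alice bob
#
# Keep that file outside the DocumentRoot and not writable by the
# account the web server runs as, so neither a download nor a
# compromised application can read or change who is in the group.

<Location "/app">
    AuthType Basic
    AuthName "app"

    # Authentication: the password check is delegated to the PAM
    # service "webapp" (/etc/pam.d/webapp, managed by root).
    AuthBasicProvider PAM
    AuthPAMService webapp

    # Authorization: group membership is read from the owner's file.
    AuthGroupFile "/srv/app/conf/groups"

    <RequireAll>
        # The PAM account phase must still pass (expired or locked
        # accounts are rejected) ...
        Require pam-account webapp
        # ... and the user must be listed in the group file.
        Require group app-users
    </RequireAll>
</Location>
```

Using `Require group` alone would skip the PAM account phase, so an account that PAM considers locked or expired but whose password still verifies would be admitted; the `RequireAll` block keeps both checks in force.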
Since the discussion did not continue, closing.
It would be great if this module could be used to specify group(s) that a valid-user needs to be a member of. This can currently be done via the PAM config the module uses, but changes to the PAM config would (and should) require root rights, while an app owner should be able to configure their Apache config themselves.