adelton / mod_authnz_pam

Apache module to run PAM authorization on result of other module's authentication; also full Basic Auth PAM provider.
https://www.adelton.com/apache/mod_authnz_pam/
Apache License 2.0

Would it be possible to add Require group "groupname" directive #6

Closed nycoe closed 5 years ago

nycoe commented 6 years ago

It would be great if this module can be used to specify group(s) that a valid-user needs to be a member of. This can currently be done via the pam config the module uses, but changes to the pam config would (and should) require root rights, while an app owner should be able to configure their apache config themselves.

adelton commented 6 years ago

How would you propose for this feature to work? Note that mod_authnz_pam doesn't do any lookups, it just delegates the authentication and authorization to the PAM stack. I don't think this module is the place for what you are after. If the application owner needs to manage group membership, you should be able to just use AuthGroupFile from mod_authz_groupfile, stored somewhere where it can be managed by the application owner.
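As an added illustration of the AuthGroupFile approach suggested in the comment above (example configuration written for this page, not taken from the issue or from the mod_authnz_pam project): PAM performs the password check, while group membership is read from a plain file that the application owner can edit without root. The PAM service name `httpd-app`, the path `/srv/app/conf/groups` and the group name `webadmins` are assumptions.

```apache
# Added example: authentication via mod_authnz_pam, authorization via mod_authz_groupfile.
<Location "/app">
    AuthType Basic
    AuthName "Application"
    # mod_authnz_pam acts as the Basic Auth provider; "httpd-app" is an assumed PAM service name
    AuthBasicProvider PAM
    AuthPAMService httpd-app
    # Group file owned by the application owner (assumed path); one line per group: "groupname: user1 user2"
    AuthGroupFile /srv/app/conf/groups
    # Only members of the assumed group "webadmins" pass authorization
    Require group webadmins
</Location>
```

With this layout the group file would contain a line such as `webadmins: alice bob`. The split keeps the privilege boundary the reporter asked about: the PAM service file under `/etc/pam.d` still belongs to root, but the file consulted by `Require group` can be owned by the application owner, and the web server only needs read access to it.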

adelton commented 6 years ago

And of course, if you need some more advanced access control than editing some file, mod_authnz_pam with (say) SSSD and Active Directory or FreeIPA is exactly what you are looking for. Then the access can be managed on the remote server, and evaluated by the module on the Web server.

adelton commented 5 years ago

Since the discussion did not continue, closing.