adelton / mod_authnz_pam

Apache module to run PAM authorization on result of other module's authentication; also full Basic Auth PAM provider.
https://www.adelton.com/apache/mod_authnz_pam/
Apache License 2.0

Problem using module #7

Closed Shea690901 closed 5 years ago

Shea690901 commented 6 years ago

It would be nice to have somewhere in the manual a notice that, for mod_authnz_pam to authenticate system accounts stored within the standard /etc/passwd & /etc/shadow(!!!), it is necessary to give the user running the server membership in group shadow (the actual name may vary, but it is the group owner of the shadow file).

Something which IMHO shouldn't be done ;) For this case one should use mod_authnz_external (should also be mentioned within the readme).

adelton commented 6 years ago

On Fedora/CentOS/RHEL, /etc/shadow group is root and you most likely do not want to add some web service to that group. Can you elaborate on the use case when you'd want to authenticate Apache HTTP server with the local system accounts?

adelton commented 5 years ago

Since the discussion did not continue, closing.

Shea690901 commented 5 years ago

Sorry for the long delay (problems with my computer and my ISP).

The use case? E.g.: WebDAV access to some part of a users homedir...

And as I wrote, I too think it's unwise to add some service to the group owning /etc/shadow, that's exactly why I was missing those remarks in the readme:

At best, don't use mod_authnz_pam when using shadow passwords, since it would need membership of the group owning /etc/shadow; better use mod_authnz_external...

adelton commented 5 years ago

The expected approach is to use SSSD, as documented.
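Added example (not part of this issue thread or of the mod_authnz_pam project): two defender-side checks for the situation discussed above. The first asks whether the account the web server runs as is a member of the group that owns /etc/shadow, which both participants agree it should not be. The second inspects the PAM service file that mod_authnz_pam would use and reports when its `auth` lines rely on `pam_unix.so` (local /etc/shadow lookups, which need that group membership) without `pam_sss.so` (SSSD, the approach the maintainer points to). The service user `apache`, the group name `shadow` and the PAM file contents are constructed sample data; the functions take every input as an argument so they can be pointed at the real `/etc/group` and `/etc/pam.d/<service>` files on a host.

```shell
#!/bin/sh
# Added example, not code from the mod_authnz_pam project.
# Inputs are passed as arguments so the checks run against constructed
# sample files below; on a real host pass /etc/group and /etc/pam.d/httpd
# (or whatever service name the AuthPAMService directive uses).

# members_of GROUPFILE GROUPNAME -> prints the comma-separated member list
members_of() {
    awk -F: -v g="$2" '$1 == g { print $4 }' "$1"
}

# user_in_group USER GROUPNAME GROUPFILE -> exit 0 if USER is listed as a member
user_in_group() {
    members_of "$3" "$2" | tr ',' '\n' | grep -qx "$1"
}

# uses_pam_unix PAMFILE -> exit 0 if any auth line loads pam_unix.so
uses_pam_unix() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_unix\.so' "$1"
}

# uses_pam_sss PAMFILE -> exit 0 if any auth line loads pam_sss.so
uses_pam_sss() {
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$1"
}

# count_findings SERVICEUSER SHADOWGROUP GROUPFILE PAMFILE
#   prints each finding on stderr and the number of findings on stdout
count_findings() {
    n=0
    if user_in_group "$1" "$2" "$3"; then
        echo "FINDING: $1 is a member of $2 and can read shadow password hashes" >&2
        n=$((n + 1))
    fi
    if uses_pam_unix "$4" && ! uses_pam_sss "$4"; then
        echo "FINDING: $4 authenticates with pam_unix.so only; local password checks need shadow access" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# ---- constructed sample data (assumed names: apache user, shadow group) ----
TMP=$(mktemp -d)

# /etc/group excerpt where the web server user was added to the shadow group
cat > "$TMP/group.bad" <<'EOF'
root:x:0:
shadow:x:42:apache
apache:x:48:
EOF

# /etc/group excerpt with the web server user kept out of the shadow group
cat > "$TMP/group.good" <<'EOF'
root:x:0:
shadow:x:42:
apache:x:48:
EOF

# PAM service file that resolves passwords from local files
cat > "$TMP/httpd.unix" <<'EOF'
auth    required   pam_unix.so
account required   pam_unix.so
EOF

# PAM service file that delegates to SSSD
cat > "$TMP/httpd.sss" <<'EOF'
auth    required   pam_sss.so
account required   pam_sss.so
EOF

# Sample run: the misconfigured host yields two findings, the SSSD host none
echo "misconfigured host: $(count_findings apache shadow "$TMP/group.bad" "$TMP/httpd.unix") finding(s)"
echo "sssd host:          $(count_findings apache shadow "$TMP/group.good" "$TMP/httpd.sss") finding(s)"
```

On a real host the group that owns /etc/shadow can be read with `stat -c %G /etc/shadow` (it is `root` on Fedora/CentOS/RHEL, as the maintainer notes, and `shadow` on Debian-derived systems) and passed as the second argument.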