Koozali.org: home of the SME Server

Apache group authentication question

Offline edbneutron

Apache group authentication question
« on: October 28, 2007, 05:54:33 PM »
Hello,

I would like to use unix-group in .htaccess files to authenticate users and check if they belong to a specific unix-group. So far I had no success.
Things I tried:

1. LDAP-auth. Does not work, because LDAP in SME does not contain passwords. So not even authentication is possible. (found out the hard way :-(

2. pwauth with GroupExternal unixgroup in config file. Throws "invalid GroupExternal keyword (unixgroup)" in apache log. No idea what's wrong here.

3. Mod_Authz_Unixgroup from http://unixpapa.com/mod_authz_unixgroup/
I couldn't compile the module, because Apache in SME doesn't contain "apxs" to compile apache modules. Tried a module from Mandriva Linux. No success. Apache crashes on startup.
:-(......

So, now I'm out of ideas... C'mon, it can't be so hard to check for unixgroups...
Did someone manage to do this?

Regards!

And thanks to all the SME developers and contributors. Just installed SME-Server 7.2 4 days ago. It's VERY COOL and much less install/admin work is needed ... as long as you stick to the predefined things though.


Offline mmccarn

Re: Apache group authentication question
« Reply #1 on: October 28, 2007, 08:55:46 PM »
You need to end up with the following items in your <Directory>...</Directory> declaration in httpd.conf:
Code:
<Directory /some/path/on/your/server>
        AuthType Basic
        AuthExternal pwauth
        AuthName "The Name You Want Users Prompted With When They Login"
        Require group group-name
</Directory>
(Note: I have *not* included all directives, only the ones you need to set in order to authenticate by Group...)

Here's a howto on setting up 'Dav enabled' ibays - not what you're trying to do, but possibly useful: http://wiki.contribs.org/DAV_Enabled_Ibays


Offline cactus

Re: Apache group authentication question
« Reply #2 on: October 28, 2007, 10:07:12 PM »
> You need to end up with the following items in your <Directory>...</Directory> declaration in httpd.conf:
> Code:
> <Directory /some/path/on/your/server>
>         AuthType Basic
>         AuthExternal pwauth
>         AuthName "The Name You Want Users Prompted With When They Login"
>         Require group group-name
> </Directory>
> (Note: I have *not* included all directives, only the ones you need to set in order to authenticate by Group...)

The use of group authentication is not available in the current version of Apache that is running on SME Server. This is an option that is available as of version 2.2, which will most likely be shipped with SME Server 8. Your best bet is to expand the users in the group and add them to the Require user directive. I have done something similar in the smeserver-subversion contrib.
As far as I know pwauth does not authenticate against groups; I also ran into that problem when writing my smeserver-subversion contrib.

I solved this by expanding the group to all members in it and adding them to the require user directive. Here is the code I use:
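Code:
my $users;
my @list;

# %properties and $db_accounts are not defined in this excerpt.
# Expand every group named in the 'Groups' property into its member accounts.
if ($properties{'Groups'}) {
    my @groups = split(/,/, $properties{'Groups'});
    foreach my $group (@groups) {
        my $members = $db_accounts->get_prop($group, 'Members') || "";
        if (length($members) > 0) {
            push @list, split(/,/, $members);
        }
    }
}

# Add the individually listed users.
if ($properties{'Users'}) {
    push @list, split(/,/, $properties{'Users'});
}

if (@list > 1) {
    @list = sort(@list);
}

# Drop adjacent duplicates from the sorted list so each name appears once.
my $prev = '';
@list = grep($_ ne $prev && (($prev) = $_), @list);

# Space-separated account list for the Require user directive.
$users = join(" ", @list) || '';

undef @list;
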
Be careful whose advice you buy, but be patient with those who supply it. Advice is a form of nostalgia, dispensing it is a way of fishing the past from the disposal, wiping it off, painting over the ugly parts and recycling it for more than its worth ~ Baz Luhrmann - Everybody's Free (To Wear Sunscreen)

Offline cactus

Re: Apache group authentication question
« Reply #3 on: October 28, 2007, 10:09:16 PM »
> 3. Mod_Authz_Unixgroup from http://unixpapa.com/mod_authz_unixgroup/
> I couldn't compile the module, because Apache in SME doesn't contain "apxs" to compile apache modules. Tried a module from Mandriva Linux. No success. Apache crashes on startup.
> :-(......

As SME Server is based on CentOS (and SME Server 7.2 is based on CentOS 4.5) you should stick to either CentOS 4.5 RPMs or RHEL4 RPMs. Mandriva has a very different architecture and therefore Mandriva RPMs most certainly will not work or crash your system.

On top of that I believe the mod_authz_unixgroup only works on httpd 2.2.x and higher, and the current version of SME Server does run a 2.0.x version, you will have to wait for SME Server 8 as this will most likely have a 2.2.x under the bonnet.
« Last Edit: October 28, 2007, 10:12:30 PM by cactus »

Offline shell

Re: Apache group authentication question
« Reply #4 on: October 31, 2007, 02:38:35 AM »
Cactus,

can you explain where the script is run from - is the script placed at the top of the custom template so that it is run before the <Directory>...</Directory> declaration in httpd.conf?  Or do you simply run this script once before creating the template so that the static list would need to be manually updated with the addition of new members to the group?

Cheers,
Shell

Offline raem

Re: Apache group authentication question
« Reply #5 on: October 31, 2007, 03:00:10 AM »
Cactus & anyone

> can you explain where the script is run from .....

...and perhaps add the details to this Howto
http://wiki.contribs.org/Htaccess

or post more explicit info/steps here and I'll update the Howto.

Thanks
Ray
...

Offline cactus

Re: Apache group authentication question
« Reply #6 on: October 31, 2007, 02:57:37 PM »
> Cactus,
>
> can you explain where the script is run from - is the script placed at the top of the custom template so that it is run before the <Directory>...</Directory> declaration in httpd.conf?  Or do you simply run this script once before creating the template so that the static list would need to be manually updated with the addition of new members to the group?
>
> Cheers,
> Shell

The script is part of the 28SubversionContent template fragment and is located in the etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/ directory if you have the smeserver-subversion plugin installed.

Offline edbneutron

SUCCESSFUL group auth solution!! was: Re: Apache group authentication question
« Reply #7 on: November 05, 2007, 11:36:00 AM »
Finally I found a solution to use the user-groups for authentication!

Goal: Use Unixgroups that can be configured using SME-Server-Manager.

Problem: Apache and SME-Server don't have a solution to check group membership out of the box.
Problem2: LDAP not fully integrated into SME, so it's not usable for this purpose.

Solution:

Step 1 - get unixgroup check script

Go to http://www.unixpapa.com/pwauth/ and download the latest pwauth-2.3.3.tar.gz.
Untar it into a directory of your choice. We use only the unixgroup script.

Code:
# cd /root
# mkdir pwauth
# cd pwauth
# wget http://www.unixpapa.com/software/pwauth-2.3.3.tar.gz
# tar -xvzf pwauth-2.3.3.tar.gz
# cd pwauth-2.3.3
# chown root:root unixgroup
# chmod 755 unixgroup
# cp unixgroup /usr/bin/

Step 2 - configure Apache

In the httpd.conf file you need:
Code:
AddExternalGroup ugroup /usr/bin/unixgroup
SetExternalGroupMethod ugroup environment

PER VIRTUAL HOST!!!!!

Not at the beginning of the file!! (found out the hard way...)

So a solution would be:

In /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/
Code:
# cd /etc/e-smith/templates/etc/httpd/conf/httpd.conf/VirtualHosts/
# touch 33GroupAuth
# echo "\$OUT .= '
        AddExternalGroup ugroup /usr/bin/unixgroup
        SetExternalGroupMethod ugroup environment';" >33GroupAuth
# expand-template /etc/httpd/conf/httpd.conf
# /etc/init.d/httpd-e-smith graceful

After that you are able to check for group membership using the following code in .htaccess files
(be sure that you are allowed to "AllowOverride AuthConfig" in your directory-rule from apache).

Code:
    AuthName "mySite"
    AuthType Basic
    AuthExternal pwauth
    GroupExternal ugroup
    Require group mygroup
    Satisfy all

After that you are able to check for group-membership.

Regards!
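
Added example (not from the original post or from pwauth): with `SetExternalGroupMethod ugroup environment`, mod_auth_external hands the checker the login name in `USER` and the required group(s) in `GROUP`, and reads the exit status (0 means member). The stand-in checker below follows that contract against a group file so the behaviour can be tested outside Apache; `check_group`, `run_check`, `make_sample_groups`, `GROUP_FILE` and the sample accounts are hypothetical names.

```shell
#!/bin/sh
# Stand-in group checker following the "environment" contract:
#   $USER  = login name, $GROUP = one or more group names (space separated)
#   exit 0 = member of at least one group, 1 = not a member, 2 = bad input
# GROUP_FILE is a hypothetical override so the check can run on sample data.
# Note: only the member lists are read; a user's primary group is not considered.

check_group() {
    # Fail closed on empty input instead of matching by accident.
    [ -n "${USER:-}" ] && [ -n "${GROUP:-}" ] || return 2
    file=${GROUP_FILE:-/etc/group}
    for g in $GROUP; do
        # group file format: name:passwd:gid:member1,member2,...
        members=$(awk -F: -v g="$g" '$1 == g { print $4 }' "$file")
        old_ifs=$IFS; IFS=,
        for m in $members; do
            # Exact comparison: "ali" must not match "alice".
            if [ "$m" = "$USER" ]; then IFS=$old_ifs; return 0; fi
        done
        IFS=$old_ifs
    done
    return 1
}

# Call the checker the way the web server would, in a subshell so the
# USER/GROUP pair does not leak into the calling shell.
run_check() {
    ( set -f; USER=$1; GROUP=$2; check_group )
}

# Constructed sample data in /etc/group format.
make_sample_groups() {
    f=$(mktemp) || return 1
    printf '%s\n' 'mygroup:x:5001:alice,bob' 'admins:x:5002:carol' > "$f"
    echo "$f"
}

GROUP_FILE=$(make_sample_groups)
if run_check alice mygroup; then echo "alice: allowed"; else echo "alice: denied"; fi
if run_check carol mygroup; then echo "carol: allowed"; else echo "carol: denied"; fi
rm -f "$GROUP_FILE"
```

The installed checker can be exercised the same way before relying on it in .htaccess: set `USER` and `GROUP` for a known member and a known non-member, run `/usr/bin/unixgroup`, and compare the exit status.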