GitHub - ondrejv2/mod_authz_sss: Apache module to authorize the authenticated user based on groups he is member of.

ondrejv2 / mod_authz_sss Public

forked from adelton/mod_lookup_identity

Notifications You must be signed in to change notification settings
Fork 0
Star 1

Apache module to authorize the authenticated user based on groups he is member of.

www.adelton.com/apache/mod_lookup_identity/

Apache-2.0 license

1 star 1 fork Branches Tags Activity

Star

Notifications

Branches Tags

Name		Name	Last commit message	Last commit date
Latest commit History 70 Commits
LICENSE		LICENSE
README		README
authz_sss.module		authz_sss.module
mod_authz_sss.c		mod_authz_sss.c
mod_authz_sss.spec		mod_authz_sss.spec

Repository files navigation

Apache module mod_authz_sss
=================================

Apache module to authorize previously authenticated user based on
groups he is member of. It is ideal to be used in conjunction with
the mod_auth_gssapi module which provides the authentication.

The module supports retrieval of list of group names the user belongs 
to via SSSD D-Bus call using org.freedesktop.sssd.infopipe.GetUserGroups
method.

The sssd-dbus package needs to be installed and the ifp service
enabled in the [sssd] section of /etc/sssd/sssd.conf.

The module itself needs to be loaded into Apache's configuration file
like /etc/httpd/conf/httpd.conf with directive like

    LoadModule authz_sss_module modules/mod_authz_sss.so

Mod_Authz_sss would come into play if you wanted to further restrict access
to specific groups SSSD recognizes - these can be Posix (i.e. unix) 
or even non-Posix. You might append the following directive:

    Require sss-group staff admin

This would allow only access to accounts in the 'staff' or 'admin' groups.

Example of sssd.conf:

    [domain/example.com]
    ...

    [sssd]
    services = nss, pam, ssh, ifp

    [ifp]
    allowed_uids = apache, root


Building from sources
---------------------

The available version of sssd has to provide the ifp dbus service
When building from sources, command

    apxs -i -a -c $(pkg-config --cflags dbus-1) $(pkg-config --libs dbus-1) \
	 -Wc,"-Wall -pedantic -std=c99" mod_authz_sss.c

should build and install the module.

Limitations
--------------------

The authenticated user has to be a POSIX user

You need to authenticate using principal that SSSD is able to resolve.
this is usually in form of "User Principal Name" - especially when the
SSSD backend is configured to use Active Directory, see bug:

https://bugzilla.redhat.com/show_bug.cgi?id=2236087

License
-------

Copyright 2022-2024 Ondrej Valousek

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.