forked from adelton/mod_lookup_identity
Apache module mod_authz_sss
=================================
Apache module that authorizes a previously authenticated user based on
the groups the user is a member of. It is ideally used in conjunction with
the mod_auth_gssapi module, which provides the authentication.
The module retrieves the list of group names the user belongs to via an
SSSD D-Bus call to the org.freedesktop.sssd.infopipe.GetUserGroups
method.
The sssd-dbus package needs to be installed and the ifp service
enabled in the [sssd] section of /etc/sssd/sssd.conf.
The module itself needs to be loaded in Apache's configuration file,
such as /etc/httpd/conf/httpd.conf, with a directive like

    LoadModule authz_sss_module modules/mod_authz_sss.so

mod_authz_sss comes into play when you want to further restrict access
to specific groups that SSSD recognizes; these can be POSIX (i.e. Unix)
groups or even non-POSIX ones. You might append the following directive:

    Require sss-group staff admin

This would allow access only to accounts in the 'staff' or 'admin' groups.
Example of sssd.conf:

    [domain/example.com]
    ...

    [sssd]
    services = nss, pam, ssh, ifp

    [ifp]
    allowed_uids = apache, root
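The sssd.conf excerpt above carries the two prerequisites the module depends on: the ifp service must be listed in [sssd] services, and the account httpd runs as must appear in [ifp] allowed_uids, which is the list of local accounts permitted to query the InfoPipe at all. The following pre-flight check is an added example written for this README, not code from the mod_authz_sss project. It parses a constructed sssd.conf with Python's configparser, reports which prerequisite is missing, and then simulates the decision a `Require sss-group staff admin` line makes for a list of group names as the README describes it (access if the user is in any listed group). The httpd account name 'apache', the domain name and the group lists are assumptions for illustration.

```python
"""Pre-flight check for the mod_authz_sss prerequisites in sssd.conf.

Added example, not part of the mod_authz_sss project. Parses an sssd.conf,
verifies the ifp prerequisites, and mimics the `Require sss-group` decision.
"""
import configparser

# Constructed sample mirroring the README's sssd.conf excerpt. The domain,
# the id_provider line and the 'apache' account are illustrative values.
SAMPLE_SSSD_CONF = """\
[domain/example.com]
id_provider = ldap

[sssd]
services = nss, pam, ssh, ifp
domains = example.com

[ifp]
allowed_uids = apache, root
"""


def _csv(value):
    """Split an sssd.conf comma-separated value into a list of tokens."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_ifp(conf_text, httpd_user="apache"):
    """Return a list of problems; an empty list means the prerequisites hold.

    httpd_user is the account the Apache worker processes run as
    (assumed 'apache' here; e.g. 'www-data' on Debian-based systems).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    problems = []

    # The InfoPipe responder must be started by the sssd monitor.
    services = _csv(parser.get("sssd", "services", fallback=""))
    if "ifp" not in services:
        problems.append("ifp is not listed in [sssd] services")

    # Only accounts in allowed_uids may call org.freedesktop.sssd.infopipe;
    # if httpd's account is missing, GetUserGroups is refused.
    allowed = _csv(parser.get("ifp", "allowed_uids", fallback=""))
    if httpd_user not in allowed:
        problems.append(f"{httpd_user} is missing from [ifp] allowed_uids")

    return problems


def sss_group_allows(required_groups, user_groups):
    """Mimic `Require sss-group a b ...`: allow if the user is in any listed group.

    user_groups stands in for the names GetUserGroups would return for the
    authenticated principal.
    """
    return bool(set(required_groups) & set(user_groups))


if __name__ == "__main__":
    for problem in check_ifp(SAMPLE_SSSD_CONF) or ["ifp prerequisites OK"]:
        print(problem)
    # Constructed group lists; 'Require sss-group staff admin' from the README.
    print(sss_group_allows(["staff", "admin"], ["users", "admin"]))  # True
    print(sss_group_allows(["staff", "admin"], ["users"]))           # False
```

Run it against the real file with `check_ifp(open("/etc/sssd/sssd.conf").read())` as root; the sssd.conf is normally readable by root only, so the check is a deployment-time step, not something the httpd account runs.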
Building from sources
---------------------
The available version of sssd has to provide the ifp D-Bus service.
When building from sources, the command

    apxs -i -a -c $(pkg-config --cflags dbus-1) $(pkg-config --libs dbus-1) \
        -Wc,"-Wall -pedantic -std=c99" mod_authz_sss.c

should build and install the module.
Limitations
-----------
The authenticated user has to be a POSIX user.
You need to authenticate using a principal that SSSD is able to resolve.
This is usually in the form of a "User Principal Name", especially when the
SSSD backend is configured to use Active Directory; see bug:
https://bugzilla.redhat.com/show_bug.cgi?id=2236087
License
-------
Copyright 2022-2024 Ondrej Valousek
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.