About

Apache can be made to authenticate users by using Pluggable Authentication Modules (PAM) as an intermediary. The benefit of doing so is that user and group accounts can be easily centralised.

Requirements

Most distributions should be compatible. On a Debian system, install the required packages with the command:

aptitude install libapache2-mod-authnz-external libapache2-mod-authz-unixgroup pwauth

The tricky package here is pwauth: on Ubuntu or Debian it may not contain unixgroup, which would require a download and recompile from the original pwauth project page.

Getting Unix Group Authentication Working

First download the original pwauth and save it to /usr/src/pwauth-2.3.11 - any version will do. Then change directory and compile:

cd /usr/src/pwauth-2.3.11
make

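Finally, copy unixgroup to /usr/sbin/ and adjust ownership and permissions. Set the ownership first, because on Linux chown clears the setgid bit of an executable file:

chown root:shadow /usr/sbin/unixgroup
chmod g+s /usr/sbin/unixgroup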
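
To confirm that the helper ended up with the intended ownership and mode, a check like the following can be run after installation. It is an added example, not part of the original page or of the pwauth project; the function name audit_helper is hypothetical and GNU stat (as shipped on Debian and Ubuntu) is assumed.

```shell
#!/bin/sh
# Added example (not from the original page): audit the mode and ownership
# of a helper such as /usr/sbin/unixgroup after installation.
# Usage: audit_helper PATH GROUP [OWNER_UID]   (OWNER_UID defaults to 0, root)
# Returns 0 when every check passes, 1 otherwise. Assumes GNU stat.
audit_helper() {
    path=$1 want_group=$2 want_uid=${3:-0} rc=0

    if [ ! -f "$path" ]; then
        echo "FAIL $path: missing or not a regular file"
        return 1
    fi

    # Accept a group name (resolved with getent) or a numeric gid.
    case $want_group in
        *[!0-9]*) want_gid=$(getent group "$want_group" | cut -d: -f3) ;;
        *)        want_gid=$want_group ;;
    esac
    if [ -z "$want_gid" ]; then
        echo "FAIL $path: group '$want_group' does not exist"
        return 1
    fi

    if [ "$(stat -c %u "$path")" != "$want_uid" ]; then
        echo "FAIL $path: owner uid is not $want_uid"; rc=1
    fi
    if [ "$(stat -c %g "$path")" != "$want_gid" ]; then
        echo "FAIL $path: group is not $want_group"; rc=1
    fi
    # The setgid bit is lost if chown runs after chmod g+s.
    if [ ! -g "$path" ]; then
        echo "FAIL $path: setgid bit is not set"; rc=1
    fi
    # A setgid helper writable by group or others can be replaced.
    if [ -n "$(find "$path" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "FAIL $path: writable by group or others"; rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $path"
    return "$rc"
}
```

For the installation described above, the call would be audit_helper /usr/sbin/unixgroup shadow.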

Enabling Apache Modules

The required modules should be enabled using the a2enmod command:

a2enmod authnz_external authz_unixgroup

Configuring the Modules

The pwauth package installs a binary at /usr/sbin/pwauth (and should install unixgroup at /usr/sbin/unixgroup). The following Apache clause enables their use, provided that the authnz_external module has been enabled:

<IfModule mod_authnz_external.c>
    AddExternalAuth pwauth /usr/sbin/pwauth
    SetExternalAuthMethod pwauth pipe
    AddExternalGroup unixgroup /usr/sbin/unixgroup
    SetExternalGroupMethod unixgroup environment
</IfModule>

This clause must be added within the VirtualHost directive for which you will use the authentication.

Protecting Directories

The final step is to protect a directory:

<Directory /var/www/folder>
    AuthType Basic
    AuthName "Restricted Area"
    AuthBasicProvider external
    AuthExternal pwauth
    GroupExternal unixgroup
    Require user jane
</Directory>

in this example:

Another example, where access is restricted to a group, would be the following:

<Directory /var/www/development>
    AuthType Basic
    AuthName "Restricted Area"
    AuthBasicProvider external
    AuthExternal pwauth
    GroupExternal unixgroup
    Require group devs
</Directory>

which restricts access to /var/www/development to the group devs.