Hi list,
I would like to use something like mod_authz_unixgroup or mod_lookup_identity to allow users to browse certain locations based on their group membership. I know that mod_authz_unixgroup would do exactly what I need via the "require unix-group" parameter, but unfortunately that module does not seem to be present in the Red Hat repo and I do not want to compile it myself.
I am wondering, can mod_lookup_identity (connected to SSSD via the ifp-dbus) do something similar?
Thanks,
Ondrej
-----
The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communications@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
I don't think mod_lookup_identity is what you are looking for; it does not deal with access authorization.
You don't say how your users authenticate, so I'll assume you have that sorted out. In that case, mod_authnz_pam might be the way to go. You mention you use SSSD, so configuring just
account required pam_sss.so
(without the auth module) should delegate the authorization to SSSD.
Jan (not subscribed to the mailing list, replying via WebUI)
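
The setup suggested in the message above, written out as an added example (not configuration posted by anyone in this thread). It assumes authentication is handled by Kerberos via mod_auth_gssapi; the location, the keytab path and the PAM service name "webapp" are constructed. The allow or deny decision is whatever SSSD returns for the account phase of that PAM service.

```apache
# /etc/httpd/conf.d/private.conf (constructed file name)
LoadModule authnz_pam_module modules/mod_authnz_pam.so

<Location "/private">
    # Authentication: assumed to be Kerberos through mod_auth_gssapi.
    # Any module that sets the authenticated user name works the same way.
    AuthType GSSAPI
    AuthName "Private area"
    GssapiCredStore keytab:/etc/httpd/conf/http.keytab

    # Authorization: mod_authnz_pam runs only the account phase of the
    # PAM service named here for the already authenticated user.
    Require pam-account webapp
</Location>

# /etc/pam.d/webapp holds the single line from the message above,
# with no auth line, so PAM is used for authorization only:
#
#   account required pam_sss.so
```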
The server my Apache is running on is joined to a domain and running sssd.
The point is that I need to authorize users based on the groups they are members of. I do not think mod_authz_pam is capable of doing that. Mod_authz_unixgroup is doing what I need, but that's not in the RH repo.
That's why I thought mod_lookup_identity could potentially help here.
Ondrej
-----Original Message-----
From: Jan Pazdziora [mailto:jpazdziora@redhat.com]
Sent: Monday, September 03, 2018 10:58 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: mod_lookup_identity & Apache authorization