Mod_Authz_Unixgroup 1.0.0 review
DownloadIf you are having users authenticate with real Unix login ID over the net, using something like my mod_authnz_external / pwauth combi
|
|
If you are having users authenticate with real Unix login ID over the net, using something like my mod_authnz_external / pwauth combination, and you want to do access control based on unix group membership, then mod_authz_unixgroup is exactly what you need.
Let's say you are doing unix passwd file authentication with mod_authnz_external and pwauth. Your .htaccess file for a protected directory would probably start with the following directives:
AuthType Basic
AuthName mysite
AuthBasicProvider external
AuthExternal pwauth
That would cause mod_auth_basic and mod_authnz_external to do authentication based on the Unix passwd database. Mod_Authz_Unixgroup would come into play if you wanted to further restrict access to specific Unix groups. You might append the following directives:
AuthzUnixgroup on
Require group staff admin
This would allow only access to accounts in the 'staff' or 'admin' unix groups. You can alternately specify groups by their gid numbers instead of their names.
Or you could use mod_authz_unixgroup together with the standard apache module mod_authz_owner to do something like:
Require file-group
This would allow access to the page, only the user was a member of the unix group that owns the file.
Though it makes the most sense to use mod_authz_unixgroup with unix passwd authentication, it can be used with other databases. In that case it would grant access if, (1) the name the user authenticated with exactly matched the name of a real unix account on the server, and (2) that real unix account was in one of the required groups. However, I think this would be a pretty senseless way to use this module. I expect that it will really only be used by user of mod_authnz_external and pwauth.
Mod_Authz_Unixgroup 1.0.0 search tags