NIS + mod_auth_pam + Apache2 + Debian

From: Matt Bogosian (mattbcolumbia.edu)
Date: Wed Nov 12 2003 - 02:08:27 CST


Howdy all,

I've tried to search to see if there's already a solution for this in
the archives, but I've come up with nothing (maybe I'm just not drawing
the right parallels somewhere).

At any rate, I have a working (Debian) system using PAM/NIS. All the
users in the NIS directory can log into the machine (via ssh). They can
also use their login/passwords to check their mail via IMAP (running on
the same machine). However, none of them can authenticate using HTTP
Auth with Apache2. Every attempt results in a log entry like:

[Tue Nov 11 23:53:22 2003] [error] [client 192.168.1.32] PAM: user 'test' - not authenticated: Authentication failure

Here's my /etc/nsswitch.conf:
passwd: compat
group: compat
shadow: compat

Here's my /etc/pam.d/ssh:
auth required pam_nologin.so
include common-auth
include common-account
include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
include common-password

Here's my /etc/pam.d/imap:
include common-auth
include common-account
include common-password
include common-session

Here's my /etc/pam.d/apache2:
include common-auth
include common-account

Here's my /etc/pam.d/common-auth:
auth required pam_env.so
auth required pam_unix.so

Here's my /etc/pam.d/common-account:
auth required pam_unix.so

Here's my /etc/pam.d/common-session:
session required pam_limits.so
session required pam_unix.so

Here's my /etc/pam.d/common-password:
password required pam_unix.so md5

Here's my Apache2 configuration:
...
<Location /someplace>
    Order Allow,Deny
    Allow From All

    AuthPAM_Enabled On
    AuthPAM_FallThrough Off

    AuthType Basic
    AuthName somplace
    Require group myusers
</Location>

Each of the users that I want to be able to successfully authenticate
via HTTP Auth is in the group 'myusers'. If I log into the machine (as
'test') I am a member of that group:

% groups
test myusers
% ypcat passwd
...
test:x:600:600:test:/home/test:/usr/bin/zsh
...
% ypcat group
...
test:x:600:
myusers:x:700:test,...
...

I've tried changing my nsswitch.conf to read:
passwd: compat nis
group: compat nis
shadow: compat nis

But that doesn't make a difference. I'd really like for my NIS users to
be able to authenticate using mod_auth_pam, but I just don't know how to
make it work. Any help would be appreciated....

--Matt

_______________________________________________
Pam-list mailing list
Pam-listredhat.com
https://www.redhat.com/mailman/listinfo/pam-list
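
An added example, not part of the original post: a small Python check that expands the include lines in the /etc/pam.d files quoted above and compares the rules each service ends up running. The file contents are transcribed from the post into a dictionary (nothing is read from disk), the function names are this example's own, and the parser accepts both the bare "include" form shown in the post and Debian's "@include" form.

```python
# Constructed from the /etc/pam.d files quoted in the post (not read from disk).
PAM_D = {
    "ssh": """auth required pam_nologin.so
include common-auth
include common-account
include common-session
session optional pam_motd.so
session optional pam_mail.so standard noenv
include common-password""",
    "imap": """include common-auth
include common-account
include common-password
include common-session""",
    "apache2": "include common-auth\ninclude common-account",
    "common-auth": "auth required pam_env.so\nauth required pam_unix.so",
    "common-account": "auth required pam_unix.so",
    "common-session": "session required pam_limits.so\nsession required pam_unix.so",
    "common-password": "password required pam_unix.so md5",
}
TYPES = ("auth", "account", "session", "password")

def effective_stack(service, files=PAM_D, _seen=()):
    """Return {type: [(control, module, args), ...]} with includes expanded in order."""
    if service in _seen:
        raise ValueError("include loop at " + service)
    stack = {t: [] for t in TYPES}
    for line in files[service].splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, tokenize
        if not fields:
            continue
        if fields[0] in ("include", "@include"):
            sub = effective_stack(fields[1], files, _seen + (service,))
            for t in TYPES:
                stack[t].extend(sub[t])
        else:
            mtype, control, module, *args = fields
            stack[mtype].append((control, module, tuple(args)))
    return stack

def same_auth_path(a, b, files=PAM_D):
    """True when two services run identical auth and account rules."""
    sa, sb = effective_stack(a, files), effective_stack(b, files)
    return sa["auth"] == sb["auth"] and sa["account"] == sb["account"]

if __name__ == "__main__":
    for svc in ("ssh", "imap", "apache2"):
        st = effective_stack(svc)
        print(svc, {t: [m for _, m, _ in st[t]] for t in TYPES})
    print("apache2 and imap identical:", same_auth_path("apache2", "imap"))
```

As transcribed, apache2 and imap expand to the same auth rules and neither has any account-type rule, because the one line in common-account is typed auth.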