My employer has been running RHEL 6.x and Apache httpd 2.2 for many years. We are currently in the process of migrating to new hardware running RHEL 7.1 and Apache httpd 2.4. Our current web site has various locations that contain downloadable material for different sets of clients. Clients all have system accounts on the server box. We currently control access to the locations based on the client users' group membership.
For example:
<Location /xyzzy/*>
AuthName "xyzzy product support"
AuthShadow on
AuthType Basic
require group xyzzy
Options Includes ExecCGI Indexes FollowSymLinks MultiViews
</Location>
We have been successfully using mod_auth_shadow to implement this access control under Apache 2.2. However, we've found that this module won't load under 2.4 because the module calls ap_requires(), which is not present under 2.4.
We've noticed that RHEL 7 by default runs
/usr/sbin/saslauthd -m /run/saslauthd -a pam
so I've been looking at using PAM through mod_authn_sasl as a replacement for mod_auth_shadow. I've had partial success with this Apache configuration:
<Location /xyzzy/*>
AuthType Basic
AuthName "xyzzy product support"
AuthBasicProvider sasl
AuthBasicAuthoritative On
AuthSaslPwcheckMethod saslauthd
Require valid-user
</Location>
combined with this /etc/pam.d/http file:
#%PAM-1.0
auth include password-auth
auth include pam_group
account include password-auth
With this combination any user with valid login credentials can access the xyzzy location. I believe this validates that the basic connection between Apache -> saslauthd -> PAM is working. But that's not the level of granularity we're looking for.
This alternative httpd configuration:
<Location /xyzzy/*>
AuthType Basic
AuthName "xyzzy product support"
AuthBasicProvider sasl
AuthBasicAuthoritative On
AuthSaslPwcheckMethod saslauthd
Require group xyzzy
</Location>
generates this error in the httpd log:
AH01664: No group file was specified in the configuration
This suggests that httpd is not going through saslauthd in order to validate group membership. So far, I haven't found an httpd directive that would force group authentication through sasl in the way that user/password authentication does.
(Why am I using the system passwd, shadow and group files for authentication instead of a separate database for http? Some clients prefer to download their support files via ftp rather than http, so we use the system accounts in order to give our clients relatively easy switching between the two protocols.)
As a last resort I'm prepared to try updating mod_auth_shadow for 2.4. But I've never coded or debugged an Apache module, so there's an unknown learning curve involved in that approach. So I'm completely open to suggestions!
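The AH01664 message quoted above comes from mod_authz_groupfile, which is what handles "Require group" in stock httpd 2.4 and which only consults an AuthGroupFile, not saslauthd. One way to keep system groups as the single source of truth, as an added example that is not part of the original post, is to export the relevant /etc/group entries into AuthGroupFile format and point httpd at that file. The group names, the output path and the sample group database below are constructed for illustration.

```bash
#!/bin/sh
# Build an Apache AuthGroupFile ("group: user1 user2 ...") from records in
# /etc/group format, exporting only the groups named on the command line.
# Pair it with (paths hypothetical):
#   AuthGroupFile /etc/httpd/conf/system-groups
#   Require group xyzzy
# Caveat: /etc/group (and getent) list only supplementary members, so users
# whose *primary* GID is the group will not appear; refresh the file (e.g.
# from cron) whenever membership changes, and keep it root-owned/0644.

# Reads /etc/group-format records on stdin, writes AuthGroupFile lines.
group_to_authgroup() {
    awk -F: -v wanted="$*" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) keep[w[i]] = 1 }
        ($1 in keep) {
            gsub(/,/, " ", $4)                  # comma list -> space list
            if ($4 == "") printf "%s:\n", $1    # group with no members
            else          printf "%s: %s\n", $1, $4
        }'
}

# Real use: read the live group database (NSS-aware) for the given groups.
generate_authgroupfile() {
    getent group | group_to_authgroup "$@"
}

# Constructed sample group database standing in for /etc/group.
SAMPLE_GROUP_DB='root:x:0:
xyzzy:x:1001:alice,bob
plugh:x:1002:carol
wheel:x:10:alice'

# Same conversion over the constructed sample, for offline demonstration.
build_sample_authgroupfile() {
    printf '%s\n' "$SAMPLE_GROUP_DB" | group_to_authgroup "$@"
}

# Demonstration: only the requested groups are exported.
build_sample_authgroupfile xyzzy plugh
```

Only the groups that gate web locations should be exported, so the file does not become a list of every account on the box.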