Apache PAM authentication using Winbind

Some initial considerations:

This documentation details the configuration of the mod_auth_pam module for use with Apache. As the documentation at http://pam.sourceforge.net/mod_auth_pam/ states, mod_auth_pam should be used in conjunction with SSL/TLS: with AuthType Basic the browser sends the user's Windows password, merely base64-encoded, on every request, so without TLS the domain password is exposed on the wire. Please make sure that your site is configured for SSL/TLS before deploying this system in a live environment.

This configuration requires that DSPAM users have their Windows account name (sAMAccountName) configured as an email alias for their particular DSPAM settings, as described in Installation/Postfix/RelayClamExchangeWebUiToActiveDirectory. Because this system uses Windows authentication, it is assumed that you are configuring a relay server in front of an Exchange or other Windows-enabled backend.

I have used this configuration with both Exchange 2003 and a sendmail-based system using winbind for local authentication. Both run without any problems.

Why not use LDAP?

Good question. mod_auth_pam is no longer maintained, and there are quite a few LDAP authentication modules available, so why bother?

The main reason I've implemented winbind is that in my Active Directory environment it is quite easy to join a Linux server to the domain using Samba and Winbind, whereas I have had considerable trouble with the LDAP tools because of SSL/TLS. The difficulty is mainly that it is hard to configure the OpenLDAP client to trust the Active Directory root certificate, while the Windows servers do not generally allow binds over unencrypted LDAP connections. Because both sides are doing the right thing and refusing unsecured or untrusted communication, I am stuck unless I can get OpenLDAP to trust the SSL certificates from my Windows servers.

So in my case it was simply a matter of using the authentication mechanism that already worked over the one that would have taken far too much time to configure. If you have no other need to configure winbind, I encourage you to look elsewhere.

Getting started

Mod_auth_pam:

Download mod_auth_pam from http://pam.sourceforge.net/mod_auth_pam/download.html and build the module following the documentation at http://pam.sourceforge.net/mod_auth_pam/install.html.

Winbind:

I'd like to be able to list a detailed configuration here at some stage, but for now please check the Samba documentation at http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/. I do have a few tips though:

Pam:

So far I have only configured this system on Fedora. If anyone has instructions for other distros, please feel free to insert them below:

Fedora:

vi /etc/pam.d/httpd

#%PAM-1.0
# "httpd" is the PAM service name mod_auth_pam uses. Both the auth and
# account phases go to winbind; "required" means a winbind failure denies
# the request, and a disabled or expired domain account is rejected in the
# account phase even if the password was right.
auth        required    pam_winbind.so
account     required    pam_winbind.so

Apache:

Within your DSPAM virtual host configuration adjust the following (the names in angle brackets are placeholders for your own values):

  <VirtualHost *:443>
      DocumentRoot "/var/www/htdocs/<yourRoot>"
      ServerName <yourServerName>
      ServerAdmin <yourServerAdmin>
      ErrorLog /usr/local/apache2/logs/<yourErrorLog>
      TransferLog /usr/local/apache2/logs/<yourAccessLog>
      SSLEngine on
      # Basic auth carries the Windows password on every request, so refuse
      # SSLv2/SSLv3 and the NULL, export, LOW, MD5 and RC4 ciphers that the
      # old mod_ssl example suite ("ALL:!ADH:...:+eNULL") still permitted.
      SSLProtocol all -SSLv2 -SSLv3
      SSLCipherSuite HIGH:!aNULL:!eNULL:!EXPORT:!LOW:!MD5:!RC4
      SSLCertificateFile /usr/local/apache2/conf/ssl.crt/<yourCert>
      SSLCertificateKeyFile /usr/local/apache2/conf/ssl.key/<yourKey>
      RewriteEngine on
      RewriteRule ^/$ /dspam.cgi [R]
      # Replace with your suexec user and group. Keep comments on their own
      # lines: httpd does not accept a '#' comment after a directive and
      # would reject "SuexecUserGroup dspam dspam #..." as extra arguments.
      SuexecUserGroup dspam dspam
      <Directory "/var/www/htdocs/<yourRoot>">
          AuthBasicAuthoritative off
          AuthPAM_Enabled on
          AuthPAM_Fallthrough off
          Options FollowSymLinks ExecCGI
          order deny,allow
          SSLRequireSSL
          AuthType Basic
          AuthName "DSPAM Control Center"
          # Modify this to a suitable Windows group. The name must match what
          # winbind returns through NSS (getent group), so it normally needs
          # the domain prefix and separator, e.g. "DOMAIN\domain users",
          # unless smb.conf sets "winbind use default domain = yes".
          require group "domain users"
      </Directory>
  </VirtualHost>

Restart your Apache server and attempt to log in. Provided that PAM, Winbind and mod_auth_pam are all configured, you should be able to authenticate. If this does not work, troubleshoot each layer separately:
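A layer-by-layer check of the Winbind, NSS, PAM and Apache chain described above, written as an added example for this page rather than taken from it. Everything at the top of the script is an assumption for your site (the domain EXAMPLE, the winbind separator, the account jdoe and the URL are placeholders), the PAM step assumes the pamtester utility is installed, and the group check relies on mod_auth_pam resolving "require group" through the system group database (getgrnam) rather than through PAM, which is why winbind must be listed for "group:" in /etc/nsswitch.conf and why the group name must carry the domain prefix and separator unless "winbind use default domain = yes" is set in smb.conf.

```shell
#!/bin/sh
# Troubleshoot the Winbind -> NSS -> PAM -> mod_auth_pam chain one layer at
# a time. Added example, not code from the original page; every value in
# the block below is an assumption to replace with your own.
set -u

DOMAIN="EXAMPLE"                    # assumed NetBIOS domain (workgroup = in smb.conf)
WB_SEP='\'                          # assumed 'winbind separator' (samba default is '\')
USE_DEFAULT_DOMAIN="no"             # assumed 'winbind use default domain' setting
USER_NAME="jdoe"                    # assumed test account in the domain
GROUP_NAME="domain users"           # the group named in 'require group'
URL="https://dspam.example.com/"    # assumed DSPAM virtual host

# Group name as winbind hands it to NSS, which is what mod_auth_pam compares
# against 'require group': DOMAIN<sep>group, or the bare group name when
# 'winbind use default domain = yes' strips the prefix.
winbind_group_name() {
    domain=$1 group=$2 sep=$3 use_default=${4:-no}
    if [ "$use_default" = "yes" ]; then
        printf '%s\n' "$group"
    else
        printf '%s%s%s\n' "$domain" "$sep" "$group"
    fi
}

# 1. Winbind: the machine trust account works and a real logon succeeds.
check_winbind() {
    wbinfo -t || { echo "winbind: trust secret check failed"; return 1; }
    wbinfo -a "$DOMAIN$WB_SEP$USER_NAME"   # prompts for the account password
}

# 2. NSS: if the group does not resolve, 'require group' can never match.
check_nss_group() {
    name=$(winbind_group_name "$DOMAIN" "$GROUP_NAME" "$WB_SEP" "$USE_DEFAULT_DOMAIN")
    getent group "$name" >/dev/null ||
        { echo "nss: group '$name' not found; check 'group:' in nsswitch.conf"; return 1; }
}

# 3. PAM: exercise /etc/pam.d/httpd directly, auth and account phases
#    (assumes pamtester is installed).
check_pam() {
    pamtester httpd "$USER_NAME" authenticate acct_mgmt
}

# 4. Apache: a clean configtest (an inline '#' comment fails here), then the
#    virtual host must answer 401 anonymously and 200 with credentials.
#    Add --cacert <file> to curl if the server certificate is not trusted.
check_apache() {
    apachectl configtest || return 1
    anon=$(curl -s -o /dev/null -w '%{http_code}' "$URL")
    auth=$(curl -s -o /dev/null -w '%{http_code}' -u "$USER_NAME" "$URL")
    echo "anonymous: $anon (want 401)  authenticated: $auth (want 200)"
    [ "$anon" = 401 ] && [ "$auth" = 200 ]
}

# The checks run in order, stopping at the first failing layer, only when
# invoked as:  sh check-auth-chain.sh run
case "${1:-}" in
    run) check_winbind && check_nss_group && check_pam && check_apache ;;
esac
```

The first layer that fails is the one to fix: a wbinfo failure means the domain join or winbindd is broken, a getent failure means nsswitch.conf or the group spelling, a pamtester failure means /etc/pam.d/httpd, and a 401 from curl with correct credentials while pamtester succeeds points at the mod_auth_pam directives in the virtual host.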

Disclaimer:

last edited 2007-10-05 04:40:24 by JoelButler