
Re: Using system passwords with Apache





--On July 31, 2005 1:07:27 PM -0400 Stephen R Laniel <steve@laniels.org> wrote:

On Sun, Jul 31, 2005 at 03:41:02PM +0200, jonathan gonzalez wrote:
I recommend mod-auth-mysql and mod-auth-ldap. Additionally you can try
testing the digest authentication (MD5) instead of clear text
credentials.

I think I'd just use SSL rather than MD5 authentication.

SSL has much wider support than MD5 auth anyway.

Others have suggested mod_auth_pam. My concern with using
PAM, come to think of it, is that my client's site is using
virtual hosts. I don't want every shell user to have access
to every virtual host. For hackish reasons, shell users have
names like 'johnsmith-example-com' for user johnsmith on
host example.com. So:

1) Does anyone know whether mod_auth_pam would have the
   problem that I mentioned? And

2) Do mod_auth_mysql and mod_auth_ldap play nicely with
   virtual hosts?

I have literally zero experience with LDAP and MySQL, so
this will be an education for me.

MySQL and LDAP are alternative technologies to using /etc/passwd... so if you're not using them already then you're going to have to convert all of your existing users and passwords. Not simple. Plus they'll need to be all kept in sync, which is easy enough to do with PAM over the entire system. I use PAM regardless of the underlying technology, because then I configure the underlying technology once, and in one place. Everything else just says "use PAM". If something changes with, say, the LDAP schema or what have you, I change it once in one place.



