ModAuthzUnixGroup
Author and Former Maintainer: Jan Wolter (http://www.unixpapa.com, deceased)
Mailing List: mod_auth_external@googlegroups.com
Mod_Authz_Unixgroup is a unix group access control module for Apache 2.1 and later. If you are having users authenticate with real Unix login IDs over the net, using something like my mod_authnz_external / pwauth combination, and you want to do access control based on unix group membership, then mod_authz_unixgroup is exactly what you need.
There are different versions of mod_authz_unixgroup for different Apache releases:
Apache release | Module version |
---|---|
Apache 2.2 | Mod_authz_unixgroup 1.0.x |
Apache 2.4 | Mod_authz_unixgroup 1.1.x |
The configuration commands for these two versions are quite different.
Let's say you are doing unix passwd file authentication with mod_authnz_external and pwauth. Your .htaccess file for a protected directory would probably start with the following directives:
AuthType Basic
AuthName mysite
AuthBasicProvider external
AuthExternal pwauth
That would cause mod_auth_basic and mod_authnz_external to do authentication based on the Unix passwd database. Mod_Authz_Unixgroup would come into play if you wanted to further restrict access to specific Unix groups. You might append the following directives:
Apache 2.2:
AuthzUnixgroup on
Require group staff admin
Apache 2.4:
Require unix-group staff admin
This would allow access only to accounts in the 'staff' or 'admin' unix groups. You can alternately specify groups by their gid numbers instead of their names.
Though it makes the most sense to use mod_authz_unixgroup with unix passwd authentication, it can be used with other databases. In that case it would grant access if (1) the name the user authenticated with exactly matched the name of a real unix account on the server, and (2) that real unix account was in one of the required groups. However, I think this would be a pretty senseless way to use this module. I expect that it will really only be used by users of mod_authnz_external and pwauth or other similar software.
Some authentication modules, like mod_auth_kerb, use usernames that have domains appended to them, like "whomever@krb.ncsu.edu". In such cases, mod_authz_unixgroup will take the part before the @-sign as the username and ignore the rest.
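The matching rules from the two paragraphs above, modelled as an added Python example (it is not the module's own code, which is C). The account and group tables are constructed, and counting both the primary gid and the group's member list as membership is an assumption; note that the realm after the @ plays no part in the decision, so the authentication layer has to be the one that restricts which realms are accepted.

```python
# Constructed stand-ins for /etc/passwd and /etc/group (not real accounts).
PASSWD = {"alice": 50, "bob": 1002, "carol": 1003}  # login -> primary gid
GROUP = {                                           # name -> (gid, members)
    "staff": (50, []),
    "admin": (60, ["bob"]),
}


def local_name(authenticated_user):
    """Keep only the part before the '@'; the realm is discarded."""
    return authenticated_user.split("@", 1)[0]


def resolve_gid(token):
    """A Require argument may be a group name or a numeric gid."""
    if token.isdigit():
        return int(token)
    entry = GROUP.get(token)
    return entry[0] if entry else None


def in_unix_group(authenticated_user, required):
    """Model of 'Require unix-group <required>' for one request."""
    user = local_name(authenticated_user)
    if user not in PASSWD:          # (1) must exactly match a real account
        return False
    for token in required.split():
        gid = resolve_gid(token)
        if gid is None:             # unknown group name: cannot match
            continue
        if PASSWD[user] == gid:     # (2a) assumed: primary group counts
            return True
        if any(g == gid and user in members for g, members in GROUP.values()):
            return True             # (2b) listed as a member of the group
    return False


if __name__ == "__main__":
    for who in ("alice", "bob", "carol", "Alice", "dave",
                "alice@krb.ncsu.edu", "alice@elsewhere.example"):
        print(f"{who:26} -> {in_unix_group(who, 'staff admin')}")
```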
It will come as no surprise that this module works only on Unix systems. It should work on pretty much any vaguely modern Unix.
To install the module in Apache, you follow pretty much the same procedure as for mod_auth_external.
The configuration commands for mod_authz_unixgroup are entirely different depending on whether you are using Apache 2.2 or Apache 2.4. Choose your poison: