Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at

Bug 166542

Summary: Review Request: mod_auth_pam: PAM authentication module for Apache
Product: [Fedora] Fedora Reporter: Ignacio Vazquez-Abrams <ivazqueznet>
Component: Package ReviewAssignee: Aurelien Bompard <gauret>
Status: CLOSED NEXTRELEASE QA Contact: David Lawrence <dkl>
Severity: medium Docs Contact:
Priority: medium    
Version: rawhideCC: avi, fedora-extras-list, lesmikesell, rdieter
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2005-09-28 17:42:07 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 163779    

Description Ignacio Vazquez-Abrams 2005-08-23 05:09:24 UTC
Spec Name or Url:
SRPM Name or Url:
Description: The PAM authentication module implements Basic authentication on top of the Pluggable Authentication Module library. Thereby it supports standard unix passwd, shadow, NIS, SMB auth and radius authentication transparently and easily interchangeable, wherever the HTTP protocol allows it.

Comment 1 Rex Dieter 2005-08-23 11:57:55 UTC
Looks good (very close to what I've been using).  
Now, pam is a dark-art and mysterious black-box to me most of the time (so my 
understanding and suggestion my be way off-base), but, I'd suggest replacing 
the sample pam.d/httpd containing: 
auth       required     /lib/security/ 
account    required     /lib/security/ 
auth       required service=system-auth 
account    required service=system-auth 
so that mod_auth_pam uses whatever has been configured via system-config-auth. 

Comment 2 Matthias Saou 2005-08-23 12:04:50 UTC
Worth mentioning too that the /lib/security/*.so lines won't work on x86_64
where those are in /lib64/security/ instead, so yes, fixing those lines is required.

Comment 3 Ignacio Vazquez-Abrams 2005-08-23 16:18:11 UTC

Comment 4 Aurelien Bompard 2005-09-02 16:58:43 UTC
* Please use "install -p" to preserve timestamps
* Change the Requires line to:
Requires: httpd-mmn = %(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)
 as in the PHP package, it causes an error in mock.
* If you want, you can use a dist tag.
* Is the License tag correct ? I know you have included the full text of the
license, but maybe the License tag should be "Distributable", (which is what we
use when we mean "look at the LICENSE file")
* please prefix the additional sources with mod_auth_pam- for those who have a
common SOURCES dir (as in the default rpm setup).

Comment 5 Ignacio Vazquez-Abrams 2005-09-03 21:12:58 UTC

Comment 6 Aurelien Bompard 2005-09-04 10:02:26 UTC
The requires httpd-mmn lines stills kills mock. In the file root.log:
/sbin/runuser -c 'rpm -Uvh --nodeps
/builddir/build/originals/mod_auth_pam-1.1.1-1.src.rpm' mockbuild
mod_auth_pam                warning: user ignacio does not exist - using root
warning: group ignacio does not exist - using root
warning: group ignacio does not exist - using root
error: line 16: Version required: Requires:       httpd-mmn =

The reason is that when mock installs the srpm, httpd is not yet installed, but
the spec file is parsed. You have to add some kind of "|| true" parachute to the
line, as done in the php package.

Comment 7 Les Mikesell 2005-09-09 16:35:43 UTC
One option to consider is:

auth       required service=system-auth 
account    required

as a variation that will allow web access to anyone that can authenticate to pam
even if they don't otherwise have an account set up.   This can be used, for
example. with smb authentication against a windows domain and will permit anyone
in the domain to use web services even if they can't log into the machine
services that require an account (and unlike winbindd, smb doesn't create one).

Comment 8 Ignacio Vazquez-Abrams 2005-09-27 12:17:41 UTC
(In reply to comment #6)


(In reply to comment #7)

I added a little note to the PAM config about this.

Comment 9 Aurelien Bompard 2005-09-27 12:52:48 UTC
One last thing : /usr/share/doc/mod_auth_pam-1.1.1/COPYING is set executable.

Comment 10 Ignacio Vazquez-Abrams 2005-09-27 14:09:26 UTC
Whoops. Updated.

Comment 11 Aurelien Bompard 2005-09-27 14:51:41 UTC
Review for release 1:
* RPM name is OK
* Source mod_auth_pam-2.0-1.1.1.tar.gz is the same as upstream
* Builds fine in mock
* rpmlint of mod_auth_pam looks OK
* File list of mod_auth_pam looks OK
* Works fine.

Comment 12 Ignacio Vazquez-Abrams 2005-09-28 17:42:07 UTC
Built for FC4 and devel.