Okay, I'm pretty new to Apache, but so far I'm doing okay, except that I've run into an issue that seems simple, but so far I've found no resolution for it. I'm also new to this forum, so if what I'm asking is a FAQ (and I expect it might be, but I haven't found the information), I'd appreciate a pointer to the appropriate documentation. Summary: I am looking for a way to get Apache to perform user authentication with the same credentials as the system login, rather than artificially creating a second authentication file. Background: I am setting up a Subversion server on an Ubuntu box, and using Apache as my HTTP server to expose the Subversion repository. Apache authentication is required to make sure only authorized users can get at the repository. I've been reasonably successful so far, but have not been able to set up the type of Authentication I want. Problem Details: So far, almost everything that I've found seems to be indicating that I can't do what I want. The examples all refer to using the htpasswd command to create a username/password file, then using the AuthUserFile directive in the Apache config. I have been working with various sources: The O'Reilly Subversion book Official Apache documentation on Authentication (http://httpd.apache.org/docs/2.2/howto/auth.html) A tutorial I found on "Apache Web Login Authentication" (http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html) A couple of Ubuntu docs on Subversion setup (https://help.ubuntu.com/8.04/serverguide/C/subversion.html, http://www.subversionary.org/howto/setting-up-a-subversion-server-on-ubuntu-gutsy-gibbon-server) The problem with using htpasswd and AuthUserFile is that there is no relation between the credentials in this file, and what the user would normally use to log in on the Linux system. Users are required to remember a second password, or give their password to the Apache/Subversion admin to add to the authentication file. And, any time the user changes their password, the Apache authentication file also needs to be updated to keep them in sync. I have used Subversion (served up by Apache) at previous jobs, and the credentials required by Apache were always the same as the system login. On first connection to the repository, Apache would prompt the user for credentials, the user would give their system login name and password, and the authentication would remain valid for that session. When users needed to change their passwords (every 60 days), there was no reconfiguring or updating of Apache authentication credentials; the next time Apache challenged for credentials, the user would give the new password, and it would be accepted by Apache, allowing access to the repository. What I'm doing is focusing on access to a Subversion repository, but Subversion doesn't really factor into the equation here. Apache is just being told how to authenticate users within a <Location> block. The only clue that I've found to indicate that Apache can use system login credentials is in a tutorial section called "Using NIS for Apache Authentication" (http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.html#NIS), which says: "The advantage of using NIS, is the comonality of computer system accounts and web site logins. This configuration requires that the system the Apache web server is running on, must be using NIS authentication for system logins." Since I am just setting this up on a small home network (one Linux and two Windows boxes), I strongly doubt that I'm using (or would want to use) NIS. It may be that what we were doing in a work environment on a large, sophisticated network can't be done on my small home system. So, I'm able to set up my Apache server to perform authentication when accessing my Subversion repository, but it's using this artificial secondary file to do so. If it's not possible in this small environment to get Apache to use system logins, I can live with that. But if there is a straightforward way of doing what I want, I would appreciate a pointer. Thanks.
You need to look up the auth_pam module. This will authenticate against the PAM (Pluggable Authentication Module) system that linux already uses. If you're using a debian-based system (like Ubuntu), it may already be in the repository and a simple apt-get will install it. Hope this helps. -Doug
I've gotten a chance to take a look at the PAM, and I'm thinking it doesn't look like a good option. Sounds like just what I wanted, but from what I've found, it seems like it is outdated, and no longer maintained. Looking in the Synaptic Package Manager at libapache2-mod-auth-pam (version 1.1.1-6.1ubuntu1), the description says: module for Apache2 which authenticate using PAM mod_auth_pam implements authentication routines using PAM (Plugable Authentication Modules) for apache's authentication protocol. This package provides the module for Apache 2.0 sever. The emphasis on the Apache 2.0 is mine, but it's relevant, since I'm using Apache 2.2. I also found this information at (http://pam.sourceforge.net/mod_auth_pam/), the SourceForge page for pluggable authentication for Apache: Status & Support mod_auth_pam is not supported and/or developed any longer. The original author moved on and it mostly works for Apache 1.3 and 2.0. So, all things considered, it doesn't sound like the right way for me to go, if it doesn't support my current version of Apache, and it isn't being developed any longer. Has anyone tried it and had good results with Apache 2.2? Thanks.