
Configure HTTPD (Apache) for PAM Authentication

Recall that the reason for doing this Linux-Windows integration was to get the users of my Linux-based backup server to have web-based access to their files, from their Windows XP desktops.

I will not go into the details of configuring the BackupPC web interface. That's extensively covered in the BackupPC documentation here.

Apache has an almost-annoyingly huge number of authentication mechanisms, but most people use password authentication based on an .htpasswd or .htaccess file. However, since all the users of my Linux-based backup system already had accounts on the ADS server, it seemed to make no sense to create a parallel authentication database for them. Not to mention the nightmare of synchronising the two databases when either or both change.

I'll start by getting Apache to grant access only to users who authenticate on its host Linux box. Keep in mind though, that those users will actually be authenticating against an ADS database. This is made possible by PAM, and to make Apache authenticate using PAM, we must download and install the Apache mod_auth_pam module.

You can download mod_auth_pam here for Apache 2.0, or here, for Apache 1.3.

For some reason, although Fedora Core 4 ships with Apache 2.0, the version of mod_auth_pam shipped is for Apache 1.3, so I had to download from the site mentioned earlier, and build mod_auth_pam for Apache 2. This may have been corrected if you have the latest updates installed.

I also found that I needed apxs, which must be the correct version for your version of Apache. apxs is included in the httpd-devel rpm package, so you should install that if it's not installed.

Once mod_auth_pam is built and/or installed, you need to edit (or create) the /etc/pam.d/httpd file. Make sure you have the following contents in that file:

    #%PAM-1.0
    auth       required     pam_winbind.so service=system-auth
    account    required     pam_permit.so

You also need to edit your httpd.conf file (located at /etc/httpd/conf/httpd.conf in Fedora Core 4; your location may be different). The part of that file you need to edit is the part that controls access to your BackupPC_Admin script, located in Apache's cgi-bin directory (which you would have specified when installing BackupPC):

    # Put your BackupPC cgi-bin folder here
    <Directory /var/www/cgi-bin/>
        SetHandler perl-script
        PerlResponseHandler ModPerl::Registry
        PerlOptions +ParseHeaders
        Options +ExecCGI
        Order deny,allow
        Deny from all
        # Put this if you want to restrict access to a few specified hosts
        Allow from x.y.z  a.b.c

        # Name displayed in the login box seen by your users
        AuthName "BackupPC Server"
        # The following lines are the ones that control access to the
        # BackupPC cgi-bin directory via PAM Authentication
        AuthPAM_Enabled on
        AuthType Basic
        # i.e. valid user in the ADS domain
        Require valid-user
    </Directory>

Once you've done this, restart your httpd server.
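A static check of the two edited files that can be run before the restart, as an added example that is not part of the original post. The function name `check_pam_auth`, its messages and the sample files are this example's own; it verifies that the PAM service file uses pam_winbind.so and that the `<Directory>` block carries the three PAM-related directives, each on a line of its own.

```shell
#!/bin/sh
# Added example, not from the original post. check_pam_auth is this
# example's own name; arguments: PAM_FILE HTTPD_CONF DIRECTORY.
check_pam_auth() {
    pam_file=$1; conf=$2; dir=$3; rc=0

    # The PAM service file must send the auth stack through pam_winbind.so.
    grep -Eq '^[[:space:]]*auth[[:space:]]+[^[:space:]]+[[:space:]]+pam_winbind\.so' "$pam_file" ||
        { echo "FAIL: no pam_winbind.so auth line in $pam_file"; rc=1; }

    # Extract the body of <Directory DIR>, skipping comment-only lines and
    # normalising case and whitespace so directives can be matched exactly.
    block=$(awk -v d="$dir" '
        tolower($1) == "<directory" {
            p = $2; sub(/>.*/, "", p); gsub(/"/, "", p); inblk = (p == d); next }
        tolower($1) == "</directory>" { inblk = 0 }
        inblk && NF && $1 !~ /^#/ { $1 = $1; print tolower($0) }' "$conf")
    [ -n "$block" ] || { echo "FAIL: no <Directory $dir> block in $conf"; return 1; }

    for want in 'authpam_enabled on' 'authtype basic' 'require valid-user'; do
        printf '%s\n' "$block" | grep -Fxq "$want" ||
            { echo "FAIL: '$want' not set on a line of its own"; rc=1; }
    done

    # Apache does not allow a comment on the same line as a directive.
    if printf '%s\n' "$block" | grep -q ' #'; then
        echo "FAIL: trailing '#' comment on a directive line"; rc=1
    fi
    return $rc
}

# With three arguments, check real files; otherwise use constructed samples.
if [ "$#" -eq 3 ]; then
    check_pam_auth "$@"
else
    t=$(mktemp -d)
    printf 'auth required pam_winbind.so\n' > "$t/pam"        # constructed
    printf '%s\n' '<Directory /var/www/cgi-bin/>' 'AuthType Basic' \
        'AuthPAM_Enabled on' 'Require valid-user # any ADS user' \
        '</Directory>' > "$t/conf"                             # constructed
    check_pam_auth "$t/pam" "$t/conf" /var/www/cgi-bin/ ||
        echo "(constructed sample rejected, as intended)"
    rm -rf "$t"
fi
```

On the system described here it would be called as `check_pam_auth /etc/pam.d/httpd /etc/httpd/conf/httpd.conf /var/www/cgi-bin/`.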

Now, anybody who tries to access the protected BackupPC directory (by typing http://name.of.backuppc.server/cgi-bin/BackupPC_Admin into their browser) will get a box prompting them to enter their username and password.

The next step is to integrate all this with BackupPC's web interface, so that users only see their own workstation's files, and BackupPC Administrators see all files for all workstations.
