After a very frustrating hour of trying to figure out why pwauth, called from the Apache module mod_auth_external, was failing for some user accounts but not others, I finally discovered that the source code has a default minimum UID of 500. This default appears to be preserved in the package pwauth-2.3.10-1.el6.x86_64 from EPEL.
The error messages on failure in the Apache error_log look something like this:

[Wed Aug 08 17:08:04 2012] [error] [client 10.1.1.1] user foo: authentication failure for "/bar/": Password Mismatch
[Wed Aug 08 17:08:29 2012] [error] [client 10.1.1.1] AuthExtern pwauth [/usr/bin/pwauth]: Failed (3) for user foo
The solution is to download the pwauth source and change two header values. For pwauth-2.3.10, you need to change these two values in the config.h header:
#define SERVER_UIDS 30 /* user "wwwrun" on the author's system */
#define MIN_UNIX_UID 500 /**/
On RHEL/SL/CentOS, the SERVER_UIDS value (that is, the UID of apache) is likely 48. Since I had already installed the pwauth RPM, the installation was simple, as the necessary PAM configuration was already done.
$ sudo mv /usr/bin/pwauth /usr/bin/pwauth.old
$ sudo cp ./pwauth /usr/bin/pwauth
$ sudo chgrp apache /usr/bin/pwauth
$ sudo chmod 4750 /usr/bin/pwauth
$ ls -la /usr/bin/pwauth*
-rwsr-x--- 1 root apache 20066 Aug  8 17:28 /usr/bin/pwauth
-rwsr-x--- 1 root apache  8112 May  7 18:27 /usr/bin/pwauth.old
And that fixes the UID restriction.
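MIN_UNIX_UID exists so that a web login path cannot authenticate low-numbered system accounts (root, daemon users and the like) through pwauth. Before lowering it, it is worth knowing exactly which accounts fall under the current threshold, since those are both the accounts that currently fail and the ones a lower threshold will newly expose to web-based password guessing. The following script is an added example, not code from the original post or from the pwauth project: it takes a passwd-format listing and a candidate MIN_UNIX_UID and reports which accounts pwauth would refuse, and it checks that the installed binary carries the 4750 root:apache mode the post uses. The passwd entries are constructed sample data; on a real host feed it the output of getent passwd.

```shell
#!/bin/sh
# Added example (not part of the original post or of pwauth itself):
# show which accounts fall below pwauth's compiled MIN_UNIX_UID, so the
# effect of lowering the threshold is visible before rebuilding.

# Constructed sample in /etc/passwd format. Replace with: getent passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
foo:x:420:420:Foo User:/home/foo:/bin/bash
bar:x:1001:1001:Bar User:/home/bar:/bin/bash'

# pwauth_rejected_users MIN_UID PASSWD_TEXT
# Prints "user:uid" for every account whose UID is below MIN_UID, i.e. the
# accounts pwauth will fail (the "Failed (3)" case in the error_log).
pwauth_rejected_users() {
    printf '%s\n' "$2" | awk -F: -v min="$1" '$3 < min { print $1 ":" $3 }'
}

# pwauth_allowed_users MIN_UID PASSWD_TEXT
# Prints "user:uid" for every account at or above MIN_UID.
pwauth_allowed_users() {
    printf '%s\n' "$2" | awk -F: -v min="$1" '$3 >= min { print $1 ":" $3 }'
}

# pwauth_mode_ok MODE_OCTAL GROUP
# The post installs pwauth as mode 4750, owner root, group apache: setuid root
# so it can read the shadow database, but executable only by the web server's
# group. Anything more permissive lets other local users drive the binary.
pwauth_mode_ok() {
    [ "$1" = "4750" ] && [ "$2" = "apache" ]
}

# Read the installed binary's mode and group and check them.
# Assumes GNU stat (as on RHEL/CentOS); hypothetical helper for this example.
installed_pwauth_ok() {
    path=${1:-/usr/bin/pwauth}
    [ -e "$path" ] || return 1
    pwauth_mode_ok "$(stat -c %a "$path")" "$(stat -c %G "$path")"
}

if [ "${1:-}" = "--demo" ]; then
    echo "Rejected with MIN_UNIX_UID=500:"; pwauth_rejected_users 500 "$SAMPLE_PASSWD"
    echo "Rejected with MIN_UNIX_UID=100:"; pwauth_rejected_users 100 "$SAMPLE_PASSWD"
fi
```

Run it with --demo to see the two lists side by side; with the sample data the user foo (UID 420) is rejected at the default threshold of 500 and accepted at 100, while root and apache stay rejected either way, which is the property you want to preserve when picking a new value.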