NAME | SYNOPSIS | DESCRIPTION | EXAMPLES | ATTRIBUTES | SEE ALSO | NOTES
site_path/conf/realms.conf - Web site realms
/etc/http/realms.conf - Server realms for server administration
Realms in Sun™ WebServer™ define sets of protection spaces or authentication domains consisting of user names, groups, and passwords. Sun WebServer uses realm information to determine how a user is authenticated. For example, a UNIX-based realm stores user and password information as well as group information in appropriate files or tables if distributed NIS/NIS+ is used. For HTPASSWD realms, you can define your own set of users and groups in a realm. Regardless of how the realm information is stored and accessed, the access control settings require realms to protect resources.
Realms are also differentiated based on how they are used. Two different realms can have different names with the same underlying users and groups database. This gives additional flexibility in naming the authentication domains displayed in the browser.
Most browsers display the realm name in the prompt when a user name and password are required, so the realm name should indicate to users the purpose for password protection and which user name and password to use.
Realm files may be created by htrealm(1m) or by the Sun WebServer GUI.
A realm definition consists of the following:
Realm identifier
Source of user information: HTPASSWD, ISP, ISPADMIN, or UNIXSYS
ISP or ISPADMIN realms are only valid if you are running Sun WebServer in an environment where Sun Directory Service for the Solaris ISP Server™ software has been installed.
List of realm members with permission to modify the realm itself
Directory location of user information for HTPASSWD realms
The following syntax rules apply to the realms.conf file:
The pound sign (#) is a comment character. All characters from a # to the end of a line are ignored.
White space is ignored in directive definitions.
Some directives accept a list of values. Separate multiple values by white space. If more than one line is required to list all values, escape all but the last newline with a backslash (\) at the end of the line.
All directives are grouped in blocks surrounded by curly braces ({ and }). Any amount of white space, newlines, or directive definitions may appear between an opening curly brace and its matching close, including directive blocks that also use matched curly braces to contain a definition.
Each realm definition is in the following form:
realm <identifier> {
    realm_source UNIXSYS | ISP | ISPADMIN | HTPASSWD
    [ realm_dir <data_directory> ]
    administrator {
        [ user <realm_user_name>[ <realm_user_name>...] ]
        [ group <realm_group_name>[ <realm_group_name>...] ]
    }
}
The syntax and definition of each directive are explained in the following Directives section.
The following keyword directives are valid in the realms.conf file:
administrator
Defines the realm users and groups that have permission to modify realm data. The admins directive may have a user directive or have a group directive. If neither user nor group is specified, then the site administrator becomes the default administrator.
group
Names groups of users that have permission to modify realm data. The group_name directive is an optional directive valid in the administrator block. Separate multiple group names with white space.
Defines the component identification, the version of Solaris ISP Server, and the Administrator realm (ISPADMIN). The default value is "SUNWhttp-2.1".
realm
Defines a realm. There may be multiple realm definitions in the realms.conf file, as long as each has a unique identifier. The identifier directive can be any arbitrary string of alphanumeric data (no special characters). White space is allowed when enclosed in double quotes.
The definition consists of realm directives, and must include at least a realm_source.
realm_dir
Defines a directory relative to the site path where the users and groups files for an HTPASSWD realm are stored. realm_dir is required and valid only if realm_source is HTPASSWD. It can be either an absolute path or a path relative to realms.conf, or it can be left unspecified. The default value is realms/realmname/.
realm_source
Defines the source of user and group information for the realm. This directive is required in every realm definition. realm_source may be one of the following:
HTPASSWD
Indicates that the user or group information is retrieved using the Sun WebServer users/group file format, and that user and group information will be maintained in the data directory named by realm_dir. The htrealm(1m) utility is used to create users and modify passwords.
ISP
Indicates that the user or group is stored in the Solaris ISP Server shared directory service. Changes to user and group information cannot be made through Sun WebServer.
ISPADMIN
Indicates that the principals are administrators in the Solaris ISP Server Sun™ Internet Administrator™. The -d flag takes the ISP-component ID and version (for example, "SUNWftp-2.0").
UNIXSYS
Indicates that the operating system user and group definitions will be used to authenticate users in the realm. Sun WebServer employs a standard Pluggable Authentication Module (PAM) for authentication. Changes to user and group information cannot be made through Sun WebServer.
user
Names realm users that have permission to modify realm data. The user_name can be specified in the administrator block. Separate multiple user names with white space.
httpd auth sufficient /usr/lib/security/pam_unix.so.1
httpd-isp auth sufficient /usr/lib/security/pam_ldap.so.1 autohost
This configures Sun WebServer httpd to use the UNIX PAM library for authentication, and the LDAP PAM library for authenticating Solaris ISP Server subscribers stored in the LDAP-based directory. This does not use stacking, but uses different service names (httpd, httpd-isp).
Sample realms.conf file:
realm siteAdmin {
    realm_source HTPASSWD
    administrator {
        user user1
    }
}
realm SystemUsers {
    realm_source UNIXSYS
}
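The syntax rules and directive constraints described on this page can be checked mechanically before a realms.conf file is deployed. The following is an added example, not Sun WebServer code: it assumes that a keyword or closing brace ends a value list, and its sample file (including the webadmins group and the realms/sys path) is constructed.

```python
import re

SOURCES = {"UNIXSYS", "ISP", "ISPADMIN", "HTPASSWD"}
SAMPLE = r'''# constructed sample for this example, not from a real site
realm siteAdmin { realm_source HTPASSWD administrator { user user1 \
    user2 group webadmins } }
realm "System Users" { realm_source UNIXSYS realm_dir realms/sys }  # stray realm_dir
realm staging { administrator { user user1 } }
'''

def parse_realms(text):
    # '#' runs to end of line; a backslash before a newline continues a value list
    text = re.sub(r"\\[ \t]*\n", " ", re.sub(r"#[^\n]*", "", text))
    toks, i, realms = re.findall(r'"[^"]*"|[{}]|[^\s{}"]+', text), 0, {}
    while i < len(toks):
        if toks[i] != "realm" or toks[i + 2:i + 3] != ["{"]:
            raise ValueError(f"expected 'realm <identifier> {{' at token {i}")
        name, i, depth, key = toks[i + 1].strip('"'), i + 3, 1, None
        if name in realms:
            raise ValueError(f"duplicate realm identifier {name!r}")
        r = realms[name] = {"realm_source": None, "realm_dir": None, "user": [], "group": []}
        while depth and i < len(toks):
            t, i = toks[i], i + 1
            if t == "}":
                depth -= 1
            elif depth == 1 and t in ("realm_source", "realm_dir") and i < len(toks):
                r[t], i = toks[i], i + 1
            elif depth == 1 and t == "administrator" and toks[i:i + 1] == ["{"]:
                depth, i, key = 2, i + 1, None
            elif depth == 2 and t in ("user", "group"):
                key = t
            elif depth == 2 and key and t != "{":
                r[key].append(t)
            else:
                raise ValueError(f"unexpected {t!r} in realm {name!r}")
        if depth:
            raise ValueError(f"unbalanced braces in realm {name!r}")
    return realms

def lint(realms):
    # Per-realm findings for the rules stated in the directive descriptions
    out = []
    for name, r in realms.items():
        if r["realm_source"] not in SOURCES:
            out.append(f"{name}: realm_source missing or invalid")
        if r["realm_dir"] and r["realm_source"] != "HTPASSWD":
            out.append(f"{name}: realm_dir is valid only for HTPASSWD")
        if not (r["user"] or r["group"]):
            out.append(f"{name}: no administrator listed, site administrator applies")
    return out
```

Running lint(parse_realms(SAMPLE)) reports the stray realm_dir, the realm that falls back to the site administrator, and the realm with no realm_source.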
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE |
Availability | SUNWhttpc |
Interface Stability | Evolving |
Sun WebServer on Solaris 2.6 and greater uses a Pluggable Authentication Module (PAM) for authenticating principals in UNIXSYS and ISP realms using /usr/lib/security/pam_unix.so, and /usr/lib/security/pam_ldap.so, respectively. Refer to pam.conf(4) for details on how to set up PAM.