lpmauthrepo — Restricted access LPMtool package repository


This is a basic implementation of a restricted access lpm package repository. Restricted package repositories are LPMtool package repositories that require a valid authorization key, issued by the repository's maintainer. An authorization key is required to download packages from the repository. Restricted repositories are described in greater detail in LPMtool's manual, Chapter 10, Creating restricted-access repositories.

lpmauthrepo is a Perl script that works together with the Apache HTTP server. lpmauthrepo requires version 2 of Apache with the ext_filter_module plugin, and a reasonably modern version of Perl with a Digest::SHA1 module.


lpmauthrepo is not meant to be used with large repositories with thousands of valid authorization keys. It works best for small to medium-sized repositories. Large repositories with thousands of keys are better served with a dedicated database that holds all the authorization keys, and a custom package repository server.

lpmauthrepo is only an example of a simple, basic implementation of a restricted package repository.

The following configuration settings must be added to Apache's httpd.conf configuration file:

ExtFilterDefine lpm-auth-timestamp cmd="/usr/share/lpmtool/lpmauthrepo -timestamp"

RewriteEngine on
RewriteMap lpm-auth-validate prg:/usr/share/lpmtool/lpmauthrepo

<Directory /var/www/html/repositories>
        AllowOverride FileInfo
</Directory>

This example runs /usr/share/lpmtool/lpmauthrepo, which is the default location of this script. A non-standard version of LPMtool may use a different installation directory, and both references to this script, in this example, must be adjusted accordingly. Also, this example assumes that restricted access repositories will be created in /var/www/html/repositories. Again, this is an adjustable location. Add additional <Directory> blocks, as necessary, if repositories are going to be scattered across multiple places.


Most Apache configurations also offer a separate configuration directory, /etc/httpd/conf.d. As an alternative, save the above example as a separate file, /etc/httpd/conf.d/lpmauthrepo.conf.


Some versions of Apache include the ext_filter_module plugin, but Apache's configuration file does not load it. This appears to be an accidental oversight in Fedora Linux. In this case, the following configuration setting must also be added, and it needs to appear before the ExtFilterDefine line:

LoadModule ext_filter_module modules/

The /etc/lpmauthrepo configuration file

lpmauthrepo can handle multiple package repositories. All package repositories may use either the same set of authorization keys, or a separate set of authorization keys may exist for each individual repository.

Each individual package repository is associated with a single realm. A realm is just a list of valid authorization keys. A package repository can have only one defined realm. All individual package repositories may use the same realm, or each repository may have its own, separate realm. The same authorization key can be individually added to more than one realm, though.

lpmauthrepo reads the /etc/lpmauthrepo configuration file. This is the default location of this configuration file. A custom version of LPMtool may use a different location. lpmauthrepo is a simple Perl script, and the configuration file's name is set at the beginning of the script, where it is easy to find.

This configuration file contains one or more of the following lines:

auth realm filename

realm is the name of an authorization realm, and filename is the file that lists all valid authorization keys for this realm. Example:

auth default /etc/lpmauthrepo.default

Each filename is a simple text file, with each line containing a single authorization key. Example:


lpmauthrepo gets started, automatically, by Apache. lpmauthrepo reads all authorization keys at startup. Periodically, lpmauthrepo checks whether any configuration file's timestamp has changed. If so, lpmauthrepo rereads the configuration file, and updates its list of valid authorization keys accordingly. It can take up to two minutes for any changes to take effect.


The configuration files should not be edited in place. The new version of a configuration file should be saved separately, then renamed in place of the existing file. If the configuration file is rewritten from the beginning at the same time lpmauthrepo happens to check for updates, it's possible that lpmauthrepo may lose all authorization keys for up to two minutes.
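
The save-then-rename update described above, as an added example that is not part of lpmauthrepo or LPMtool. install_keyfile and the .keys. temporary-file prefix are hypothetical names; /etc/lpmauthrepo.default in the usage comment is the key file from the example earlier on this page.

```shell
#!/bin/sh
# Added example: replace a realm's key file by rename, never by editing in place.
# install_keyfile is a hypothetical helper name, not an LPMtool command.
# Usage: install_keyfile NEW_FILE TARGET   (e.g. TARGET=/etc/lpmauthrepo.default)
install_keyfile() {
    new=$1
    target=$2

    # Refuse an empty replacement: installing it would drop every key in the realm.
    if [ ! -s "$new" ]; then
        echo "install_keyfile: $new is missing or empty" >&2
        return 1
    fi

    # The temporary file must live in the target's directory: a rename is only
    # atomic within one filesystem; across filesystems mv copies and deletes.
    dir=$(dirname -- "$target")
    tmp=$(mktemp "$dir/.keys.XXXXXX") || return 1

    # Carry over the existing file's mode (and owner, when run as root), then
    # write the new contents. A brand-new target keeps mktemp's 0600 mode.
    if [ -e "$target" ]; then
        cp -p -- "$target" "$tmp" || { rm -f -- "$tmp"; return 1; }
    fi
    cat -- "$new" > "$tmp" || { rm -f -- "$tmp"; return 1; }

    # Atomic switch: a reader sees the complete old file or the complete new one.
    mv -f -- "$tmp" "$target" || { rm -f -- "$tmp"; return 1; }
}
```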

Once lpmauthrepo is set up, use the setauthrepo(8) command to assign authorization realms to individual repositories.


This is a basic, but working, example of a simple restricted access repository, cobbled together with Perl and some Apache configuration hacking. Use it as an inspiration for bigger and better things.