USAGE

This is a basic implementation of a restricted access lpm package repository. Restricted package repositories are LPMtool package repositories that require a valid authorization key, issued by the repository's maintainer. An authorization key is required to download packages from the repository. Restricted repositories are described in greater detail in LPMtool's manual, Chapter 10, Creating restricted-access repositories.

lpmauthrepo is a Perl script that works together with the Apache HTTP server. lpmauthrepo requires version 2 of Apache with the ext_filter_module plugin, and a reasonably modern version of Perl with a Digest::SHA1 module.

The following configuration settings must be added to Apache's httpd.conf configuration file:

ExtFilterDefine lpm-auth-timestamp cmd="/usr/share/lpmtool/lpmauthrepo -timestamp"

RewriteEngine on
RewriteMap lpm-auth-validate prg:/usr/share/lpmtool/lpmauthrepo

<Directory /var/www/html/repositories>
        AllowOverride FileInfo
</Directory>

This example runs /usr/share/lpmtool/lpmauthrepo, which is the default location of this script. A non-standard version of LPMtool may use a different installation directory, and both references to this script, in this example, must be adjusted accordingly. Also, this example assumes that restricted access repositories will be created in /var/www/html/repositories. Again, this is an adjustable location. Add additional <Directory> blocks, as necessary, if repositories are going to be scattered across multiple places.

LoadModule ext_filter_module modules/mod_ext_filter.so

The /etc/lpmauthrepo configuration file

lpmauthrepo can handle multiple package repositories. All package repositories may use either the same set of authorization keys, or a separate set of authorization keys may exist for each individual repository.

Each individual package repository is associated with a single “realm”. A realm just a list of valid authorization keys. A package repository can have only one defined “realm”. All individual package repositories may use the same realm, or each repository may have its own, separate realm. The same authorization key can be individually added to more than one realm, though.

lpmauthrepo reads the /etc/lpmauthrepo configuration file. This is the default location of this configuration file. A custom version of LPMtool may use a different location. lpmauthrepo is a simple Perl script, and the configuration file's name is set at the beginning of the script, readily available just for asking.

This configuration file contains one or more of the following lines:

auth realm filename

“realm” is the name of an authorization realm, and filename is the file that lists all valid authorization keys for this reaslm. Example:

auth default /etc/lpmauthrepo.default

Each filename is a simple text file, with each line containing a single authorization key. Example:

user100:kjafhJHGSgnbxc8e8er9wq03147ks
user101:mHJSjHkHSD87887hifdJDS87hjfdk

lpmauthrepo gets started, automatically, by Apache. lpmauthrepo reads all authorization keys at startup. Periodically, lpmauthrepo checks whether any configuration file's timestamp has changed. If so, lpmauthrepo rereads the configuration file, and updates its list of valid authorization keys accordingly. It can take up to two minutes for any changes to take effect.

Once lpmauthrepo is set up, use the setauthrepo(8) command to assign authorization realms to individual repositories.

BUGS

This is a basic, but a working example of a simple restricted access repository, cobbled together with Perl, and some Apache configuration hacking. Use it as an inspiration for bigger, and better things.

SEE ALSO

setauthrepo(8).