mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott
The mod_fcgid page says to ask on dev; I assume that this is the right 
place to ask.


I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access based 
on my rules.

The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can 
change the filename and see the error message from the sources.

But I'm at a loss as to the required to get this configuration to 
actually call my code.

mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

 httpd.conf 
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000

  
  Order allow,deny
  Allow from all
  AuthType Digest
  AuthName "Manager System"
  Require valid-user
  AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
  AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

  FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer


  

  
#+ HTTP auth file
  Order allow,deny
  Allow from all
  AuthType Digest
  AuthName "Manager System"
  Require valid-user
  AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
  AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
  #- HTTP auth file
  #FCGID

  

---

Barry






Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:

> The mod_fcgid page says to ask on dev I assume that this is the right place
> to ask.
>
> I'm using mod_fcgid from svn with HTTPD 2.2.
>
> I want to use a fast CGI authorizer to allow me to control access based on
> my rules.
> The authorizer needs to be a long running process - never exits.
>
> I know that the fcgid code is noticing the directive because I can change
> the filename
> and see the error message from the sources.
>
> But I'm at a loss as to the required to get this configuration to actually
> call my code.
> mod_fcgid is not starting up the authorizer process.
>
> I have the following fcgid specific lines in my httpd.conf file:
>
>  httpd.conf 
> ...
> LoadModule fcgid_module modules/mod_fcgid.so
> ...
>
> Listen *:9000
> 
>  
>  Order allow,deny
>  Allow from all
>  AuthType Digest
>

Did you really mean Digest authentication instead of Basic authentication?

mod_fcgid only supports Basic, AFAICT.

/* Get the user password */
if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
    return res;


Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:


The mod_fcgid page says to ask on dev I assume that this is the
right place to ask.

I'm using mod_fcgid from svn with HTTPD 2.2.

I want to use a fast CGI authorizer to allow me to control access
based on my rules.
The authorizer needs to be a long running process - never exits.

I know that the fcgid code is noticing the directive because I can
change the filename
and see the error message from the sources.

But I'm at a loss as to the required to get this configuration to
actually call my code.
mod_fcgid is not starting up the authorizer process.

I have the following fcgid specific lines in my httpd.conf file:

 httpd.conf 
...
LoadModule fcgid_module modules/mod_fcgid.so
...

Listen *:9000

 
 Order allow,deny
 Allow from all
 AuthType Digest


Did you really mean Digest authentication instead of Basic authentication?

mod_fcgid only supports Basic, AFAICT.

/* Get the user password */
if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
return res;



I don't want to be an authenticator, I want to be an authorizer.
Authorizer has no need of passwords right.

Barry




Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott wrote:

> Jeff Trawick wrote:
>
>  On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:
>>
>>The mod_fcgid page says to ask on dev I assume that this is the
>>right place to ask.
>>
>>I'm using mod_fcgid from svn with HTTPD 2.2.
>>
>>I want to use a fast CGI authorizer to allow me to control access
>>based on my rules.
>>The authorizer needs to be a long running process - never exits.
>>
>>I know that the fcgid code is noticing the directive because I can
>>change the filename
>>and see the error message from the sources.
>>
>>But I'm at a loss as to the required to get this configuration to
>>actually call my code.
>>mod_fcgid is not starting up the authorizer process.
>>
>>I have the following fcgid specific lines in my httpd.conf file:
>>
>> httpd.conf 
>>...
>>LoadModule fcgid_module modules/mod_fcgid.so
>>...
>>
>>Listen *:9000
>>
>> 
>> Order allow,deny
>> Allow from all
>> AuthType Digest
>>
>>
>> Did you really mean Digest authentication instead of Basic authentication?
>>
>> mod_fcgid only supports Basic, AFAICT.
>>
>>/* Get the user password */
>>if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>return res;
>>
>>
> I don't want to be an authenticator, I want to be an authorizer.
> Authorizer has no need of passwords right.
>

whoops :(

yes

your "require valid-user" implies that you don't need authorization; try
"require valid-group" instead


Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott wrote:


Jeff Trawick wrote:

On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:

   The mod_fcgid page says to ask on dev I assume that this is the
   right place to ask.

   I'm using mod_fcgid from svn with HTTPD 2.2.

   I want to use a fast CGI authorizer to allow me to control
access
   based on my rules.
   The authorizer needs to be a long running process - never
exits.

   I know that the fcgid code is noticing the directive
because I can
   change the filename
   and see the error message from the sources.

   But I'm at a loss as to the required to get this
configuration to
   actually call my code.
   mod_fcgid is not starting up the authorizer process.

   I have the following fcgid specific lines in my httpd.conf
file:

    httpd.conf 
   ...
   LoadModule fcgid_module modules/mod_fcgid.so
   ...

   Listen *:9000
   

Order allow,deny
Allow from all
AuthType Digest


Did you really mean Digest authentication instead of Basic
authentication?

mod_fcgid only supports Basic, AFAICT.

   /* Get the user password */
   if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
   return res;


I don't want to be an authenticator, I want to be an authorizer.
Authorizer has no need of passwords right.


whoops :(

yes

your "require valid-user" implies that you don't need authorization; 
try "require valid-group" instead


I want the user's password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
accessed is allowed according to the logic in my Authorizer code.

To that end I have the following:

   
   Order allow,deny
   Allow from all

   # Use digest auth to check the username/password pair
   AuthType Digest
   AuthName "Manager System"
   # no one gets in without a valid username/password pair
   Require valid-user

   # Use these files to find the passwd and group information
   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   # Run the Authorizer.sh to veto URL based on the username
   FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh

   

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

 Require group nosuchgroup

And that will cause the mod_authn_user (or whatever module) to try
and match nosuchgroup. When it fails my Authenticator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

   Require fcgid-authenticater-user-is-valid

Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Barry Scott

Barry Scott wrote:

Jeff Trawick wrote:
On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott wrote:


Jeff Trawick wrote:

On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:

   The mod_fcgid page says to ask on dev I assume that this 
is the

   right place to ask.

   I'm using mod_fcgid from svn with HTTPD 2.2.

   I want to use a fast CGI authorizer to allow me to control
access
   based on my rules.
   The authorizer needs to be a long running process - never
exits.

   I know that the fcgid code is noticing the directive
because I can
   change the filename
   and see the error message from the sources.

   But I'm at a loss as to the required to get this
configuration to
   actually call my code.
   mod_fcgid is not starting up the authorizer process.

   I have the following fcgid specific lines in my httpd.conf
file:

    httpd.conf 
   ...
   LoadModule fcgid_module modules/mod_fcgid.so
   ...

   Listen *:9000
   

Order allow,deny
Allow from all
AuthType Digest


Did you really mean Digest authentication instead of Basic
authentication?

mod_fcgid only supports Basic, AFAICT.

   /* Get the user password */
   if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
   return res;


I don't want to be an authenticator, I want to be an authorizer.
Authorizer has no need of passwords right.


whoops :(

yes

your "require valid-user" implies that you don't need authorization; 
try "require valid-group" instead


I want the user's password checked and to only proceed if it is valid.
I also want to run the fcgi Authorizer to check that the URL being
accessed is allowed according to the logic in my Authorizer code.

To that end I have the following:

   
   Order allow,deny
   Allow from all

   # Use digest auth to check the username/password pair
   AuthType Digest
   AuthName "Manager System"
   # no one gets in without a valid username/password pair
   Require valid-user

   # Use these files to find the passwd and group information
   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   # Run the Authorizer.sh to veto URL based on the username
   FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh


   

What triggers HTTPD to call the Authorizer.sh code?
Surely not the commands that control authentication checks?

I cannot find Require valid-group defined in the 2.2 docs.

Do you mean I need to add:

 Require group nosuchgroup


This does not work...


And that will cause the mod_authn_user (or whatever module) to try
and match nosuchgroup. When it fails my Authenticator will be run
to see if it can handle that directive?

Isn't this module crying out for a directive like:

   Require fcgid-authenticater-user-is-valid

Barry




Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-29 Thread Jeff Trawick
On Tue, Sep 29, 2009 at 12:51 PM, Barry Scott wrote:

> Barry Scott wrote:
>
>> Jeff Trawick wrote:
>>
>>> On Tue, Sep 29, 2009 at 11:26 AM, Barry Scott wrote:
>>>
>>>Jeff Trawick wrote:
>>>
>>>On Tue, Sep 29, 2009 at 8:18 AM, Barry Scott wrote:
>>>
>>>   The mod_fcgid page says to ask on dev I assume that this is the
>>>   right place to ask.
>>>
>>>   I'm using mod_fcgid from svn with HTTPD 2.2.
>>>
>>>   I want to use a fast CGI authorizer to allow me to control
>>>access
>>>   based on my rules.
>>>   The authorizer needs to be a long running process - never
>>>exits.
>>>
>>>   I know that the fcgid code is noticing the directive
>>>because I can
>>>   change the filename
>>>   and see the error message from the sources.
>>>
>>>   But I'm at a loss as to the required to get this
>>>configuration to
>>>   actually call my code.
>>>   mod_fcgid is not starting up the authorizer process.
>>>
>>>   I have the following fcgid specific lines in my httpd.conf
>>>file:
>>>
>>>    httpd.conf 
>>>   ...
>>>   LoadModule fcgid_module modules/mod_fcgid.so
>>>   ...
>>>
>>>   Listen *:9000
>>>   
>>>
>>>Order allow,deny
>>>Allow from all
>>>AuthType Digest
>>>
>>>
>>>Did you really mean Digest authentication instead of Basic
>>>authentication?
>>>
>>>mod_fcgid only supports Basic, AFAICT.
>>>
>>>   /* Get the user password */
>>>   if ((res = ap_get_basic_auth_pw(r, &password)) != OK)
>>>   return res;
>>>
>>>
>>>I don't want to be an authenticator, I want to be an authorizer.
>>>Authorizer has no need of passwords right.
>>>
>>>
>>> whoops :(
>>>
>>> yes
>>>
>>> your "require valid-user" implies that you don't need authorization; try
>>> "require valid-group" instead
>>>
>>
>> I want the user's password checked and to only proceed if it is valid.
>> I also want to run the fcgi Authorizer to check that the URL being
>> accessed is allowed according to the logic in my Authorizer code.
>>
>
"require valid-user" means that all it takes to access this resource is a
properly authenticated user.

If mod_authz_user sees "valid-user" during the authorization stage, it
returns OK and mod_fcgid's authorization hook is not called.  You want to
take it further and also run the authorizer, since a properly authenticated
user is not good enough.  So "require valid-user" or "require user xxx" or
other checks that can be made since the user is already known can't be used.

"require valid-group" is a hack to bypass checks that the AAA modules know
how to make (require user foo, require group bar, require ldap-group ...,
etc.).  There's no provision to allow a FastCGI authorizer app to implement
a particular authorization require-ment. "require group foo" can also get
you to your authorizer (subject to what the group file module would do).  I
haven't checked if that required group name is available to your authorizer.




>
>> To that end I have the following:
>>
>>   
>>   Order allow,deny
>>   Allow from all
>>
>>   # Use digest auth to check the username/password pair
>>   AuthType Digest
>>   AuthName "Manager System"
>>   # no one gets in without a valid username/password pair
>>   Require valid-user
>>
>
mod_authz_user always returns OK from authorization hook with this require


>
>>   # Use these files to find the passwd and group information
>>   AuthGroupFile /home/bscott/Work/httpd-fcgid-test/auth/http.group
>>
>
not needed and maybe harmful depending on your require directive



>   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd
>>
>>   # Run the Authorizer.sh to veto URL based on the username
>>   FastCgiAuthorizer
>> /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh
>>
>>   
>>
>> What triggers HTTPD to call the Authorizer.sh code?
>> Surely not the commands that control authentication checks?
>>
>
yes, the require directive; furthermore, if authorization hooks called
before mod_fcgid's think they have answered the question authoritatively,
mod_fcgid won't be called


>
>> I cannot find Require valid-group defined in the 2.2 docs.
>>
>> Do you mean I need to add:
>>
>> Require group nosuchgroup
>>
>
> This does not work...


because mod_authz_groupfile sees your AuthGroupFile and tries to answer
based on its contents (as well as whether or not that check is authoritative
(see
http://httpd.apache.org/docs/2.2/mod/mod_authz_groupfile.html#authzgroupfileauthoritative))?


>
>
>> And that will cause the mod_authn_user (or what 

Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Barry Scott

At this point let me ask this:

Is it possible with the current code to ever have the fcgid Authorizer 
called?

If it is not possible I'm willing to try and code the missing pieces, 
with a little help being pointed in the right direction.

Barry



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Jeff Trawick
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott wrote:

> At this point let me ask this:
>
> Is it possible with the current code to ever have the fcgid Authorizer
> called?
>

yes

This works for me, though it uses the unfortunate valid-group hack with
httpd 2.2 so that no authorizers running before fcgid think they should
evaluate:


  = 2.2>
  AuthBasicAuthoritative Off
# AuthBasicProvider foo
  

  # work around problem with AAA in mod_fcgid (it can't track more than
  # one AAA script per URL, and even then the URL can't be handled by a
  # FastCGI app)
  #
  # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
  # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
  # FastCgiAuthorizer %%MYHG%%/apache/fastcgi/apps/authorize.pl

  FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
  FastCgiAuthorizer %%MYHG%%/apache/fcgid/apps/aaa.pl

  FastCgiAccessCheckerAuthoritative On
  FastCgiAuthenticatorAuthoritative On
  FastCgiAuthorizerAuthoritative On

  AuthType Basic
  AuthName "foo"

  

  
Require group foo
  

  = 2.2>
Require valid-group
  

Order allow,deny
Allow from all
  

  = 2.3>
Require group foo
  





>
> If it is not possible I'm willing to try and code the missing pieces, with
> a little
> help being pointed in the right direction.
>

I hope some "require" experts could jump in ;)

A good solution might be to associate a script with a particular
require-ment so that mod_fcgid can check the Require for any require-ments
implemented by a FastCGI script.

[too] simple example:

FCGIDRequire mydb-user /path/to/my/authorizer.sh


  Require mydb-user
  SetEnv whatever-needed-by-authorizer.sh



Re: mod_fcgid - cannot get authorizer process to be started

2009-09-30 Thread Jeff Trawick
On Wed, Sep 30, 2009 at 12:11 PM, Jeff Trawick wrote:

> On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott wrote:
>
>> At this point let me ask this:
>>
>> Is it possible with the current code to ever have the fcgid Authorizer
>> called?
>>
>
> yes
>
> This works for me, though it uses the unfortunate valid-group hack with
> httpd 2.2 so that no authorizers running before fcgid think they should
> evaluate:
>
> 
>   = 2.2>
>   AuthBasicAuthoritative Off
> # AuthBasicProvider foo
>   
>
>   # work around problem with AAA in mod_fcgid (it can't track more than
>   # one AAA script per URL, and even then the URL can't be handled by a
>   # FastCGI app)
>   #
>   # FastCgiAccessChecker %%MYHG%%/apache/fastcgi/apps/access_check.pl
>   # FastCgiAuthenticator %%MYHG%%/apache/fastcgi/apps/authenticate.pl
>   # FastCgiAuthorizer %%MYHG%%/apache/fastcgi/apps/authorize.pl
>
>   FastCgiAccessChecker %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthenticator %%MYHG%%/apache/fcgid/apps/aaa.pl
>   FastCgiAuthorizer %%MYHG%%/apache/fcgid/apps/aaa.pl
>
>   FastCgiAccessCheckerAuthoritative On
>   FastCgiAuthenticatorAuthoritative On
>   FastCgiAuthorizerAuthoritative On
>
>   AuthType Basic
>   AuthName "foo"
>
>   
>
>   
> Require group foo
>   
>
>   = 2.2>
> Require valid-group
>   
>
> Order allow,deny
> Allow from all
>   
>
>   = 2.3>
> Require group foo
>   
>
> 
>
>
>
>>
>> If it is not possible I'm willing to try and code the missing pieces, with
>> a little
>> help being pointed in the right direction.
>>
>
> I hope some "require" experts could jump in ;)
>
> A good solution might be to associate a script with a particular
> require-ment so that mod_fcgid can check the Require for any require-ments
> implemented by a FastCGI script.
>
> [too] simple example:
>
> FCGIDRequire mydb-user /path/to/my/authorizer.sh
>
> 
>   Require mydb-user
>   SetEnv whatever-needed-by-authorizer.sh
> 
>
>
BTW, authentication is another area where mod_fcgid could better fit in with
httpd (in this case, 2.2+).  Bundled authn modules implement a "provider,"
and the admin can specify which provider(s) handles authn.  That's better
than just calling all the authn hooks in a somewhat mysterious order and
having them look at other config to decide if they should try to
authenticate.  It would be nice to configure a FastCGI authenticator as a
provider, and then specify that the provider should be used within a
particular container.


Re: mod_fcgid - cannot get authorizer process to be started

2009-10-01 Thread Barry Scott

Jeff Trawick wrote:
On Wed, Sep 30, 2009 at 11:37 AM, Barry Scott wrote:


At this point let me ask this:

Is it possible with the current code to ever have the fcgid
Authorizer called?


yes


thanks for the confirmation and the example.

I now have my Authorizer code and have the authentication happening.

Listen *:9000

   
   Order allow,deny
   Allow from all
   AuthType Digest
   AuthName "Manager System"
   AuthUserFile /home/bscott/Work/httpd-fcgid-test/auth/http.passwd

   Require onelan magic
   FastCgiAuthorizer /home/bscott/wc/svn/NTB-Next/onelan/DSM/Sources/WebUserInterface/bin/Authorizer.sh

   



What I have learned about the code is this:

* If any Require directive is present a 401 is returned if no credentials are sent
* If any Require directive is present and credentials are present they are checked and the username is set in r.
* If any Require directive is present and it's not processed by any other authorizer the FastCgiAuthorizer is run


It would be nice to reserve a Require entity name for use by fast CGI.
The code as written today does not care if a Require entity name is 
processed by any module.
Use of valid-group that sounds official but is simply a Require entity 
name that no module supports.


Barry
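
The hook behaviour this thread arrives at, as an added example (not written by the thread's participants and not httpd or mod_fcgid source): a simplified Python model of the httpd 2.2 authorization chain, in which the first hook that does not decline decides the request. The hook order, the 401 status used for a denial, the configuration keys and the sample policy are assumptions built from the descriptions above.

```python
# Simplified model of the httpd 2.2 authorization hook chain discussed in
# this thread. Illustration only: not httpd or mod_fcgid source code.
OK, DECLINED, HTTP_UNAUTHORIZED = "OK", "DECLINED", 401


def authz_user(req, conf):
    """mod_authz_user as described above: 'valid-user' answers OK at once."""
    saw_user = False
    for line in conf["require"]:
        kind, *names = line.split()
        if kind == "valid-user":
            return OK
        if kind == "user":
            saw_user = True
            if req["user"] in names:
                return OK
    if not saw_user:
        return DECLINED  # e.g. 'valid-group': not a requirement it knows
    return HTTP_UNAUTHORIZED if conf.get("user_authoritative", True) else DECLINED


def authz_groupfile(req, conf):
    """mod_authz_groupfile: only takes part when an AuthGroupFile is set."""
    groups = conf.get("group_file")  # None models "no AuthGroupFile"
    if groups is None:
        return DECLINED
    saw_group = False
    for line in conf["require"]:
        kind, *names = line.split()
        if kind == "group":
            saw_group = True
            if any(req["user"] in groups.get(g, ()) for g in names):
                return OK
    if not saw_group:
        return DECLINED
    return HTTP_UNAUTHORIZED if conf.get("group_authoritative", True) else DECLINED


def fcgid_authorizer(req, conf):
    """FastCgiAuthorizer: reached only if every earlier hook declined."""
    script = conf.get("fastcgi_authorizer")
    if script is None:
        return DECLINED
    return OK if script(req) else HTTP_UNAUTHORIZED  # assumed authoritative


# Assumed order: bundled authz modules run before mod_fcgid, as the thread says.
HOOKS = (authz_user, authz_groupfile, fcgid_authorizer)


def check_authorization(user, uri, conf):
    """Return (status, name of the hook that decided)."""
    req = {"user": user, "uri": uri}
    for hook in HOOKS:
        status = hook(req, conf)
        if status != DECLINED:
            return status, hook.__name__
    return DECLINED, None  # nobody handled the Require lines


def sample_policy(req):
    """Constructed authorizer logic: only alice may reach /admin."""
    return not req["uri"].startswith("/admin") or req["user"] == "alice"


# Constructed configurations mirroring the three attempts in the thread.
VALID_USER = {"require": ["valid-user"], "fastcgi_authorizer": sample_policy}
NOSUCHGROUP = {"require": ["group nosuchgroup"], "group_file": {"staff": ["bob"]},
               "fastcgi_authorizer": sample_policy}
VALID_GROUP = {"require": ["valid-group"], "fastcgi_authorizer": sample_policy}
```

With `VALID_USER`, bob reaches `/admin` because `authz_user` answers first and the authorizer's veto is never consulted; with `VALID_GROUP` the same request is decided by `fcgid_authorizer`.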