Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
reassign 619408 libapache2-mod-auth-plain
thanks

> Fixed your grep up and did this instead:
> # for pid in `pgrep apache2`; do for so in `cat /proc/$pid/maps | fgrep .so | awk '{ print $6 }' | sort -u`; do strings $so | grep -qi 'unknown require directive:' && echo $so; done; done
>
> Which turned up this:
> /usr/lib/apache2/modules/mod_auth_plain.so
>
> This is in this package:
> # dpkg -S /usr/lib/apache2/modules/mod_auth_plain.so
> libapache2-mod-auth-plain: /usr/lib/apache2/modules/mod_auth_plain.so

The bug is in libapache2-mod-auth-plain, reassigning.

From the source, it looks like a possible workaround may be to use

    AuthPlainAuthoritative off

in the directory where you want to use ldap.

As for the module, it still uses the 2.0.x hooks which I am not very familiar with. Maybe adding

    if (!conf->auth_pwfile) {
        return DECLINED;
    }

near the beginning of plain_check_user_access() does the trick. But this should be tested for unintended side effects.

In principle, I would recommend updating the module to use the 2.2.x authn provider interface. OTOH, for wheezy, I hope that we will have Apache httpd 2.4.x which will change the interface again.

--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201103272346.27426...@sfritsch.de
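Why the load order, AuthPlainAuthoritative and the DECLINED guard all change the outcome, as an added example (not mod_auth_plain's source and not code from the thread): a simplified C model of a checker chain in which the first module that does not return DECLINED decides. `plain_check_user_access`, `auth_pwfile`, `DECLINED` and `AuthPlainAuthoritative` are names from the thread; the `request` struct, `ldap_check_user_access`, `run_chain`, `decide` and the checker bodies are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
enum { OK = 0, DECLINED = -1, HTTP_UNAUTHORIZED = 401 };
/* Simplified stand-ins (assumptions), not httpd's real request/config types. */
typedef struct {
    const char *user;         /* already-authenticated user name */
    const char *require;      /* one Require line, e.g. "ldap-user bpktest" */
    const char *auth_pwfile;  /* NULL: no plain password file configured here */
    int plain_authoritative;  /* models AuthPlainAuthoritative on/off */
    int guard;                /* 1: apply the early return suggested in the thread */
} request;
typedef int (*checker)(const request *);

/* Assumed old-style checker: an unknown Require keyword is a hard failure. */
static int plain_check_user_access(const request *r) {
    if (r->guard && !r->auth_pwfile) return DECLINED;
    if (strncmp(r->require, "user ", 5) == 0)
        return strcmp(r->require + 5, r->user) == 0 ? OK : HTTP_UNAUTHORIZED;
    if (!r->plain_authoritative) return DECLINED;
    fprintf(stderr, "unknown require directive:%s\n", r->require);
    return HTTP_UNAUTHORIZED;
}

/* Stand-in for the LDAP checker: only claims "ldap-user <name>" lines. */
static int ldap_check_user_access(const request *r) {
    if (strncmp(r->require, "ldap-user ", 10) != 0) return DECLINED;
    return strcmp(r->require + 10, r->user) == 0 ? OK : HTTP_UNAUTHORIZED;
}

/* The first checker that does not return DECLINED decides the request. */
static int run_chain(const checker *chain, size_t n, const request *r) {
    for (size_t i = 0; i < n; i++) {
        int rv = chain[i](r);
        if (rv != DECLINED) return rv;
    }
    return HTTP_UNAUTHORIZED;  /* nobody claimed the directive: deny */
}

/* Outcome of "Require ldap-user bpktest" for user bpktest under one setup. */
int decide(int ldap_first, int authoritative, int guard) {
    request r = { "bpktest", "ldap-user bpktest", NULL, authoritative, guard };
    checker c[2][2] = { { plain_check_user_access, ldap_check_user_access },
                        { ldap_check_user_access, plain_check_user_access } };
    return run_chain(c[ldap_first], 2, &r);
}
int main(void) {
    printf("%d %d %d %d\n", decide(0, 1, 0), decide(1, 1, 0), decide(0, 0, 0), decide(0, 1, 1));
    return 0;
}
```

The program prints `401 0 0 0`: only the setup with the plain checker first, authoritative and unguarded denies the LDAP user.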
Processed: Re: Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Processing commands for cont...@bugs.debian.org:

> reassign 619408 libapache2-mod-auth-plain
Bug #619408 [apache2.2-common] apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Bug reassigned from package 'apache2.2-common' to 'libapache2-mod-auth-plain'.
Bug No longer marked as found in versions apache2/2.2.16-6.
> thanks
Stopping processing here.

Please contact me if you need assistance.
--
619408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Package: apache2.2-common
Version: 2.2.16-6
Severity: normal

In the default configuration mod_authnz_ldap.load is symlinked from mods-available to mods-enabled but that orders it (lexicographically) after the symlink to load mod_authnz_default. This causes a number of ldap specific arguments to the Require definition to be unrecognized and logged as follows:

[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:ldap-user bpktest bpkroth
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:ldap-group cn=bpk-test,ou=Group,o=ORG
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:ldap-attribute myacl=unix
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: user bpktest not allowed access

The relevant tidbits from my .htaccess file are as follows:

    # Allow authenticated access
    AuthType Basic
    AuthName "Restricted Access"
    AuthBasicProvider ldap
    AuthzLDAPAuthoritative on
    AuthLDAPURL "ldap://ldapauth.mydomain.com:389/ou=People,o=ORG?uid" STARTTLS
    AuthLDAPRemoteUserIsDN Off
    AuthLDAPGroupAttribute memberUid
    AuthLDAPGroupAttributeIsDN off
    Require ldap-user bpktest bpkroth
    Require ldap-group cn=bpk-test,ou=Group,o=ORG
    Require ldap-attribute myacl=unix

Adding another symlink to mod_authnz_ldap.load in mods-enabled as 01-mod_authnz_ldap.load corrects this behavior, albeit with a warning message on startup (probably avoidable with an if statement around the load).

Let me know if you need anything else.

Thanks,
Brian

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  01-authnz_ldap alias auth_basic auth_kerb auth_pam auth_plain
  auth_sys_group authn_file authnz_ldap authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env include info ldap
  mime mod-security negotiation php5 reqtimeout rewrite rpaf setenvif
  ssl status unique_id vhost_alias wsgi

List of enabled php5 extensions:
  adodb apc curl ffmpeg gd geoip gmp idn imagick interbase lasso ldap
  mcrypt memcache ming mssql mysql mysqli odbc pam_auth pdo pdo_dblib
  pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql ps pspell radius recode
  redland sasl snmp sqlite sqlite3 ssh2 suhosin tidy uuid xmlrpc xsl

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils   2.2.16-6          utility programs for webservers
ii  apache2.2-bin   2.2.16-6          Apache HTTP Server common binary f
ii  libmagic1       5.04-5            File type determination library us
ii  lsb-base        3.2-23.2squeeze1  Linux Standard Base 3.2 init scrip
ii  mime-support    3.48-1            MIME files 'mime.types' 'mailcap
ii  perl            5.10.1-17         Larry Wall's Practical Extraction
ii  procps          1:3.2.8-9         /proc file system utilities

Versions of packages apache2.2-common recommends:
pn  ssl-cert        none              (no description available)

Versions of packages apache2.2-common suggests:
pn  apache2-doc                  none          (no description available)
pn  apache2-suexec | apache2-su  none          (no description available)
ii  lynx-cur [www-browser]       2.8.8dev.5-1  Text-mode WWW Browser with NLS sup

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event    none      (no description available)
pn  apache2-mpm-itk      none      (no description available)
ii  apache2-mpm-prefork  2.2.16-6  Apache HTTP Server - traditional n
pn  apache2-mpm-worker   none      (no description available)

-- Configuration Files:
/etc/apache2/mods-available/authnz_ldap.load changed:
# NOTE: This must be loaded before mod_authnz_default to avoid messages like this:
# unknown require directive:ldap-attribute myacl=unix
# 2011-03-23
# bpkroth
# Depends: ldap
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

-- no debconf information
Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
On Wed, 23 Mar 2011, Brian P Kroth wrote:
> In the default configuration mod_authnz_ldap.load is symlinked from mods-available to mods-enabled but that orders it (lexicographically) after the symlink to load mod_authnz_default. This causes a number of ldap specific arguments to the Require definition to be unrecognized and logged as follows:
>
> [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:ldap-user bpktest bpkroth

This message is not produced by apache2's core or any of the default modules. Therefore I expect that the bug is in a third party module. To find out which module may be the culprit, enter as root:

    grep require: $(cat /proc/XXX/maps |fgrep .so|awk '{print $6}'|sort -u)

Replace XXX with the pid of a running apache process.
Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Stefan Fritsch s...@sfritsch.de 2011-03-23 23:01:
> On Wed, 23 Mar 2011, Brian P Kroth wrote:
>> In the default configuration mod_authnz_ldap.load is symlinked from mods-available to mods-enabled but that orders it (lexicographically) after the symlink to load mod_authnz_default. This causes a number of ldap specific arguments to the Require definition to be unrecognized and logged as follows:
>>
>> [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:ldap-user bpktest bpkroth
>
> This message is not produced by apache2's core or any of the default modules. Therefore I expect that the bug is in a third party module. To find out which module may be the culprit, enter as root:
>
> grep require: $(cat /proc/XXX/maps |fgrep .so|awk '{print $6}'|sort -u)
>
> Replace XXX with the pid of a running apache process.

Fixed your grep up and did this instead:
# for pid in `pgrep apache2`; do for so in `cat /proc/$pid/maps | fgrep .so | awk '{ print $6 }' | sort -u`; do strings $so | grep -qi 'unknown require directive:' && echo $so; done; done

Which turned up this:
/usr/lib/apache2/modules/mod_auth_plain.so

This is in this package:
# dpkg -S /usr/lib/apache2/modules/mod_auth_plain.so
libapache2-mod-auth-plain: /usr/lib/apache2/modules/mod_auth_plain.so

Anything else?

Thanks,
Brian