Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

2011-03-27 Thread Stefan Fritsch
reassign 619408 libapache2-mod-auth-plain
thanks


> Fixed your grep up and did this instead:
>
> # for pid in `pgrep apache2`; do for so in `cat /proc/$pid/maps | fgrep .so | awk '{ print $6 }' | sort -u`; do strings $so | grep -qi 'unknown require directive:' && echo $so; done; done
>
> Which turned up this:
> /usr/lib/apache2/modules/mod_auth_plain.so
>
> This is in this package:
> # dpkg -S /usr/lib/apache2/modules/mod_auth_plain.so
> libapache2-mod-auth-plain: /usr/lib/apache2/modules/mod_auth_plain.so

The bug is in libapache2-mod-auth-plain, reassigning.

From the source, it looks like a possible workaround may be to use 
AuthPlainAuthoritative off in the directory where you want to use 
ldap.

As for the module, it still uses the 2.0.x hooks which I am not very 
familiar with. Maybe adding

    if (!conf->auth_pwfile) {
        return DECLINED;
    }

near the beginning of plain_check_user_access() does the trick. But 
this should be tested for unintended side effects.

In principle, I would recommend updating the module to use the 2.2.x 
authn provider interface. OTOH, for wheezy, I hope that we will have 
Apache httpd 2.4.x which will change the interface again.



--
To UNSUBSCRIBE, email to debian-apache-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/201103272346.27426...@sfritsch.de
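Why the early return suggested in the message above would matter, as an added toy model of a run-first checker chain (not code from mod_auth_plain or httpd). Only the names plain_check_user_access(), auth_pwfile and DECLINED come from the thread; the structs, the LDAP stand-in, the 401 result for an unknown Require and the request data are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#define OK 0
#define DECLINED (-1)
#define HTTP_UNAUTHORIZED 401

/* Hypothetical stand-ins; not mod_auth_plain's real structures. */
typedef struct { const char *auth_pwfile; int patched; } plain_conf;
typedef struct { const char *require; const char *user; } request;

/* True if w is a whole space-separated word in list. */
static int has_word(const char *list, const char *w) {
    size_t n = strlen(w);
    for (const char *p = list; (p = strstr(p, w)) != NULL; p += n)
        if ((p == list || p[-1] == ' ') && (p[n] == ' ' || p[n] == '\0'))
            return 1;
    return 0;
}

/* Models plain_check_user_access(): understands only "valid-user". */
static int plain_check(const plain_conf *conf, const request *r) {
    if (conf->patched && !conf->auth_pwfile)
        return DECLINED;              /* proposed early return */
    if (strcmp(r->require, "valid-user") == 0)
        return OK;
    return HTTP_UNAUTHORIZED;         /* "unknown require directive" */
}

/* Models an LDAP checker that handles only "ldap-user". */
static int ldap_check(const request *r) {
    if (strncmp(r->require, "ldap-user ", 10) != 0)
        return DECLINED;
    return has_word(r->require + 10, r->user) ? OK : HTTP_UNAUTHORIZED;
}

/* The first checker that does not return DECLINED decides the request. */
static int run_checkers(const plain_conf *c, const request *r, int plain_first) {
    int rv = plain_first ? plain_check(c, r) : ldap_check(r);
    if (rv != DECLINED) return rv;
    return plain_first ? ldap_check(r) : plain_check(c, r);
}

int main(void) {
    request r = { "ldap-user bpktest bpkroth", "bpktest" };   /* constructed */
    plain_conf unpatched = { NULL, 0 }, patched = { NULL, 1 };
    printf("plain first, unpatched: %d\n", run_checkers(&unpatched, &r, 1));
    printf("plain first, patched:   %d\n", run_checkers(&patched, &r, 1));
    printf("ldap first, unpatched:  %d\n", run_checkers(&unpatched, &r, 0));
    return 0;
}
```

In this model the unpatched checker rejects a user who is listed in the ldap-user line whenever it runs first, which is the order dependence described in the report.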



Processed: Re: Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

2011-03-27 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> reassign 619408 libapache2-mod-auth-plain
Bug #619408 [apache2.2-common] apache2.2-common: mod_authnz_ldap require 
directives unrecognized if loaded after mod_authnz_default
Bug reassigned from package 'apache2.2-common' to 'libapache2-mod-auth-plain'.
Bug No longer marked as found in versions apache2/2.2.16-6.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
619408: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=619408
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems





Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

2011-03-23 Thread Brian P Kroth
Package: apache2.2-common
Version: 2.2.16-6
Severity: normal


In the default configuration mod_authnz_ldap.load is symlinked from
mods-available to mods-enabled but that orders it (lexicographically)
after the symlink to load mod_authnz_default.  This causes a number of
ldap specific arguments to the Require definition to be unrecognized and
logged as follows:

[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, 
reason: unknown require directive:ldap-user bpktest bpkroth
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, 
reason: unknown require directive:ldap-group cn=bpk-test,ou=Group,o=ORG
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, 
reason: unknown require directive:ldap-attribute myacl=unix
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, 
reason: user bpktest not allowed access

The relevant tidbits from my .htaccess file are as follows:

# Allow authenticated access
AuthType Basic
AuthName "Restricted Access"

AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldapauth.mydomain.com:389/ou=People,o=ORG?uid; STARTTLS

AuthLDAPRemoteUserIsDN Off
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

Require ldap-user bpktest bpkroth
Require ldap-group cn=bpk-test,ou=Group,o=ORG
Require ldap-attribute myacl=unix



Adding another symlink to mod_authnz_ldap.load in mods-enabled as
01-mod_authnz_ldap.load corrects this behavior, albeit with a warning
message on startup (probably avoidable with an if statement around the
load).

Let me know if you need anything else.

Thanks,
Brian

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  01-authnz_ldap alias auth_basic auth_kerb auth_pam auth_plain
  auth_sys_group authn_file authnz_ldap authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env include info
  ldap mime mod-security negotiation php5 reqtimeout rewrite rpaf
  setenvif ssl status unique_id vhost_alias wsgi
List of enabled php5 extensions:
  adodb apc curl ffmpeg gd geoip gmp idn imagick interbase lasso ldap
  mcrypt memcache ming mssql mysql mysqli odbc pam_auth pdo pdo_dblib
  pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql ps pspell radius
  recode redland sasl snmp sqlite sqlite3 ssh2 suhosin tidy uuid
  xmlrpc xsl

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils   2.2.16-6         utility programs for webservers
ii  apache2.2-bin   2.2.16-6         Apache HTTP Server common binary f
ii  libmagic1       5.04-5           File type determination library us
ii  lsb-base        3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  mime-support    3.48-1           MIME files 'mime.types' & 'mailcap
ii  perl            5.10.1-17        Larry Wall's Practical Extraction 
ii  procps          1:3.2.8-9        /proc file system utilities

Versions of packages apache2.2-common recommends:
pn  ssl-cert                    <none>       (no description available)

Versions of packages apache2.2-common suggests:
pn  apache2-doc                 <none>       (no description available)
pn  apache2-suexec | apache2-su <none>       (no description available)
ii  lynx-cur [www-browser]      2.8.8dev.5-1 Text-mode WWW Browser with NLS sup

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event     <none>     (no description available)
pn  apache2-mpm-itk       <none>     (no description available)
ii  apache2-mpm-prefork   2.2.16-6   Apache HTTP Server - traditional n
pn  apache2-mpm-worker    <none>     (no description available)

-- Configuration Files:
/etc/apache2/mods-available/authnz_ldap.load changed:
# NOTE: This must be loaded before mod_authnz_default to avoid messages like this:
# unknown require directive:ldap-attribute myacl=unix
# 2011-03-23
# bpkroth

# Depends: ldap
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

-- no debconf information






Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

2011-03-23 Thread Stefan Fritsch

On Wed, 23 Mar 2011, Brian P Kroth wrote:

> In the default configuration mod_authnz_ldap.load is symlinked from
> mods-available to mods-enabled but that orders it (lexicographically)
> after the symlink to load mod_authnz_default.  This causes a number of
> ldap specific arguments to the Require definition to be unrecognized and
> logged as follows:
>
> [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth 
> failed, reason: unknown require directive:ldap-user bpktest bpkroth


This message is not produced by apache2's core or any of the default 
modules. Therefore I expect that the bug is in a third party module. To 
find out which module may be the culprit, enter as root:


grep require: $(cat /proc/XXX/maps |fgrep .so|awk '{print $6}'|sort -u)

Replace XXX with the pid of a running apache process.






Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

2011-03-23 Thread Brian Kroth
Stefan Fritsch <s...@sfritsch.de> 2011-03-23 23:01:
> On Wed, 23 Mar 2011, Brian P Kroth wrote:
> > In the default configuration mod_authnz_ldap.load is symlinked from
> > mods-available to mods-enabled but that orders it (lexicographically)
> > after the symlink to load mod_authnz_default.  This causes a number of
> > ldap specific arguments to the Require definition to be unrecognized and
> > logged as follows:
> >
> > [Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to
> > /auth failed, reason: unknown require directive:ldap-user bpktest
> > bpkroth
>
> This message is not produced by apache2's core or any of the default
> modules. Therefore I expect that the bug is in a third party module.
> To find out which module may be the culprit, enter as root:
>
> grep require: $(cat /proc/XXX/maps |fgrep .so|awk '{print $6}'|sort -u)
>
> Replace XXX with the pid of a running apache process.

Fixed your grep up and did this instead:

# for pid in `pgrep apache2`; do for so in `cat /proc/$pid/maps | fgrep .so | awk '{ print $6 }' | sort -u`; do strings $so | grep -qi 'unknown require directive:' && echo $so; done; done

Which turned up this:
/usr/lib/apache2/modules/mod_auth_plain.so

This is in this package:
# dpkg -S /usr/lib/apache2/modules/mod_auth_plain.so
libapache2-mod-auth-plain: /usr/lib/apache2/modules/mod_auth_plain.so

Anything else?

Thanks,
Brian

