Re: [users@httpd] RE: Apache authorization using require dbd-group from SQL Server database

2021-02-08 Thread Yann Ylavic
Thanks Kyle.

Since this fix resulted in two 2.4 changes actually, it's possibly
worth mentioning them to the redhat team, that could help them:
- http://svn.apache.org/r1701404
- http://svn.apache.org/r1701405

Regards;
Yann.

On Mon, Feb 8, 2021 at 5:27 PM Kyle Hansen  wrote:
>
> Good suggestion.  Done here (https://bugs.centos.org/view.php?id=18053) for 
> anyone that may be interested.
>
> -----Original Message-----
> From: Yann Ylavic 
> Sent: Saturday, February 6, 2021 7:31 AM
> To: users@httpd.apache.org
> Subject: Re: [users@httpd] RE: Apache authorization using require dbd-group 
> from SQL Server database
>
> Hi Kyle,
>
> On Sat, Feb 6, 2021 at 12:21 AM Kyle Hansen  
> wrote:
> >
> > After a lot of work, I was able to solve this myself.  I updated the 
> > previously linked Stack Overflow link with the solution, but am copying it 
> > here for completeness.
>
> Thanks for the feedback.
>
> >
> > My Apache Version was 2.4.6 but the most recent RHEL Version,
> > httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for
> > apache 2.4 (https://www.apachelounge.com/Changelog-2.4.html) most of
> > the mod_authz_dbd changes were included in the CentOS version except
> > for the one integrated in Apache 2.4.17 entitled
> >
> > *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
> >PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic]
> []
> > Unfortunately, my Apache now doesn't have the benefits of RHEL if I go
> > this route
>
> You may want to reach out to the RHEL/centos team to report this bug and 
> upstream fix to possibly have it included in their httpd-2.4.6-next version.
>
> Regards;
> Yann.
>
> -
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>




RE: [users@httpd] RE: Apache authorization using require dbd-group from SQL Server database

2021-02-08 Thread Kyle Hansen
Good suggestion.  Done here (https://bugs.centos.org/view.php?id=18053) for 
anyone that may be interested.

-----Original Message-----
From: Yann Ylavic  
Sent: Saturday, February 6, 2021 7:31 AM
To: users@httpd.apache.org
Subject: Re: [users@httpd] RE: Apache authorization using require dbd-group 
from SQL Server database

Hi Kyle,

On Sat, Feb 6, 2021 at 12:21 AM Kyle Hansen  wrote:
>
> After a lot of work, I was able to solve this myself.  I updated the 
> previously linked Stack Overflow link with the solution, but am copying it 
> here for completeness.

Thanks for the feedback.

>
> My Apache Version was 2.4.6 but the most recent RHEL Version, 
> httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for 
> apache 2.4 (https://www.apachelounge.com/Changelog-2.4.html) most of 
> the mod_authz_dbd changes were included in the CentOS version except 
> for the one integrated in Apache 2.4.17 entitled
>
> *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
>PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic]
[]
> Unfortunately, my Apache now doesn't have the benefits of RHEL if I go 
> this route

You may want to reach out to the RHEL/centos team to report this bug and 
upstream fix to possibly have it included in their httpd-2.4.6-next version.

Regards;
Yann.




Re: [users@httpd] RE: Apache authorization using require dbd-group from SQL Server database

2021-02-06 Thread Yann Ylavic
Hi Kyle,

On Sat, Feb 6, 2021 at 12:21 AM Kyle Hansen  wrote:
>
> After a lot of work, I was able to solve this myself.  I updated the 
> previously linked Stack Overflow link with the solution, but am copying it 
> here for completeness.

Thanks for the feedback.

>
> My Apache Version was 2.4.6 but the most recent RHEL Version, 
> httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for apache 2.4 
> (https://www.apachelounge.com/Changelog-2.4.html) most of the mod_authz_dbd 
> changes were included in the CentOS version except for the one integrated in 
> Apache 2.4.17 entitled
>
> *) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
>PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic]
[]
> Unfortunately, my Apache now doesn't have the benefits of RHEL if I go this 
> route

You may want to reach out to the RHEL/centos team to report this bug
and upstream fix to possibly have it included in their
httpd-2.4.6-next version.

Regards;
Yann.




[users@httpd] RE: Apache authorization using require dbd-group from SQL Server database

2021-02-05 Thread Kyle Hansen
After a lot of work, I was able to solve this myself.  I updated the previously 
linked Stack Overflow link with the solution, but am copying it here for 
completeness.


For anyone that has a similar issue, I was finally able to solve the problem 
myself.

My Apache Version was 2.4.6 but the most recent RHEL Version, 
httpd-2.4.6-97.el7.centos I believe. Looking at the Change Log for apache 2.4 
(https://www.apachelounge.com/Changelog-2.4.html) most of the mod_authz_dbd 
changes were included in the CentOS version except for the one integrated in 
Apache 2.4.17 entitled

*) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.

PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic]



Interestingly, this type of crash seemed to similarly describe the type of 
crash I was observing, though my DB access permissions were correct.

I followed the instructions here 
(https://crosp.net/blog/administration/install-latest-apache-server-centos-7/) 
to install Apache 2.4.46. Getting this updated version of Apache solved my 
problem using the exact same .conf file listed above. Unfortunately, my Apache 
now doesn't have the benefits of RHEL if I go this route, but I'm assuming this 
bug fix in Apache 2.4.17 is tied to the error I was seeing.

Either way, I figured it was worth mentioning the solution I was able to obtain 
in case anyone else runs into a similar issue.


From: Kyle Hansen 
Sent: Tuesday, February 2, 2021 7:54 PM
To: users@httpd.apache.org
Subject: [users@httpd] Apache authorization using require dbd-group from SQL 
Server database


I have an app running behind a reverse proxy on Apache 2.4.6 on CentOS 7. I am 
doing authentication using Shibboleth and am currently doing authorization via 
a whitelist using AuthGroupFile /path/to/authfile and Require group authGroup. 
This currently works with my setup. I'm trying to change this process to do 
authorization against a whitelist stored in a SQL Server database, and this is 
proving to be difficult.  I had assumed I could just replace AuthGroupFile 
/path/to/authfile with AuthzDBDQuery "SELECT appName FROM authTable WHERE 
UserLogin = %s" and replace Require group authGroup with Require dbd-group 
myApp but that does not seem to be working as expected.

Currently in conf.d/shib.conf I have the following:

DBDriver odbc
DBDParams "DATASOURCE=ODBCconn,USER=myUser,PASSWORD=myPwd"

  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require dbd-group myApp
  AuthzDBDQuery "SELECT appName FROM authTable WHERE UserLogin = %s"

With my DSM ODBCconn I am using ODBC Driver 17 for SQL Server and I can use 
that DSM to connect using those credentials via pyodbc in python, so I think I 
have that setup correctly. In the database, the column appName will return the 
name of the applications the user is authorized to use as stored in authTable, 
or essentially the groups the user is a part of. Hence, if a user has a row for 
myApp they will be authorized to use myApp. My understanding of the 
documentation (https://httpd.apache.org/docs/trunk/mod/mod_authz_dbd.html) is 
this is how my query should work for defining a group.

However, when running this I get a stack smashing error in my 
httpd/logs/error_log that looks something like:

*** stack smashing detected ***: /usr/sbin/httpd terminated

=== Backtrace: =

...

...

Long long list of files

...

...

[Thu Jan 28 09:36:53.306151 2021] [core:notice] [pid 10621] AH00052: child pid 
24810 exit signal Aborted (6)

[Thu Jan 28 09:36:53.306215 2021] [core:notice] [pid 10621] AH00052: child pid 
28192 exit signal Aborted (6)

[Thu Jan 28 09:36:53.306238 2021] [core:notice] [pid 10621] AH00052: child pid 
31928 exit signal Aborted (6)



Any help on what might be going wrong with my setup that is preventing 
authorization in this way?

Additionally posted on Stack Overflow without responses yet 
(https://stackoverflow.com/questions/65945922/apache-authorization-using-require-dbd-group-from-sql-server-database)

Kyle Hansen, PhD
Email: kyle.r.han...@hsc.utah.edu
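
Added example, not part of the original thread and not httpd code: a small triage script for the error_log pattern quoted above, pairing the glibc "stack smashing detected" banner with the AH00052 child-exit notices so that stack-protector aborts (signal 6) can be told apart from other child crashes. The sample log is constructed from the lines in the post; the function name and result keys are assumptions made for this illustration.

```python
import re
from collections import Counter

# Constructed sample modelled on the excerpt in the post; the signal 11 and AH00163 lines are made up.
SAMPLE_LOG = """\
*** stack smashing detected ***: /usr/sbin/httpd terminated
[Thu Jan 28 09:36:53.306151 2021] [core:notice] [pid 10621] AH00052: child pid 24810 exit signal Aborted (6)
[Thu Jan 28 09:36:53.306215 2021] [core:notice] [pid 10621] AH00052: child pid 28192 exit signal Aborted (6)
[Thu Jan 28 09:37:10.000001 2021] [core:notice] [pid 10621] AH00052: child pid 31928 exit signal Segmentation fault (11)
[Thu Jan 28 09:38:00.000002 2021] [mpm_prefork:notice] [pid 10621] AH00163: Apache/2.4.6 (CentOS) configured -- resuming normal operations
"""

SSP_RE = re.compile(r"^\*\*\* stack smashing detected \*\*\*: (?P<binary>\S+) terminated")
CHILD_EXIT_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] "
    r"AH00052: child pid (?P<child>\d+) exit signal (?P<signame>.+?) \((?P<signo>\d+)\)"
)

def triage(log_text):
    """Summarise stack-protector banners and abnormal child exits in an error_log."""
    ssp_binaries, exits = [], []
    for line in log_text.splitlines():
        line = line.strip()
        m = SSP_RE.match(line)
        if m:
            ssp_binaries.append(m.group("binary"))
            continue
        m = CHILD_EXIT_RE.match(line)
        if m:
            exits.append({
                "timestamp": m.group("ts"),
                "child": int(m.group("child")),
                "signal": int(m.group("signo")),
                "signal_name": m.group("signame"),
            })
    by_signal = Counter(e["signal"] for e in exits)
    return {
        "ssp_aborts": len(ssp_binaries),
        "binaries": sorted(set(ssp_binaries)),
        "child_exits": exits,
        "by_signal": dict(by_signal),
        # An SSP banner plus SIGABRT (6) exits points at the stack protector firing,
        # as opposed to a plain segfault (11) with no banner.
        "ssp_correlated": bool(ssp_binaries) and by_signal.get(6, 0) > 0,
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```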