I have an app running behind a reverse proxy on Apache 2.4.6 on CentOS 7. I am doing authentication using Shibboleth and am currently doing authorization via a whitelist using AuthGroupFile /path/to/authfile and Require group authGroup. This currently works with my setup. I'm trying to change this process to do authorization against a whitelist stored in a SQL Server database, and this is proving to be difficult. I had assumed I could just replace AuthGroupFile /path/to/authfile with AuthzDBDQuery "SELECT appName FROM authTable WHERE UserLogin = %s" and replace Require group authGroup with Require dbd-group myApp but that does not seem to be working as expected.
Currently in conf.d/shib.conf I have the following: DBDriver odbc DBDParams "DATASOURCE=ODBCconn,USER=myUser,PASSWORD=myPwd" <Location /authLocation> AuthType shibboleth ShibRequestSetting requireSession 1 Require dbd-group myApp AuthzDBDQuery "SELECT appName FROM authTable WHERE UserLogin = %s" </Location> My with my DSM ODBCconn I am using ODBC Driver 17 for SQL Server and I can use that DSM to connect using those credentials via pyodbc in python, so I think I have that setup correctly. In the database, the column appName will return the name of the applications the user is authorized to use as stored in authTable, or essentially the groups the user is a part of. Hence, if a user has a row for myApp they will be authorized to use myApp. My understanding of the documentation (https://httpd.apache.org/docs/trunk/mod/mod_authz_dbd.html) is this is how my query should work for defining a group. However, when running this I get a stack smashing error in my httpd/logs/error_log that looks something like: *** stack smashing detected ***: /usr/sbin/httpd terminated ======= Backtrace: ========= ... ... Long long list of files ... ... [Thu Jan 28 09:36:53.306151 2021] [core:notice] [pid 10621] AH00052: child pid 24810 exit signal Aborted (6) [Thu Jan 28 09:36:53.306215 2021] [core:notice] [pid 10621] AH00052: child pid 28192 exit signal Aborted (6) [Thu Jan 28 09:36:53.306238 2021] [core:notice] [pid 10621] AH00052: child pid 31928 exit signal Aborted (6) Any help on what might be going wrong with my setup that is preventing authorization in this way? Additionally posted on Stack Overflow without responses yet (https://stackoverflow.com/questions/65945922/apache-authorization-using-require-dbd-group-from-sql-server-database) Kyle Hansen, PhD Email: kyle.r.han...@hsc.utah.edu<mailto:kyle.r.han...@hsc.utah.edu>
