
Bug#397774: marked as done (apache2.2-common: Support mod_auth_ldap to mod_aunthz_ldap migration. Or at least warn!)

Your message dated Thu, 1 May 2008 11:47:37 +0200
with message-id <200805011147.37837.sf@sfritsch.de>
and subject line #397774 apache2.2-common: Support mod_auth_ldap to mod_aunthz_ldap migration
has caused the Debian Bug report #397774,
regarding apache2.2-common: Support mod_auth_ldap to mod_aunthz_ldap migration. Or at least warn!
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org

397774: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=397774
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apache2.2-common
Version: 2.2.3-3
Severity: important

In short: config syntax for LDAP authorization changed a LOT, and is
not well described anywhere. While updating from apache 2.0, the user
should be warned about necessary configuration changes.

A bit longer: I use LDAP-authorization for my apache2 installation.
Today I tried upgrading my apache from 2.0 to 2.2. And ... 

1) First surprise happened while updating 

Preparing to replace apache2-mpm-prefork 2.0.55-4.1 (using .../apache2-mpm-prefork_2.2.3-3_i386.deb) ...
Stopping apache 2.0 web server...Syntax error on line 1 of /etc/apache2/mods-enabled/auth_ldap.load:
Cannot load /usr/lib/apache2/modules/mod_ldap.so into server: /usr/lib/apache2/modules/mod_ldap.so: cannot open shared object file: No such file or directory

And of course any attempts to start apache2 after update finished 
resulted in the same problem.

Solving this cost me about 15 minutes (at first I thought that the ldap
module had been split into some package), but I finally found that I
        a2dismod ldap 
        a2enmod authnz_ldap
Nevertheless, this is surely something I could have been warned about before
the upgrade. Also, disabling the ldap module automatically is really worth

2) OK, I enabled the module above, restarted apache. Now every access
to my pages resulted in Internal Server Error, with fantasy errors
in logfile:

[Thu Nov 09 12:01:12 2006] [error] Internal error: pcfg_openfile() called with NULL filename
[Thu Nov 09 12:01:12 2006] [error] [client] (9)Bad file descriptor: Could not open password file: (null)

Some googling showed PLENTY of people desperately seeking a
solution to this problem on different mailing lists and forums,
usually without any reply. Finally I found the solution: one
must add the following lines to the configuration file

  AuthBasicProvider ldap
  AuthUserFile /dev/null

3) Finally, there were no more internal errors, but my authorizations
were not accepted for some reason. I did not analyse it in detail,
but it seems 'require valid-user' no longer works. Fortunately
there is new syntax which works correctly - 'require ldap-group'.

My suggestions:

a) during upgrade disable ldap module before stopping apache
   to avoid syntax error

b) before upgrade show the user a message, warning him about
   important config changes in case he is using ldap authorization
   and referring him to some doc file

c) in the doc file advise him to:

- a2enmod authnz_ldap

- add clauses
      AuthBasicProvider ldap
      AuthUserFile /dev/null
  in all <Location> blocks which refer to ldap authorization

- review require clauses and change require user and require group
  to new require ldap-group, require ldap-user etc

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages apache2.2-common depends on:
ii  apache2-utils                 2.2.3-3    utility programs for webservers
ii  libmagic1                     4.17-4     File type determination library us
ii  lsb-base                      3.1-15     Linux Standard Base 3.1 init scrip
ii  mime-support                  3.37-1     MIME files 'mime.types' & 'mailcap
ii  net-tools                     1.60-17    The NET-3 networking toolkit

apache2.2-common recommends no packages.

-- no debconf information

--- End Message ---
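
Added example, not part of the bug report or of the Debian package: a pre-upgrade check that applies two items from the reporter's checklist to each LDAP-protected block, flagging a missing AuthBasicProvider ldap and old-style require user / require group lines. It assumes LDAP-protected blocks can be recognised by an AuthLDAPURL directive; the sample configuration, host names and paths are constructed.

```python
import re

# Constructed sample of a partly migrated config (assumption, not from the report).
SAMPLE = """\
<Location /private>
    AuthType Basic
    AuthLDAPURL ldap://ldap.example.org/ou=People,dc=example,dc=org?uid
    require group cn=staff,ou=Groups,dc=example,dc=org
</Location>
<Location /migrated>
    AuthType Basic
    AuthBasicProvider ldap
    AuthLDAPURL ldap://ldap.example.org/ou=People,dc=example,dc=org?uid
    require ldap-group cn=staff,ou=Groups,dc=example,dc=org
</Location>
<Location /files>
    AuthUserFile /etc/apache2/htpasswd
    require valid-user
</Location>
"""

BLOCK = re.compile(r"<(Location|Directory)\s+([^>]+)>(.*?)</\1>", re.S | re.I)

def directives(body):
    """Return [(lowercased name, args)] for non-blank, non-comment lines."""
    rows = (l.split(None, 1) for l in body.splitlines() if l.strip())
    return [(r[0].lower(), r[1].strip() if len(r) > 1 else "")
            for r in rows if not r[0].startswith("#")]

def audit(config):
    """Return {path: [findings]} for blocks that contain AuthLDAPURL."""
    report = {}
    for _, path, body in BLOCK.findall(config):
        d = directives(body)
        if not any(n == "authldapurl" for n, _ in d):
            continue  # block does not use LDAP; nothing to migrate
        findings = []
        if not any(n == "authbasicprovider" and "ldap" in a.lower().split() for n, a in d):
            findings.append("missing 'AuthBasicProvider ldap'")
        for n, a in d:
            kind = (a.split() or [""])[0].lower()
            if n == "require" and kind in ("user", "group"):
                findings.append(f"review 'require {kind}' -> 'require ldap-{kind}'")
        report[path.strip()] = findings
    return report

if __name__ == "__main__":
    for path, findings in audit(SAMPLE).items():
        print(path, "OK" if not findings else "; ".join(findings))
```
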
--- Begin Message ---
Thanks for your bug report. The bug concerns the upgrade from Apache 
2.0 to 2.2 but was unfortunately not fixed in time for Etch's 
release. It is also not severe enough to warrant a stable update. 
Therefore, the bug is not relevant anymore and I am closing it.

--- End Message ---