Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
From: Brian P Kroth <bpkroth@gmail.com>
Date: Wed, 23 Mar 2011 11:31:00 -0500
Message-id: <[🔎] 20110323163100.29873.39275.reportbug@bobo.cae.wisc.edu>
Reply-to: Brian P Kroth <bpkroth@gmail.com>, 619408@bugs.debian.org

Package: apache2.2-common
Version: 2.2.16-6
Severity: normal


In the default configuration mod_authnz_ldap.load is symlinked from
mods-available to mods-enabled but that orders it (lexicographically)
after the symlink to load mod_authnz_default.  This causes a number of
ldap specific arguments to the Require definition to be unrecognized and
logged as follows:

[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-user bpktest bpkroth"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-group cn=bpk-test,ou=Group,o=ORG"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-attribute myacl=unix"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: user bpktest not allowed access

The relevant tidbits from my .htaccess file are as follows:

# Allow authenticated access
AuthType Basic
AuthName "Restricted Access"

AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldapauth.mydomain.com:389/ou=People,o=ORG?uid"; STARTTLS

AuthLDAPRemoteUserIsDN Off
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off

Require ldap-user bpktest bpkroth
Require ldap-group cn=bpk-test,ou=Group,o=ORG
Require ldap-attribute myacl=unix



Adding another symlink to mod_authnz_ldap.load in mods-enabled as
01-mod_authnz_ldap.load corrects this behavior, albeit with a warning
message on startup (probably avoidable with an if statement around the
load).

Let me know if you need anything else.

Thanks,
Brian

-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
  01-authnz_ldap alias auth_basic auth_kerb auth_pam auth_plain
  auth_sys_group authn_file authnz_ldap authz_default authz_groupfile
  authz_host authz_user autoindex cgi deflate dir env include info
  ldap mime mod-security negotiation php5 reqtimeout rewrite rpaf
  setenvif ssl status unique_id vhost_alias wsgi
List of enabled php5 extensions:
  adodb apc curl ffmpeg gd geoip gmp idn imagick interbase lasso ldap
  mcrypt memcache ming mssql mysql mysqli odbc pam_auth pdo pdo_dblib
  pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql ps pspell radius
  recode redland sasl snmp sqlite sqlite3 ssh2 suhosin tidy uuid
  xmlrpc xsl

-- System Information:
Debian Release: 6.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages apache2.2-common depends on:
ii  apache2-utils           2.2.16-6         utility programs for webservers
ii  apache2.2-bin           2.2.16-6         Apache HTTP Server common binary f
ii  libmagic1               5.04-5           File type determination library us
ii  lsb-base                3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii  mime-support            3.48-1           MIME files 'mime.types' & 'mailcap
ii  perl                    5.10.1-17        Larry Wall's Practical Extraction 
ii  procps                  1:3.2.8-9        /proc file system utilities

Versions of packages apache2.2-common recommends:
pn  ssl-cert                      <none>     (no description available)

Versions of packages apache2.2-common suggests:
pn  apache2-doc                 <none>       (no description available)
pn  apache2-suexec | apache2-su <none>       (no description available)
ii  lynx-cur [www-browser]      2.8.8dev.5-1 Text-mode WWW Browser with NLS sup

Versions of packages apache2.2-common is related to:
pn  apache2-mpm-event             <none>     (no description available)
pn  apache2-mpm-itk               <none>     (no description available)
ii  apache2-mpm-prefork           2.2.16-6   Apache HTTP Server - traditional n
pn  apache2-mpm-worker            <none>     (no description available)

-- Configuration Files:
/etc/apache2/mods-available/authnz_ldap.load changed:
# NOTE: This must be loaded before mod_authnz_default to avoid messages like this:
# unknown require directive:"ldap-attribute myacl=unix"
# 2011-03-23
# bpkroth

# Depends: ldap
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so

-- no debconf information

Reply to:

Follow-Ups:
- Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
  - From: Stefan Fritsch <sf@sfritsch.de>

Prev by Date: apache2_2.2.17-2_i386.changes ACCEPTED into unstable
Next by Date: Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Previous by thread: apache2_2.2.17-2_i386.changes ACCEPTED into unstable
Next by thread: Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Index(es):
- Date
- Thread