Bug#619408: apache2.2-common: mod_authnz_ldap require directives unrecognized if loaded after mod_authnz_default
Package: apache2.2-common
Version: 2.2.16-6
Severity: normal
In the default configuration mod_authnz_ldap.load is symlinked from
mods-available to mods-enabled but that orders it (lexicographically)
after the symlink to load mod_authnz_default. This causes a number of
LDAP-specific arguments to the Require definition to be unrecognized and
logged as follows:
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-user bpktest bpkroth"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-group cn=bpk-test,ou=Group,o=ORG"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: unknown require directive:"ldap-attribute myacl=unix"
[Wed Mar 23 11:04:48 2011] [error] [client 10.10.10.10] access to /auth failed, reason: user bpktest not allowed access
The relevant tidbits from my .htaccess file are as follows:
# Allow authenticated access
AuthType Basic
AuthName "Restricted Access"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL "ldap://ldapauth.mydomain.com:389/ou=People,o=ORG?uid" STARTTLS
AuthLDAPRemoteUserIsDN Off
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-user bpktest bpkroth
Require ldap-group cn=bpk-test,ou=Group,o=ORG
Require ldap-attribute myacl=unix
Adding another symlink to mod_authnz_ldap.load in mods-enabled as
01-mod_authnz_ldap.load corrects this behavior, albeit with a warning
message on startup (probably avoidable with an if statement around the
load).
Let me know if you need anything else.
Thanks,
Brian
-- Package-specific info:
List of /etc/apache2/mods-enabled/*.load:
01-authnz_ldap alias auth_basic auth_kerb auth_pam auth_plain
auth_sys_group authn_file authnz_ldap authz_default authz_groupfile
authz_host authz_user autoindex cgi deflate dir env include info
ldap mime mod-security negotiation php5 reqtimeout rewrite rpaf
setenvif ssl status unique_id vhost_alias wsgi
List of enabled php5 extensions:
adodb apc curl ffmpeg gd geoip gmp idn imagick interbase lasso ldap
mcrypt memcache ming mssql mysql mysqli odbc pam_auth pdo pdo_dblib
pdo_mysql pdo_odbc pdo_pgsql pdo_sqlite pgsql ps pspell radius
recode redland sasl snmp sqlite sqlite3 ssh2 suhosin tidy uuid
xmlrpc xsl
-- System Information:
Debian Release: 6.0
APT prefers stable
APT policy: (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages apache2.2-common depends on:
ii apache2-utils 2.2.16-6 utility programs for webservers
ii apache2.2-bin 2.2.16-6 Apache HTTP Server common binary f
ii libmagic1 5.04-5 File type determination library us
ii lsb-base 3.2-23.2squeeze1 Linux Standard Base 3.2 init scrip
ii mime-support 3.48-1 MIME files 'mime.types' & 'mailcap
ii perl 5.10.1-17 Larry Wall's Practical Extraction
ii procps 1:3.2.8-9 /proc file system utilities
Versions of packages apache2.2-common recommends:
pn ssl-cert <none> (no description available)
Versions of packages apache2.2-common suggests:
pn apache2-doc <none> (no description available)
pn apache2-suexec | apache2-su <none> (no description available)
ii lynx-cur [www-browser] 2.8.8dev.5-1 Text-mode WWW Browser with NLS sup
Versions of packages apache2.2-common is related to:
pn apache2-mpm-event <none> (no description available)
pn apache2-mpm-itk <none> (no description available)
ii apache2-mpm-prefork 2.2.16-6 Apache HTTP Server - traditional n
pn apache2-mpm-worker <none> (no description available)
-- Configuration Files:
/etc/apache2/mods-available/authnz_ldap.load changed:
# NOTE: This must be loaded before mod_authnz_default to avoid messages like this:
# unknown require directive:"ldap-attribute myacl=unix"
# 2011-03-23
# bpkroth
# Depends: ldap
LoadModule authnz_ldap_module /usr/lib/apache2/modules/mod_authnz_ldap.so
-- no debconf information