debugging mod_authnz_external with apache-2.2

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Upgrading my subversion server from apache-2.0 to 2.2 I decided to try
replace from mod_auth_pam with  mod_authnz_external+pwauth+pam

pwauth works, apache works, but mod_authnz_external doesn't

The apache log shows this error when I try to log in: 
                                    
                  ==> /var/log/apache2/error.log <== 
   [Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid
                     AuthExternal keyword (pwauth) 
    [Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access
   to /DataMart/ failed, reason: verification of user id 'johns' not
                              configured 
                                    
What does it mean? 

I built pwauth to use pam & allow 2 users to run it (apache and jstile),
and command line tests succeed. 
                                    
  echo 'PWAUTH_SERVERUIDS="81,1000"' >> /etc/make.conf  # Must specify
                      UIDs allowed to run pwauth 
        echo 'www-apache/pwauth pam' >> /etc/portage/package.use 
     echo 'www-apache/pwauth ~x86' >> /etc/portage/package.keywords 
                        emerge www-apache/pwauth 
                         vi  /etc/pam.d/pwauth 
                                 #%PAM-1.0 
                   auth    required        pam_winbind.so 
                   account required        pam_winbind.so

Test pwauth as non-root user, testing Active Directory account. 
                                    
                              su - jstile 
                            /usr/sbin/pwauth 
                                   johns 
                              <good password> 
                                 echo $? 
                        0  # this means good passwd 
                            /usr/sbin/pwauth 
                                   johns 
                                    foo 
                                 echo $? 
                        1   # this means bad passwd

This gives me confidence the problem is not with pwauth. 

Install mod_authnz_external. 
                                    
               echo 'www-apache/mod_authnz_external ~x86'
                   >> /etc/portage/package.keywords 
   emerge --update --newuse --deep -ta www-apache/mod_authnz_external

Append '-D AUTHNZ_EXTERNAL' to APACHE2_OPTS in /etc/conf.d/apache2. 
Resulting line: 
                                    
      APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D DEFAULT_VHOST -D
SSL_DEFAULT_VHOST -D SUEXEC -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D PHP5
                          -D AUTHNZ_EXTERNAL"

I edited /etc/apache2/modules.d/10_mod_authnz_external.conf, 
and uncomment/changed 2 lines: 
                                    
                AddExternalAuth  pwauth /usr/sbin/pwauth 
                    SetExternalAuthMethod  pwauth pipe

Then for the apache configs. 
The file /etc/apache2/httpd.conf 
loads default modules, 
loads /etc/apache2/modules.d/*.conf 
loads /etc/apache2/vhosts.d/*.conf 
I have one vhost for port 80, one for 443, and one for common items. 
                                 Code:
                        00_default_ssl_vhost.conf 
                          00_default_vhost.conf 
                           default_vhost.include

The file /etc/apache2/modules.d/10_mod_authnz_external.conf contains: 
                                    
                      <IfDefine AUTHNZ_EXTERNAL> 
                    <IfModule !mod_authnz_external.c> 
     #LoadModule authnz_external_module modules/mod_authnz_external.so 
                                 LoadModule
authnz_external_module /usr/lib/apache2/modules/mod_authnz_external.so 
                               </IfModule> 
                              </IfDefine> 
                   <IfModule mod_authnz_external.c> 
               AddExternalAuth  pwauth /usr/sbin/pwauth 
                  SetExternalAuthMethod  pwauth pipe 
                              </IfModule>

The file /etc/apache2/modules.d/47_mod_dav_svn.conf contains: 
                                    
   LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so 
 LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so 
                         <Location /DataMart> 
                                 DAV svn 
                       SVNPath /svn/repos/DataMart 
                      SVNIndexXSLT "/svnindex.xsl" 
                             AuthType Basic 
               AuthName "Subversion Repository: DataMart" 
                       #AuthBasicAuthoritative Off 
                       AuthBasicProvider external 
                           AuthExternal pwauth 
                           Require valid-user 
                AuthzSVNAccessFile /svn/acls/DataMart.acl 
                              </Location>

Finall I restart apache. 
                                    
                      /etc/init.d/apache2 restart

I can access both the 443 and 80 default pages, so Apache is serving
pages. 

When "AuthBasicAuthoritative Off" is uncommented and I access DataMart,
I am prompted for a password over and over, which generates the apache
logs: 
                                    
                  ==> /var/log/apache2/error.log <== 
   [Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid
                     AuthExternal keyword (pwauth) 
    [Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access
   to /DataMart/ failed, reason: verification of user id 'johns' not
                              configured 
                                    

When "AuthBasicAuthoritative Off" is commented out and I access
DataMart, apache logs show: 
                                    
                  ==> /var/log/apache2/access.log <== 
   192.168.60.30 - johns [17/Sep/2007:14:19:54 -0700] "GET /DataMart/
     HTTP/1.1" 500 540 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
              rv:1.8.1.6) Gecko/20070815 Firefox/2.0.0.6" 
                                    
                  ==> /var/log/apache2/error.log <== 
   [Mon Sep 17 14:19:54 2007] [error] [client 192.168.60.30] Invalid
                     AuthExternal keyword (pwauth)

I am using Gentoo Linux with the following package versions:
  www-apache/mod_authnz_externa 1.3.0
  app-admin/apache-tools-2.2.6
  www-servers/apache-2.2.6


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx


[Index of Archives]     [Open SSH Users]     [Linux ACPI]     [Linux Kernel]     [Linux Laptop]     [Kernel Newbies]     [Security]     [Netfilter]     [Bugtraq]     [Squid]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Samba]     [Video 4 Linux]     [Device Mapper]

  Powered by Linux