Upgrading my subversion server from apache-2.0 to 2.2 I decided to try
replace from mod_auth_pam with mod_authnz_external+pwauth+pam
pwauth works, apache works, but mod_authnz_external doesn't
The apache log shows this error when I try to log in:
==> /var/log/apache2/error.log <==
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid
AuthExternal keyword (pwauth)
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access
to /DataMart/ failed, reason: verification of user id 'johns' not
configured
What does it mean?
I built pwauth to use pam & allow 2 users to run it (apache and jstile),
and command line tests succeed.
echo 'PWAUTH_SERVERUIDS="81,1000"' >> /etc/make.conf # Must specify
UIDs allowed to run pwauth
echo 'www-apache/pwauth pam' >> /etc/portage/package.use
echo 'www-apache/pwauth ~x86' >> /etc/portage/package.keywords
emerge www-apache/pwauth
vi /etc/pam.d/pwauth
#%PAM-1.0
auth required pam_winbind.so
account required pam_winbind.so
Test pwauth as non-root user, testing Active Directory account.
su - jstile
/usr/sbin/pwauth
johns
<good password>
echo $?
0 # this means good passwd
/usr/sbin/pwauth
johns
foo
echo $?
1 # this means bad passwd
This gives me confidence the problem is not with pwauth.
Install mod_authnz_external.
echo 'www-apache/mod_authnz_external ~x86'
>> /etc/portage/package.keywords
emerge --update --newuse --deep -ta www-apache/mod_authnz_external
Append '-D AUTHNZ_EXTERNAL' to APACHE2_OPTS in /etc/conf.d/apache2.
Resulting line:
APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D DEFAULT_VHOST -D
SSL_DEFAULT_VHOST -D SUEXEC -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D PHP5
-D AUTHNZ_EXTERNAL"
I edited /etc/apache2/modules.d/10_mod_authnz_external.conf,
and uncomment/changed 2 lines:
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
Then for the apache configs.
The file /etc/apache2/httpd.conf
loads default modules,
loads /etc/apache2/modules.d/*.conf
loads /etc/apache2/vhosts.d/*.conf
I have one vhost for port 80, one for 443, and one for common items.
Code:
00_default_ssl_vhost.conf
00_default_vhost.conf
default_vhost.include
The file /etc/apache2/modules.d/10_mod_authnz_external.conf contains:
<IfDefine AUTHNZ_EXTERNAL>
<IfModule !mod_authnz_external.c>
#LoadModule authnz_external_module modules/mod_authnz_external.so
LoadModule
authnz_external_module /usr/lib/apache2/modules/mod_authnz_external.so
</IfModule>
</IfDefine>
<IfModule mod_authnz_external.c>
AddExternalAuth pwauth /usr/sbin/pwauth
SetExternalAuthMethod pwauth pipe
</IfModule>
The file /etc/apache2/modules.d/47_mod_dav_svn.conf contains:
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so
<Location /DataMart>
DAV svn
SVNPath /svn/repos/DataMart
SVNIndexXSLT "/svnindex.xsl"
AuthType Basic
AuthName "Subversion Repository: DataMart"
#AuthBasicAuthoritative Off
AuthBasicProvider external
AuthExternal pwauth
Require valid-user
AuthzSVNAccessFile /svn/acls/DataMart.acl
</Location>
Finall I restart apache.
/etc/init.d/apache2 restart
I can access both the 443 and 80 default pages, so Apache is serving
pages.
When "AuthBasicAuthoritative Off" is uncommented and I access DataMart,
I am prompted for a password over and over, which generates the apache
logs:
==> /var/log/apache2/error.log <==
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid
AuthExternal keyword (pwauth)
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access
to /DataMart/ failed, reason: verification of user id 'johns' not
configured
When "AuthBasicAuthoritative Off" is commented out and I access
DataMart, apache logs show:
==> /var/log/apache2/access.log <==
192.168.60.30 - johns [17/Sep/2007:14:19:54 -0700] "GET /DataMart/
HTTP/1.1" 500 540 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US;
rv:1.8.1.6) Gecko/20070815 Firefox/2.0.0.6"
==> /var/log/apache2/error.log <==
[Mon Sep 17 14:19:54 2007] [error] [client 192.168.60.30] Invalid
AuthExternal keyword (pwauth)
I am using Gentoo Linux with the following package versions:
www-apache/mod_authnz_externa 1.3.0
app-admin/apache-tools-2.2.6
www-servers/apache-2.2.6
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
" from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|