View Issue Details

ID: 0018053
Project: CentOS-7
Category: httpd
View Status: public
Last Update: 2021-02-08 17:40
Reporter: kr-hansen
Assigned To:
Priority: normal
Severity: major
Reproducibility: always
Status: new
Resolution: open
Summary: 0018053: Apache authorization using require dbd-group from SQL Server database
Description: I have an app running behind a reverse proxy on Apache 2.4.6 on CentOS 7. I am doing authentication using Shibboleth and am currently doing authorization via a whitelist using AuthGroupFile /path/to/authfile and Require group authGroup. This currently works with my setup. I'm trying to change this process to do authorization against a whitelist stored in a SQL Server database, and this is proving to be difficult.

Currently in conf.d/shib.conf I have the following:

DBDriver odbc
DBDParams "DATASOURCE=ODBCconn,USER=myUser,PASSWORD=myPwd"

<Location /authLocation>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require dbd-group myApp
  AuthzDBDQuery "SELECT appName FROM authTable WHERE UserLogin = %s"
</Location>

With my DSN ODBCconn I am using ODBC Driver 17 for SQL Server and I can use that DSN to connect using those credentials via pyodbc in Python, so I think I have that set up correctly. In the database, the column appName will return the name of the applications the user is authorized to use as stored in authTable, or essentially the groups the user is a part of. Hence, if a user has a row for myApp they will be authorized to use myApp. My understanding of the documentation (https://httpd.apache.org/docs/trunk/mod/mod_authz_dbd.html) is this is how my query should work for defining a group.

However, when running this I get a stack smashing error in my httpd/logs/error_log that looks something like:

*** stack smashing detected ***: /usr/sbin/httpd terminated
======= Backtrace: =========
...
...
Long long list of files
...
...
[Thu Jan 28 09:36:53.306151 2021] [core:notice] [pid 10621] AH00052: child pid 24810 exit signal Aborted (6)
[Thu Jan 28 09:36:53.306215 2021] [core:notice] [pid 10621] AH00052: child pid 28192 exit signal Aborted (6)
[Thu Jan 28 09:36:53.306238 2021] [core:notice] [pid 10621] AH00052: child pid 31928 exit signal Aborted (6)

Any help on what might be going wrong with my setup that is preventing authorization in this way?

Posted on StackOverflow at this link: https://stackoverflow.com/questions/65945922/apache-authorization-using-require-dbd-group-from-sql-server-database/66071859#66071859

Steps To Reproduce: My Apache Version was 2.4.6 but the most recent RHEL Version, httpd-2.4.6-97.el7.centos

Use AuthzDBDQuery to require group from within .conf file. My example info is included above, re-copied here:

DBDriver odbc
DBDParams "DATASOURCE=ODBCconn,USER=myUser,PASSWORD=myPwd"

<Location /authLocation>
  AuthType shibboleth
  ShibRequestSetting requireSession 1
  Require dbd-group myApp
  AuthzDBDQuery "SELECT appName FROM authTable WHERE UserLogin = %s"
</Location>

Additional Information: My solution which was posted to StackOverflow is copied below for help. It seems to be an issue with the CentOS httpd package, rather than httpd itself.

Looking at the Change Log for Apache 2.4 (https://www.apachelounge.com/Changelog-2.4.html), most of the mod_authz_dbd changes were included in the CentOS version except for the one integrated in Apache 2.4.17 entitled

*) mod_authz_dbd: Avoid a crash when lacking correct DB access permissions.
PR 57868. [Jose Kahan < jose w3.org>, Yann Ylavic]

Interestingly, this type of crash seemed to similarly describe the type of crash I was observing, though my DB access permissions were correct.

I followed the instructions here (https://crosp.net/blog/administration/install-latest-apache-server-centos-7/) to install Apache 2.4.46. Getting this updated version of Apache solved my problem using the exact same .conf file listed above. Unfortunately, my Apache now doesn't have the benefits of RHEL if I go this route, but I'm assuming this bug fix in Apache 2.4.17 is tied to the error I was seeing.

Either way, I figured it was worth mentioning the solution I was able to obtain in case anyone else runs into a similar issue.

Tags: No tags attached.

Activities

kr-hansen

2021-02-08 17:40

reporter   ~0038235

It was pointed out to me that there are likely two 2.4 changes related to this that I thought I would add:
- http://svn.apache.org/r1701404
- http://svn.apache.org/r1701405
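
A triage sketch for the error_log pattern quoted in the report, added here as an example (it is not part of the original issue or of httpd): it correlates the glibc stack-protector banner with the AH00052 child-exit notices so the crash can be alerted on. The function name `triage` and the sample log are constructed; the final sample line (signal 11) is invented to exercise the non-SIGABRT path.

```python
import re
from collections import defaultdict

# glibc stack-protector banner, written to stderr and captured in error_log.
SSP_RE = re.compile(r"^\*\*\* stack smashing detected \*\*\*: (?P<binary>\S+) terminated")
# httpd parent notice that a child was killed by a signal.
AH00052_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[core:notice\] \[pid (?P<parent>\d+)\] AH00052: "
    r"child pid (?P<child>\d+) exit signal (?P<signame>.+?) \((?P<signum>\d+)\)"
)
SIGABRT = 6

def triage(lines):
    """Summarise stack-protector aborts found in httpd error_log lines."""
    binaries = []
    aborted = defaultdict(list)  # parent pid -> child pids killed by SIGABRT
    other = []                   # (child pid, signal name) for any other signal
    for line in lines:
        m = SSP_RE.match(line)
        if m:
            binaries.append(m.group("binary"))
            continue
        m = AH00052_RE.match(line)
        if not m:
            continue  # backtrace frames and unrelated notices are ignored
        child = int(m.group("child"))
        if int(m.group("signum")) == SIGABRT:
            aborted[int(m.group("parent"))].append(child)
        else:
            other.append((child, m.group("signame")))
    return {
        "ssp_markers": len(binaries),
        "binaries": sorted(set(binaries)),
        "aborted_children": dict(aborted),
        "other_signals": other,
        # Banner plus SIGABRT exits means a canary check failed in a worker.
        "stack_protector_crash": bool(binaries) and bool(aborted),
    }

# Constructed sample based on the excerpt in the report; last line is invented.
SAMPLE_LOG = """*** stack smashing detected ***: /usr/sbin/httpd terminated
======= Backtrace: =========
[Thu Jan 28 09:36:53.306151 2021] [core:notice] [pid 10621] AH00052: child pid 24810 exit signal Aborted (6)
[Thu Jan 28 09:36:53.306215 2021] [core:notice] [pid 10621] AH00052: child pid 28192 exit signal Aborted (6)
[Thu Jan 28 09:36:53.306238 2021] [core:notice] [pid 10621] AH00052: child pid 31928 exit signal Aborted (6)
[Thu Jan 28 09:40:00.000000 2021] [core:notice] [pid 10621] AH00052: child pid 40001 exit signal Segmentation fault (11)
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LOG.splitlines()))
```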

Issue History

Date Modified Username Field Change
2021-02-08 16:22 kr-hansen New Issue
2021-02-08 17:40 kr-hansen Note Added: 0038235