View Issue Details

ID: 0007514
Project: CentOS-7
Category: httpd
View Status: public
Last Update: 2014-08-20 07:12
Reporter: Crupuk
Assigned To:
Priority: high
Severity: major
Reproducibility: always
Status: new
Resolution: open
OS: CentOs
OS Version: 7
Product Version: 7.0-1406
Summary: 0007514: authzprovideralias-defined authz provider can't be used in virtualhost

Description: authzprovideralias-defined authz provider can't be used in virtualhost.

A patch exists (https://issues.apache.org/bugzilla/show_bug.cgi?id=56870)

httpd can't be used in production because of this (LDAP user can't log in)

Steps To Reproduce:
- Install httpd and openldap-server
- Configure openldap
- Create a vhost with ldap auth

<AuthnProviderAlias ldap zzzldap>
    AuthLDAPBindDN cn=Manager,dc=Domain,dc=be
    AuthLDAPBindPassword xxx
    AuthLDAPURL ldap://localhost/ou=Users,o=Domain,dc=Domain,dc=be?uid??
</AuthnProviderAlias>

<AuthzProviderAlias ldap-group ldap-group-admin cn=Admin,ou=Groups,o=Domain,dc=Domain,dc=be>
    AuthLDAPBindDN cn=Manager,dc=Domain,dc=be
    AuthLDAPBindPassword xxx
    AuthLDAPURL ldap://localhost/ou=Users,o=Domain,dc=Domain,dc=be?uid??
    AuthLDAPGroupAttribute member
    AuthLDAPGroupAttributeIsDN on
    Require ldap-group cn=Admin,ou=Groups,o=Domain,dc=Domain,dc=be
</AuthzProviderAlias>

    AuthType Basic
    AuthName "Private access"
    AuthBasicProvider ldap-user

    Require ldap-group-admin

Results in an error:

[Tue Aug 19 12:44:02.948451 2014] [authz_core:debug] [pid 21410] mod_authz_core.c(802): [client 109.133.130.18:52734] AH01626: authorization result of Require ldap-group-warez : denied
[Tue Aug 19 12:44:02.948454 2014] [authz_core:debug] [pid 21410] mod_authz_core.c(802): [client 109.133.130.18:52734] AH01626: authorization result of <RequireAny>: denied
[Tue Aug 19 12:44:20.230719 2014] [authz_core:error] [pid 21409] [client 109.133.130.18:50217] AH02305: no alias provider found for 'ldap-group-warez' (BUG?)

(cf. httpd mailing list: http://mail-archives.apache.org/mod_mbox/httpd-users/201408.mbox/%3C53F33099.8060204%40gmail.com%3E)

Tags: httpd

Activities

Crupuk

2014-08-19 13:26

reporter   ~0020705

Please change category to "httpd"
Crupuk

2014-08-19 13:59

reporter  

httpd-2.4.6-r1618851.patch (970 bytes)   
# ./pullrev.sh r1618851
http://svn.apache.org/viewvc?view=revision&revision=r1618851

--- httpd-2.4.2/modules/aaa/mod_authz_core.c
+++ httpd-2.4.2/modules/aaa/mod_authz_core.c
@@ -168,6 +168,13 @@
     return (void*)conf;
 }

+/* Only per-server directive we have is GLOBAL_ONLY */
+static void *merge_authz_core_svr_config(apr_pool_t *p,
+                                         void *basev, void *newv)
+{
+    return basev;
+}
+
 static void *create_authz_core_svr_config(apr_pool_t *p, server_rec *s)
 {
     authz_core_srv_conf *authcfg;
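
Review bot: merge_authz_core_svr_config() returns basev unconditionally and never looks at p or newv, so every virtual host ends up sharing the base server's authz_core_srv_conf and anything held in a vhost's own copy is dropped. That is only safe while every server-scope directive of this module stays GLOBAL_ONLY, which the one-line comment asserts but does not explain. Suggest expanding the comment to say that aliases are defined at global scope and virtual hosts must therefore see the base server's config, and that this merger has to be revisited if a per-vhost directive is ever added.
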
@@ -1150,7 +1157,7 @@
     create_authz_core_dir_config,   /* dir config creater */
     merge_authz_core_dir_config,    /* dir merger */
     create_authz_core_svr_config,   /* server config */
-    NULL,                           /* merge server config */
+    merge_authz_core_svr_config ,   /* merge server config */
     authz_cmds,
     register_hooks                  /* register hooks */
 };
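
Review bot: style nit on the added line in the module struct: "merge_authz_core_svr_config ," has a space before the comma, unlike the neighbouring entries. Drop it and re-pad so the trailing "/* merge server config */" comment stays aligned with the others. Separately, the file headers name httpd-2.4.2 while the attachment is called httpd-2.4.6-r1618851.patch, so it is worth confirming that the hunk offsets (168 and 1150) apply cleanly to the source tree the package is built from.
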
toracat

2014-08-19 20:14

manager   ~0020710

Because CentOS is a rebuild of RHEL, the issue needs to be reported upstream and fixed there. Then CentOS will inherit the patch. Would you mind filing a bug report upstream at http://bugzilla.redhat.com?
Crupuk

2014-08-20 07:12

reporter   ~0020719

Done > https://bugzilla.redhat.com/show_bug.cgi?id=1131847

Thanks

Issue History

Date Modified Username Field Change
2014-08-19 13:24 Crupuk New Issue
2014-08-19 13:26 Crupuk Note Added: 0020705
2014-08-19 13:26 Crupuk Tag Attached: httpd
2014-08-19 13:59 Crupuk File Added: httpd-2.4.6-r1618851.patch
2014-08-19 20:10 toracat Category help2man => httpd
2014-08-19 20:14 toracat Note Added: 0020710
2014-08-20 07:12 Crupuk Note Added: 0020719