Bug 1131847

Summary: authzprovideralias and authnprovideralias-defined provider can't be used in virtualhost .
Product: Red Hat Enterprise Linux 7 Reporter: Sébastien Andreatta <sebastien.andreatta>
Component: httpdAssignee: Luboš Uhliarik <luhliari>
Status: CLOSED ERRATA QA Contact: Martin Frodl <mfrodl>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.0CC: isenfeld, jkaluza, john.lalande, jorton, mfrodl, rik.theys, toracat
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: httpd-2.4.6-26.el7 Doc Type: Bug Fix
Doc Text:
Cause: Server config of mod_authn_core and mod_authz_core modules was not merged across the different config file sections. Consequence: Providers defined in AuthnProviderAlias and AuthzProviderAlias we not usable under in virtual hosts. Fix: Server config is now merged properly for mod_authn_core and mod_authz_core modules. Result: Providers defined in AuthnProviderAlias and AuthzProviderAlias can be used under in virtual hosts.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2015-03-05 07:13:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
Patch for mod_authn_core
none
Patch for mod_authz_corez none

Description Sébastien Andreatta 2014-08-20 07:11:46 UTC 
Created attachment 928658 [details]
Patch for mod_authn_core

Description of problem:


Version-Release number of selected component (if applicable):

httpd-2.4.6-18
mod_ldap-2.4.6-18

How reproducible:

Always


Steps to Reproduce:
1. Install httpd
2. Install openldap server
3. Configure openldap server and create groups and user
4. Configure apache with a vhost and add Ldap Auth with provider ( example : http://pastebin.com/VvvmYHPj )
5. Restart apache and try to login 

Actual results:

Unable to login 

[Wed Aug 20 08:05:20.751473 2014] [authz_core:error] [pid 25021] [client 91.179.47.14:49557] AH02305: no alias provider found for 'cn=yyy,ou=Groups,o=zzz.com' (BUG?)

Expected results:

No error 

[Wed Aug 20 08:56:27.941321 2014] [authnz_ldap:debug] [pid 28681] mod_authnz_ldap.c(501): [client 91.179.47.14:57326] AH01691: auth_ldap authenticate: using URL ldap://localhost/ou=Users,o=soez,dc=soez,dc=be?uid??, referer: https://soez.be/transmission/web/
[Wed Aug 20 08:56:27.941344 2014] [authnz_ldap:debug] [pid 28681] mod_authnz_ldap.c(593): [client 91.179.47.14:57326] AH01697: auth_ldap authenticate: accepting Crupuk, referer: https://soez.be/transmission/web/

Additional info:

Patch already exist in httpd master branch

diff -up ./httpd.spec.orig ./httpd.spec
--- ./httpd.spec.orig   2014-08-20 00:36:28.075540540 +0200
+++ ./httpd.spec        2014-08-20 00:35:59.212539493 +0200
@@ -73,6 +73,8 @@ Patch57: httpd-2.4.6-ldaprefer.patch
 Patch58: httpd-2.4.6-r1507681+.patch
 Patch59: httpd-2.4.6-r1556473.patch
 Patch60: httpd-2.4.6-r1553540.patch
+Patch61: httpd-2.4.6-r1618851.patch
+Patch62: httpd-2.4.6-r1556818.patch
 # Security fixes
 Patch200: httpd-2.4.6-CVE-2013-6438.patch
 Patch201: httpd-2.4.6-CVE-2014-0098.patch
@@ -214,6 +216,8 @@ rm modules/ssl/ssl_engine_dh.c
 %patch58 -p1 -b .r1507681+
 %patch59 -p1 -b .r1556473
 %patch60 -p1 -b .r1553540
+%patch61 -p1 -b .r1618851
+%patch62 -p1 -b .r1556818

 %patch200 -p1 -b .cve6438
 %patch201 -p1 -b .cve0098
@@ -652,6 +656,9 @@ rm -rf $RPM_BUILD_ROOT
 %{_sysconfdir}/rpm/macros.httpd

 %changelog
+* Tue Aug 19 2014 Sebastien Andreatta <crupuk> - 2.4.6-19.el7.centos
+- httpd: fix authzprovideralias
+- httpd: fix authnprovideralias
+
 * Wed Jul 23 2014 Johnny Hughes <johnny> - 2.4.6-18.el7.centos
 - Roll in CentOS Branding
Comment 2 Sébastien Andreatta 2014-08-25 09:05:28 UTC 
Created attachment 930390 [details]
Patch for mod_authz_corez
Comment 11 errata-xmlrpc 2015-03-05 07:13:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-0325.html