Bug 125960 - mod_authz_ldap doesn't understand directives in VirtualHost stanzas when it should
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mod_authz_ldap
Version: 3.0
Hardware: All Linux
Priority: medium
Severity: medium
Assigned To: Joe Orton
Reported: 2004-06-14 12:03 EDT by nathan r. hruby
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-09-01 22:42:07 EDT

Description nathan r. hruby 2004-06-14 12:03:57 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040207 Firefox/0.8

Description of problem:
Hi,

The docs for mod_authz_ldap say that it should work in a VirtualHost
context.  However, this is not the case:

--- START Config snippet
<VirtualHost 1.2.3.4:443>
  ServerAdmin helpdesk@foo.edu
  DocumentRoot "/var/www/html/"
  ServerName test.foo.edu
  ErrorLog logs/ssl-test.foo.edu-error_log
  CustomLog logs/ssl-test.foo.edu-access_log common

  # Enable LDAP Auth! (leave in vhost as mod_authz_ldap only works in 
  # VirtualHost and Directory contexts, not DirectoryMatch :)
  AuthzLDAPEngine on
  AuthzLDAPAuthoritative off
  AuthzLDAPServer localhost:636
  AuthzLDAPUserKey cn
  AuthzLDAPUserBase ou=users,o=uga
  AuthzLDAPUserScope onelevel
---- END Config snippet

The above yields:
  test.foo# service httpd configtest
  Syntax error on line 23 of /etc/httpd/conf.d/test.foo.edu.conf:
  AuthzLDAPEngine not allowed here

The docs say that this is perfectly acceptable:
(From /usr/share/doc/mod_authz_ldap-0.22/reference.html )
--- START DOC
Syntax: AuthzLDAPEngine { on | off }
Context: virtual host, directory
Default: off 
Set to on if the module should become active.
---- END DOC

Umm, so either I'm retarded or it is.  After some other rollout issues
we've had with this, I'm pointing the finger at mod_authz_ldap :)

Note that I can't put this into a Directory directive either as a
workaround (as I've done on other machines) because I'm using
DirectoryMatch and it plain doesn't work there at all.  Whee!


Version-Release number of selected component (if applicable):
mod_authz_ldap-0.22-3

How reproducible:
Always

Steps to Reproduce:
1. See above
2.
3.
    

Actual Results:  httpd fails to start

Expected Results:  httpd starts and processes mod_authz_ldap config
syntax in VirtualHost directives.

Additional info:
Comment 1 Joe Orton 2004-06-14 12:12:18 EDT
Thanks for the report.
Comment 2 Joe Orton 2004-06-18 11:28:17 EDT
Packages which fix this issue are now available for testing from the
following location:

http://people.redhat.com/jorton/Taroon-mazl/

Tested successfully with AuthzLDAP* configured inside a vhost
container and AuthType/require etc in a LocationMatch inside that
vhost.  Please report back results of any testing (success or failure)
with these packages.
Comment 3 nathan r. hruby 2004-06-25 12:16:56 EDT
Verified working in VHost context.

Also note that I wasn't clear in the original bug report.  mod_authz_ldap
doesn't seem to work when config statements (e.g. AuthzLDAPEngine on)
are placed inside DirectoryMatch and Location stanzas (obviously,
"require valid-user" will work :)

This, I think, is me reading the sets of documentation incorrectly.
The mod_authz_ldap states it works in Directory stanzas, and the
Apache docs seem to indicate that DirectoryMatch and Directory are
equivalent, leading me to think that AuthzLDAP* config statements will
work in DirectoryMatches which, I guess, is false.  At any rate, now
that it works in VHost context, I can work around this easily.

Thanks!
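
A pre-deployment check for the placement problem discussed in this report, as an added example (not code from mod_authz_ldap or from the participants in this bug): it flags AuthzLDAP* directives whose innermost enclosing section is anything other than the VirtualHost and Directory contexts listed in the quoted reference. Applying that context list to every AuthzLDAP* directive is an assumption, and the sample configuration is constructed.

```python
import re

# Contexts the quoted mod_authz_ldap-0.22 reference lists for AuthzLDAPEngine.
ALLOWED = {"virtualhost", "directory"}
# Wrappers that do not change the directive context.
TRANSPARENT = {"ifmodule", "ifdefine"}
OPEN = re.compile(r"<\s*([A-Za-z]+)\b[^>]*>")
CLOSE = re.compile(r"</\s*([A-Za-z]+)\s*>")
DIRECTIVE = re.compile(r"(AuthzLDAP\w*)\b", re.IGNORECASE)

def misplaced_authzldap(conf_text):
    """Return (line_no, directive, section) for every AuthzLDAP* directive
    whose innermost enclosing section is not an allowed context."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        m = DIRECTIVE.match(line)
        if m:
            # Top-level directives (no enclosing section) are not judged here.
            ctx = next((s for s in reversed(stack) if s not in TRANSPARENT), None)
            if ctx is not None and ctx not in ALLOWED:
                findings.append((no, m.group(1), ctx))
    return findings

# Constructed sample: engine switch placed inside a DirectoryMatch stanza.
SAMPLE = """\
<VirtualHost 1.2.3.4:443>
  AuthzLDAPServer localhost:636
  AuthzLDAPUserKey cn
  <DirectoryMatch "^/var/www/html/(a|b)">
    AuthzLDAPEngine on
    require valid-user
  </DirectoryMatch>
</VirtualHost>
"""

if __name__ == "__main__":
    print(misplaced_authzldap(SAMPLE))
```

Running it over the files in /etc/httpd/conf.d before `service httpd configtest` points at the offending stanza by name rather than only by line number.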
Comment 4 Jay Turner 2004-09-01 22:42:07 EDT
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-277.html
