Bug 125960 - mod_authz_ldap doesn't understand directives in VirtualHost stanzas when it should
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mod_authz_ldap   
Version: 3.0
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Joe Orton
Reported: 2004-06-14 16:03 UTC by nathan r. hruby
Modified: 2007-11-30 22:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-09-02 02:42:07 UTC

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2004:277 normal SHIPPED_LIVE Updated mod_authz_ldap package 2004-09-01 04:00:00 UTC

Description nathan r. hruby 2004-06-14 16:03:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040207 Firefox/0.8

Description of problem:

The docs for mod_authz_ldap say that it should work in a VirtualHost
context.  However, this is not the case:

--- START Config snippet
  ServerAdmin helpdesk@foo.edu
  DocumentRoot "/var/www/html/"
  ServerName test.foo.edu
  ErrorLog logs/ssl-test.foo.edu-error_log
  CustomLog logs/ssl-test.foo.edu-access_log common

  # Enable LDAP Auth! (leave in vhost as mod_authz_ldap only works in 
  # VirtualHost and Directory contexts, not DirectoryMatch :)
  AuthzLDAPEngine on
  AuthzLDAPAuthoritative off
  AuthzLDAPServer localhost:636
  AuthzLDAPUserKey cn
  AuthzLDAPUserBase ou=users,o=uga
  AuthzLDAPUserScope onelevel
---- END Config snippet

The above yields:
  test.foo# service httpd configtest
  Syntax error on line 23 of /etc/httpd/conf.d/test.foo.edu.conf:
  AuthzLDAPEngine not allowed here

The docs say that this is perfectly acceptable:
(From /usr/share/doc/mod_authz_ldap-0.22/reference.html )
Syntax: AuthzLDAPEngine { on | off }
Context: virtual host, directory
Default: off 
Set to on if the module should become active.
---- END DOC

Umm, so either I'm retarded or it is.  After some other rollout issues
we've had with this, I'm pointing the finger at mod_authz_ldap :)

Note that I can't put this into a Directory directive either as a
workaround (as I've done on other machines) because I'm using
DirectoryMatch and it plain doesn't work there at all.  Whee!

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. See above

Actual Results:  httpd fails to start

Expected Results:  httpd starts and processes mod_authz_ldap config
syntax in VirtualHost directives.

Additional info:

Comment 1 Joe Orton 2004-06-14 16:12:18 UTC
Thanks for the report.

Comment 2 Joe Orton 2004-06-18 15:28:17 UTC
Packages which fix this issue are now available for testing from the
following location:


Tested successfully with AuthzLDAP* configured inside a vhost
container and AuthType/require etc in a LocationMatch inside that
vhost.  Please report back results of any testing (success or failure)
with these packages.

Comment 3 nathan r. hruby 2004-06-25 16:16:56 UTC
Verify working in VHost context.

Also note that I wasn't clear in original bug report.  mod_authz_ldap
doesn't seem to work when config statements (Eg: AuthzLDAPEngine on)
are placed inside DirectoryMatch and Location stanzas (obviously,
"require valid-user" will work :)

This, I think, is me reading the sets of documentation incorrectly.
The mod_authz_ldap states it works in Directory stanzas, and the
apache docs seem to indicate that DirectoryMatch and Directory are
equivalent leading me to think that AuthzLDAP* config statements will
work in DirectoryMatch'es which, I guess, is false.  At any rate, now
that it works in VHost context, I can work around this easily.
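
An added example, not part of the bug thread or of mod_authz_ldap: a small Python check that reports which container each AuthzLDAP* directive sits in and flags the DirectoryMatch and Location placements that comment 3 reports as not working. The flagged set, the function name and the sample config are assumptions made for this illustration.

```python
import re

# Containers in which comment 3 of this bug reports AuthzLDAP* settings not
# working (the reporter's observation, not taken from the module docs).
REPORTED_BAD = {"directorymatch", "location"}
OPEN = re.compile(r"^<\s*([A-Za-z]+)\b[^>]*>$")
CLOSE = re.compile(r"^</\s*([A-Za-z]+)\s*>$")


def find_authzldap_contexts(conf_text):
    """Return (line_no, directive, innermost_container, flagged) tuples."""
    stack, findings = [], []
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = CLOSE.match(line)
        if m:
            # Pop only on a matching close tag; ignore stray ones.
            if stack and stack[-1] == m.group(1).lower():
                stack.pop()
            continue
        m = OPEN.match(line)
        if m:
            stack.append(m.group(1).lower())
            continue
        name = line.split(None, 1)[0]
        if name.lower().startswith("authzldap"):
            ctx = stack[-1] if stack else "server config"
            findings.append((no, name, ctx, ctx in REPORTED_BAD))
    return findings


# Constructed sample config (hostname and paths are made up for the example).
SAMPLE = """\
<VirtualHost *:443>
  ServerName test.example.edu
  AuthzLDAPEngine on
  AuthzLDAPServer localhost:636
  <DirectoryMatch "^/var/www/html/(a|b)">
    AuthzLDAPUserKey cn
    AuthType Basic
    Require valid-user
  </DirectoryMatch>
</VirtualHost>
"""

if __name__ == "__main__":
    for no, name, ctx, flagged in find_authzldap_contexts(SAMPLE):
        print(f"line {no}: {name} in <{ctx}>{'  <-- check placement' if flagged else ''}")
```

The check does not follow Include files or backslash line continuations; `httpd` configtest remains the authority on whether a placement is accepted.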


Comment 4 Jay Turner 2004-09-02 02:42:07 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

