Bug 125960 - mod_authz_ldap doesn't understand directives in VirtualHost stanzas when it should
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: mod_authz_ldap
Version: 3.0
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Joe Orton
Reported: 2004-06-14 16:03 UTC by nathan r. hruby
Modified: 2007-11-30 22:07 UTC (History)

Doc Type: Bug Fix
Last Closed: 2004-09-02 02:42:07 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2004:277 | 0 | normal | SHIPPED_LIVE | Updated mod_authz_ldap package | 2004-09-01 04:00:00 UTC

Description nathan r. hruby 2004-06-14 16:03:57 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)
Gecko/20040207 Firefox/0.8

Description of problem:
Hi,

The docs for mod_authz_ldap say that it should work in a VirtualHost
context.  However, this is not the case:

--- START Config snippet
<VirtualHost 1.2.3.4:443>
  ServerAdmin helpdesk
  DocumentRoot "/var/www/html/"
  ServerName test.foo.edu
  ErrorLog logs/ssl-test.foo.edu-error_log
  CustomLog logs/ssl-test.foo.edu-access_log common

  # Enable LDAP Auth! (leave in vhost as mod_authz_ldap only works in 
  # VirtualHost and Directory contexts, not DirectoryMatch :)
  AuthzLDAPEngine on
  AuthzLDAPAuthoritative off
  AuthzLDAPServer localhost:636
  AuthzLDAPUserKey cn
  AuthzLDAPUserBase ou=users,o=uga
  AuthzLDAPUserScope onelevel
---- END Config snippet

The above yields:
  test.foo# service httpd configtest
  Syntax error on line 23 of /etc/httpd/conf.d/test.foo.edu.conf:
  AuthzLDAPEngine not allowed here

The docs say that this is perfectly acceptable:
(From /usr/share/doc/mod_authz_ldap-0.22/reference.html )
--- START DOC
Syntax: AuthzLDAPEngine { on | off }
Context: virtual host, directory
Default: off 
Set to on if the module should become active.
---- END DOC

Umm, so either I'm retarded or it is.  After some other rollout issues
we've had with this, I'm pointing the finger at mod_authz_ldap :)

Note that I can't put this into a Directory directive either as a
workaround (as I've done on other machines) because I'm using
DirectoryMatch and it plain doesn't work there at all.  Whee!


Version-Release number of selected component (if applicable):
mod_authz_ldap-0.22-3

How reproducible:
Always

Steps to Reproduce:
1. See above
2.
3.
    

Actual Results:  httpd fails to start

Expected Results:  httpd starts and processes mod_authz_ldap config
syntax in VirtualHost directives.

Additional info:

Comment 1 Joe Orton 2004-06-14 16:12:18 UTC
Thanks for the report.

Comment 2 Joe Orton 2004-06-18 15:28:17 UTC
Packages which fix this issue are now available for testing from the
following location:

http://people.redhat.com/jorton/Taroon-mazl/

Tested successfully with AuthzLDAP* configured inside a vhost
container and AuthType/require etc in a LocationMatch inside that
vhost.  Please report back results of any testing (success or failure)
with these packages.

Comment 3 nathan r. hruby 2004-06-25 16:16:56 UTC
Verified working in VHost context.

Also note that I wasn't clear in the original bug report.  mod_authz_ldap
doesn't seem to work when config statements (e.g. AuthzLDAPEngine on)
are placed inside DirectoryMatch and Location stanzas (obviously,
"require valid-user" will work :)

This, I think, is me reading the sets of documentation incorrectly.
The mod_authz_ldap docs state it works in Directory stanzas, and the
Apache docs seem to indicate that DirectoryMatch and Directory are
equivalent, leading me to think that AuthzLDAP* config statements will
work in DirectoryMatch'es which, I guess, is false.  At any rate, now
that it works in VHost context, I can work around this easily.

Thanks!
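
The layout described in Comments 2 and 3, written out as an added example (not part of the original report or of the Red Hat packages). The host, address and LDAP values are the placeholders from the report; the LocationMatch pattern, AuthType Basic and the AuthName string are assumptions, and the SSL directives a :443 vhost needs are omitted.

```apache
# Added illustration, not from the original report.
#
# Placement reported NOT to work (Comment 3): module configuration
# inside a DirectoryMatch or Location section.
#
# <DirectoryMatch "^/var/www/html/(staff|admin)">
#   AuthzLDAPEngine on
# </DirectoryMatch>

# Layout tested in Comment 2 with the updated package: AuthzLDAP*
# directives at vhost level, AuthType/Require in a LocationMatch
# inside that same vhost.
<VirtualHost 1.2.3.4:443>
  ServerName test.foo.edu
  DocumentRoot "/var/www/html/"

  # Module configuration, copied from the report's snippet
  AuthzLDAPEngine on
  AuthzLDAPAuthoritative off
  AuthzLDAPServer localhost:636
  AuthzLDAPUserKey cn
  AuthzLDAPUserBase ou=users,o=uga
  AuthzLDAPUserScope onelevel

  # Access requirement only; no AuthzLDAP* directives in here.
  # Pattern and realm name are constructed for this example.
  <LocationMatch "^/(staff|admin)/">
    AuthType Basic
    AuthName "Restricted"
    Require valid-user
  </LocationMatch>
</VirtualHost>
```

Running `service httpd configtest`, as in the report, confirms whether the installed package accepts the vhost-level directives before httpd is restarted.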

Comment 4 Jay Turner 2004-09-02 02:42:07 UTC
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-277.html


