Apache dbd auth configuration error

Bug #1698806 reported by John Bester on 2017-06-19
This bug affects 1 person
Affects Status Importance Assigned to Milestone
apache2 (Ubuntu)

Bug Description

OS: Ubuntu 1604
Apache2: 2.4.18-2ubuntu

Using DBD authentication using a Postgresql database for specific files seems impossible. The following configuration entries seems only to be allowed in global area (VirtualHost element) of a host definition. Putting it in a <Directory> element causes Apache not to start up:

DBDriver pgsql
DBDParams "host= port=5432 dbname=userdb user=www password=www"
DBDMin 2
DBDKeep 4
DBDMax 10
DBDExptime 300

The AuthDBDUserPWQuery parameter is not allowed in VirtualHost element. It causes "AuthDBDUserPWQuery not allowed here" on apache startup. Putting it in a <Directory> element is allowed, but if I then try to activate this authentication via a .htaccess file, It produces "AH01654: No AuthDBDUserPWQuery has been specified" in error log.

I AuthDBDUserPWQuery is defined in either the global section or in a <FilesMatch> element causes
".htaccess: AuthDBDUserPWQuery not allowed here" in error log.

Adding any of DB... parameters listed earlier in .htaccess also does not work. So it seems there is no way to configure DBD authentication.

Andreas Hasenack (ahasenack) wrote :

According to https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html:

You have global DBD options, and then you have to use further Auth* options inside <Directory> elements. The dbd module is used by other mod_auth_* modules such as mod_auth_basic.

Check out https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html#example and see if that helps.

It shows, for example, all DBD.* options inside the "global" area, and the rest, including AuthDBDUserPWQuery, inside <Directory>. In fact, that's the only place it can be used according to https://httpd.apache.org/docs/2.4/mod/mod_authn_dbd.html#authdbduserpwquery

Hope this helps. If you still have issues, please update this bug with an actual configuration snippet that fails.

Changed in apache2 (Ubuntu):
status: New → Incomplete
Andreas Hasenack (ahasenack) wrote :

This module seems a valid alternative to mod-auth-pgsql that you tried before, and filed bug #1698758. With DBD + pgsql, you can use your {SHA} style password hashes.

I just tried the following hashes (all "secret"):
 andreas-clear | secret
 andreas-crypt | 5TGnWmWlHTJ/2
 andreas-sha | {SHA}5en6G6MezRroT3XKqkdPOmY/BfQ=
 andreas-md5 | 5ebe2294ecd0e0f08eab7690d2a6ee69
 andreas-apr | $apr1$ankAzNEM$E.G05coY75THzISaOkZLj/
 andreas-crypt-sha2 | $5$.oyALiVLtCvfBa$cvNlH7IxsirDkBN/vIvHB54p0MPwqxSyiulqnYVMxt/
 andreas-crypt-md5 | $1$0UiJQbpc$QoJQqJIT1DCHtQYGwJHZh0
 andreas-crypt-sha5 | $6$mbXQ/gDvUCn$Hs6sz8LAWN3fX1I/MoaJjsYSIYs8tqOUjgoQnXLY4X1dTSlBhbyiJYpTZZDEALXw.hRL97e7l/.xI7qZi0Phe.

Of these, only "clear" and "md5" did not work.

Launchpad Janitor (janitor) wrote :

[Expired for apache2 (Ubuntu) because there has been no activity for 60 days.]

Changed in apache2 (Ubuntu):
status: Incomplete → Expired
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers