libapache2-mod-shib module doesn't work with 2.4.52

Bug #1974251 reported by mesiu84
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
apache2 (Ubuntu) | In Progress | Undecided | Bryce Harrington |
Jammy | Incomplete | Undecided | Unassigned |
Kinetic | Won't Fix | Undecided | Bryce Harrington |

Bug Description

ubuntu release: Jammy
apache version: 2.4.52-1ubuntu4
libapache2-mod-shib: 3.3.0+dfsg1-1

Apache 2.4.52 is unable to connect to the shibboleth - shibd (version 3.3.0) process. Downgrading the shibboleth package (compiled from sources - 3.2.2) doesn't resolve the issue. Apache returns Error 302 each time when trying to open a webpage, and in the error log there is only this message:

Cannot connect to shibd process, a site adminstrator should be notified

Apache upgrade to 2.4.53 from PPA solves the problem.
Didn't find anything in the Apache changelog regarding that issue, but it is probably related to one of the bugs found in 2.4.52.

Tags: packaging

Lena Voytek (lvoytek) wrote :

Thank you for providing this report and helping to make Ubuntu better. I was unable to reproduce this when trying to set up an apache webserver alongside shibd on Jammy. Would you be able to provide a list of the commands you used when setting up your system to help us debug the issue?

Thanks!

Changed in apache2 (Ubuntu):
status: New → Incomplete
mesiu84 (mesiu84) wrote :

Unfortunately you need to have a website with an already running configuration for shibboleth. I'm working with a very complex configuration that we have for our customers and wasn't able to make it work after upgrading Ubuntu from 18.04 (that part is running in docker), but since the apache upgrade solves the issue, I guess this bug here can stay for others who would be facing similar issues.

Lucas Kanashiro (lucaskanashiro) wrote :

Considering that version 2.4.53 is fixed, this should land in Kinetic soon. In order to fix this issue in Jammy, we need to follow the SRU process [1], and to do that we would need to have a test case with reproduction steps. Another thing that is needed here is to bisect the changes between 2.4.52 and 2.4.53 to find the specific fix for this issue, and backport it to the Jammy version.

[1] https://wiki.ubuntu.com/StableReleaseUpdates

Bryce Harrington (bryce)
tags: added: packaging
Changed in apache2 (Ubuntu Jammy):
status: New → Incomplete
Changed in apache2 (Ubuntu Kinetic):
status: Incomplete → In Progress
assignee: nobody → Bryce Harrington (bryce)
milestone: none → ubuntu-22.05
milestone: ubuntu-22.05 → none
mesiu84 (mesiu84) wrote :

Found what the issue is: it looks like the libpam-systemd package was missing from the system. I discovered that while installing other libraries; after installation, communication between shibboleth and apache works as expected.

mesiu84 (mesiu84) wrote :

After more digging I've found that it's not the libpam-systemd package itself, but one of the commands that comes from systemd.

systemd-tmpfiles --create

That command is executed during package installation in the postinst script, and it sets permissions on a lot of system directories, according to some configuration file. One of those directories is this one:

root@apache:~# ls -ld /run/shibboleth/
drwxr-x--- 2 _shibd _shibd 4096 May 27 12:18 /run/shibboleth/

After running systemd-tmpfiles --create, the permissions of that directory are changed to the following:

root@apache:~# ls -ld /run/shibboleth/
drwxr-xr-x 2 _shibd _shibd 4096 May 27 12:18 /run/shibboleth/

so in the end running

chmod 755 on /run/shibboleth solves the issue
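
The permission difference shown in the comment above can be checked without changing anything. The following is an added example, not part of the original report: it applies the owner/group/other search-bit rule to a directory such as /run/shibboleth for a given account. The function names and the `www-data` account in the usage comment are assumptions, GNU `stat` is assumed, and ACLs are not considered.

```shell
#!/bin/sh
# Added example (not from the bug report): can a given account enter a
# directory, judged by the classic Unix mode bits?
# Usage (www-data as the web server account is an assumption):
#   sh check_search.sh /run/shibboleth www-data

# can_search MODE OWNER_UID OWNER_GID USER_UID "USER_GIDS"
# MODE is octal as printed by `stat -c %a` (e.g. 750 or 755).
# Returns 0 if the user may search (traverse) the directory, 1 if not.
can_search() {
    mode=$1; o_uid=$2; o_gid=$3; u_uid=$4; u_gids=$5
    perm=$((0$mode))                        # leading 0 makes it an octal constant
    [ "$u_uid" -eq 0 ] && return 0          # root bypasses the mode bits
    if [ "$u_uid" -eq "$o_uid" ]; then
        bit=$((perm & 0100))                # owner class: u+x
    else
        bit=$((perm & 0001))                # default to other class: o+x
        for g in $u_gids; do
            if [ "$g" -eq "$o_gid" ]; then
                bit=$((perm & 0010))        # group class wins over other: g+x
                break
            fi
        done
    fi
    [ "$bit" -ne 0 ]
}

# check_dir DIR USER: read the real values with stat and id, then apply
# can_search. Returns 2 if the directory or the user cannot be looked up.
check_dir() {
    dir=$1; user=$2
    info=$(stat -c '%a %u %g' "$dir") || return 2
    uid=$(id -u "$user") || return 2
    gids=$(id -G "$user") || return 2
    set -- $info
    can_search "$1" "$2" "$3" "$uid" "$gids"
}

# Run only when called with DIR and USER; sourcing the file just defines
# the functions.
if [ "$#" -eq 2 ]; then
    if check_dir "$1" "$2"; then
        echo "$2 can enter $1"
    else
        echo "$2 cannot enter $1 (mode bits or lookup failure)"
    fi
fi
```

With the 750 mode from the first listing, an account that is neither `_shibd` nor in the `_shibd` group is refused; with 755 it is allowed.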

Brian Murray (brian-murray) wrote :

Ubuntu 22.10 (Kinetic Kudu) has reached end of life, so this bug will not be fixed for that specific release.

Changed in apache2 (Ubuntu Kinetic):
status: In Progress → Won't Fix