Ubuntu
libapache2-mod-authnz-external package

authnz_external module load order matters for GroupExternal and Require file-group

Bug #781036 reported by Richard Mitchell
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
libapache2-mod-authnz-external (Ubuntu)
New
Undecided
Unassigned

Bug Description

Binary package hint: apache2

With this example configuration:
{{{
<VirtualHost *:443>
    AddExternalAuth auth_script /bin/true
    SetExternalAuthMethod auth_script pipe

    AddExternalGroup group_script /bin/true
    SetExternalGroupMethod group_script pipe

    <Directory /foo>
        AuthType Basic
        AuthName Protected
        AuthBasicProvider external
        AuthExternal auth_script
        GroupExternal group_script
        GroupExternalAuthoritative On
        Require file-group
        Satisfy All
    </DirectoryMatch>
</VirtualHost>
}}}

and modules:
{{{
alias
auth_basic
authn_file
authnz_external
authz_default
authz_groupfile
authz_host
authz_owner
authz_user
autoindex
cgid
deflate
dir
env
headers
mime
negotiation
proxy
proxy_http
reqtimeout
rewrite
setenvif
ssl
status
}}}
using standard apache2 & required modules from Lucid repositories.

Requests that require authentication will fail with the error:
{{{
[Fri May 06 18:14:59 2011] [error] [client 123.123.123.123] access to /foo/bar/baz failed, reason: require directives present and no Authoritative handler., referer:
http://example.com/qux/
}}}

Renaming '/etc/apache2/mods-enabled/authnz_external.load' to '/etc/apache2/mods-enabled/zz-authnz_external.load' and restarting results in a successful request.

Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Hi Richard. Thanks for taking the time to file a bug report and help us make Ubuntu better!

This appears to be a configuration issue. Without an external authenticator defined, mod_authnz_external is going to fail. So it is performing its duties properly. If you are going to use it, you need to configure it.. see this link for more info on configuring it:

http://code.google.com/p/mod-auth-external/wiki/Configuration

Also this is not really a problem with apache2, but with libapache2-mod-authnz-external , so redirecting to that source package, and closing as Invalid. You may want to just remove and maybe even purge that package if you're not using it.

If you have more information that suggests this is a bug and not a misconfiguration, please feel free to reopen the bug by changing its status back to "new", or opening a new bug with more information.

affects: apache2 (Ubuntu) → libapache2-mod-authnz-external (Ubuntu)
Changed in libapache2-mod-authnz-external (Ubuntu):
status: New → Invalid
Revision history for this message
Clint Byrum (clint-fewbar) wrote :

Richard, I think I mis-read your description, and totally missed that you had configured mod_authnz_external properly. I probably shouldn't triage bugs at 4:30am.

I suspect that the order matters because some of the other modules you are loading override mod_authnz_external's authoritative status after it is configured. Possibly mod_authz_default is the culprit... as it defaults to authoritative:

http://httpd.apache.org/docs/current/mod/mod_authz_default.html

I wonder, if you put mod_authz_default last, does it have the same enabling effect?

Re-opening as New, leaving set to mod_authnz_external for now, though it may be that mod_authz_default needs to always load last, which would be a bug in apache2.

Changed in libapache2-mod-authnz-external (Ubuntu):
status: Invalid → New
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.