Opened 8 years ago

Closed 8 years ago

#4437 closed (fixed)

Apache auth recipe does not work in Apache 2.2

Reported by: Paul Bx <pb@…> Owned by: nobody
Component: Documentation Version: 0.96
Severity: Keywords:
Cc: Triage Stage: Ready for checkin
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: UI/UX:

Description

I'm still sorting this out, but I believe that changes in Apache 2.2 have broken the auth recipe here: http://www.djangoproject.com/documentation/apache_auth/

The error produced is Internal error: pcfg_openfile() called with NULL filename.

A bit of information on the changes (along with a suggestion for a related change) is here: https://issues.apache.org/jira/browse/MODPYTHON-169

Attachments (2)

apache_auth.diff (658 bytes) - added by Paul <pb@…> 8 years ago.
apache_auth.2.diff (1.1 KB) - added by pb@… 8 years ago.
revised patch

Download all attachments as: .zip

Change History (14)

comment:1 Changed 8 years ago by anonymous

  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

That MODPYTHON-169 issue is not really relevant to the problem.

What you probably need to do is simply add:

AuthBasicAuthoritative Off

to your Apache configuration.

This tells Apache that it is okay for Apache not to perform the actual basic authorisation and for it to be handed off to the authenhandler() supplied by mod_python without complaint.

For more details see:

http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html

comment:2 Changed 8 years ago by Paul <pb@…>

  • Has patch set

OK, that's correct, thanks. I'll attach a documentation patch.

Changed 8 years ago by Paul <pb@…>

comment:3 Changed 8 years ago by Simon G. <dev@…>

  • Triage Stage changed from Unreviewed to Ready for checkin

comment:4 Changed 8 years ago by Paul Bx <pb@…>

For what it's worth, even though the above change did get auth functioning as noted, I just noticed that I'm still getting those

Internal error: pcfg_openfile() called with NULL filename

errors in my Apache log on every request. The documentation patch is probably still a good idea, but someone else will have to chime in on whether that's sufficient for error-free operation or not. I'm out of troubleshooting time for now and don't want to turn this ticket into a help thread.

comment:5 Changed 8 years ago by anonymous

The full list of such directives is:

AuthBasicAuthoritative
AuthDefaultAuthoritative
AuthzLDAPAuthoritative
AuthzDBMAuthoritative
AuthzDefaultAuthoritative
AuthzGroupFileAuthoritative
AuthzOwnerAuthoritative
AuthzUserAuthoritative

Which you actually have to turn Off depends a bit on which authentication/authorisation features of Apache you are using. Since you didn't actually provide your Apache configuration snippet I made a guess, but likely you need one of the others. As a second guess I would say:

AuthzGroupFileAuthoritative Off

If updating Django documentation, just make sure you are quite specific that these are Apache 2.2 options as they do not exist in Apache 2.0.

comment:6 Changed 8 years ago by mtredinnick

  • Patch needs improvement set
  • Triage Stage changed from Ready for checkin to Accepted

Probably a bit optimistic to call this ready for checkin now, in light of comment 5. Let's improve the patch a bit first.

comment:7 Changed 8 years ago by pb@…

OK, here's a revised patch that reflects my current understanding of the issue.

Changed 8 years ago by pb@…

revised patch

comment:8 Changed 8 years ago by anonymous

  • Patch needs improvement unset

With hopefulness I'm unchecking the "patch needs improvement" box, but I'd appreciate some review to ensure I've explained things correctly.

comment:9 follow-up: Changed 8 years ago by SmileyChris

  • Triage Stage changed from Accepted to Ready for checkin

We should be more authoritative and actually tell people which to turn off rather than just a vague "turn off some of these". This will need someone doing some testing obviously.

For now, it's probably worth just checking this in so that people have something to refer to in the docs and then opening another ticket.

comment:10 Changed 8 years ago by mtredinnick

More in the "note to self" department for when it comes time to check this in: adding a link to the Apache issue article Paul referred to initially is worthwhile.

comment:11 in reply to: ↑ 9 Changed 8 years ago by anonymous

Replying to SmileyChris:

We should be more authoritative and actually tell people which to turn off rather than just a vague "turn off some of these". This will need someone doing some testing obviously.

My understanding is that which of those off-directives you need to include depends on which auth modules you have loaded in your httpd.conf; but this is one of those details I was hoping for some confirmation on.

comment:12 Changed 8 years ago by jacob

  • Resolution set to fixed
  • Status changed from new to closed

(In [6309]) Fixed #4437: added notes to the modpython auth handler documentation about using the handler with Apache 2.2. Thanks to Paul Bissex for the beginnings of the patch, and Graham Dumpleton for the rest of the info.

Note: See TracTickets for help on using tickets.
Back to Top