Can AuthnProviderAlias ldap work with Apache2.4.x?
Problem description
This works perfectly in Apache2.2, but not in 2.4 (and I need to use 2.4 now):
<AuthnProviderAlias ldap myldap>
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword xxxx
AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>
Listen 48443
<VirtualHost myserver:48443>
<Directory /path/to/a/folder>
Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
AllowOverride All
order allow,deny
Allow from all
AuthBasicProvider myldap mySecondLdap myThirdLdap ...
AuthType Basic
AuthName "LDAP authentication for folder"
Require valid-user
...
</Directory>
</VirtualHost>
Using the directives from the Apache 2.4 mod_authnz_ldap module directly in the <Directory> section works:
AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword xxx
AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
AuthBasicProvider ldap
But that allows an authentication against only one LDAP server, and I have to authenticate against at least two.
Hence the use of AuthnProviderAlias (http://httpd.apache.org/docs/current/mod/mod_authn_core.html#authnprovideralias), which is now (2.4) part of the mod_authn_core core authentication module, instead of the old 2.2 LDAP authentication module mod_authn_alias.
I have compiled all 2.4.x versions (from 2.4.1 to 2.4.6, and even current), with APR 1.4.8, and APR-util 1.5.2, in debug mode (-g -O0).
What I tried is a debug session (gdb --command=debug, with 'debug' a gdb parameter file as follows):
file /home/vonc/usr/local/apps/apache/bin/httpd
set logging file /home/vonc/gdb.txt
set logging on
set args -X
show args
set breakpoint pending on
# authn_alias_check_password
b mod_authn_core.c:115
# authaliassection
b mod_authn_core.c:203
b mod_authn_core.c:255
run
wh
fs next
where
What I see is:
- the authaliassection function (https://github.com/apache/httpd/blame/trunk/modules/aaa/mod_authn_core.c#L194-L207) of mod_authn_core is called twice, probably because server/main.c calls ap_process_config_tree twice (once here, and once there) in the same main() function.
That function gets the authcfg:
authn_alias_srv_conf *authcfg =
(authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
&authn_core_module);
And sets the provider with the right name 'ldap' and right alias 'myldap':
apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);
But: when the password needs to be checked (in authn_alias_check_password, https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authn_core.c#L107-L108), it gets authcfg again, and fetches the provider:
provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
provider_name, APR_HASH_KEY_STRING);
It uses the right provider_name 'myldap', ... and that always returns null.
That means prvdraliasrec->provider->check_password (https://github.com/apache/httpd/blob/trunk/modules/aaa/mod_authn_core.c#L128-L131) never gets called.
A similar question in the http-dev mailing list (August 23, 2013 "Is AuthnProviderAlias subtly broken in 2.4?", http://mail-archives.apache.org/mod_mbox/httpd-dev/201308.mbox/%3C5215672C.8090304@aldan.algebra.com%3E) was... unanswered.
How would you troubleshoot this bug?
Recommended answer
The bug is due to the providers and their usage being in different server contexts.
- mod_authn_core provides AuthType, which causes a per-server config to be created for authn_core in the VH
- The module implements no merge function
- server->module_config which will always be empty.
Workaround: Define your auth outside of VH context, or try this patch if you can rebuild easily: http://people.apache.org/~covener/patches/authprovider.diff
Index: modules/aaa/mod_authn_core.c
===================================================================
--- modules/aaa/mod_authn_core.c (revision 40703)
+++ modules/aaa/mod_authn_core.c (working copy)
@@ -179,6 +179,12 @@
return (void *) authcfg;
}
+/* Only per-server directive we have is GLOBAL_ONLY */
+static void *merge_authn_alias_svr_config(apr_pool_t *p, void *basev, void *overridesv)
+{
+ return basev;
+}
+
static const authn_provider authn_alias_provider =
{
&authn_alias_check_password,
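Review bot: merge_authn_alias_svr_config returns basev unconditionally and never looks at p or overridesv, so whatever create_authn_alias_svr_config built for the virtual host is dropped without trace. That is only correct while every per-server directive of this module stays GLOBAL_ONLY, which the one-line comment states but does not explain; I would expand the comment to say that the base config's alias table is the one every virtual host must see, so that a later per-vhost directive is not added without revisiting this function.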
@@ -373,7 +379,7 @@
create_authn_core_dir_config, /* dir config creater */
merge_authn_core_dir_config, /* dir merger --- default is to override */
create_authn_alias_svr_config, /* server config */
- NULL, /* merge server config */
+ merge_authn_alias_svr_config, /* merge server config */
authn_cmds,
register_hooks /* register hooks */
};
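Review bot: swapping NULL for merge_authn_alias_svr_config in the "merge server config" slot changes which authn_core server config every virtual host sees, and nothing in the patch exercises that. A test configuration with the alias defined at global scope and AuthBasicProvider referencing it from inside a <VirtualHost> would cover the case this is meant to fix and guard against a regression.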
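The failure described in the answer, as a simplified C model added here (not httpd source and not part of the original answer). The names alias_conf, vhost_conf, lookup and resolve_in_vhost are hypothetical stand-ins, and a single alias slot replaces the apr_hash_t.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for authn_alias_srv_conf: one slot, not an apr_hash_t. */
typedef struct { const char *alias; const char *provider; } alias_conf;

typedef void *(*merge_fn)(void *basev, void *overridesv);

/* What the patch adds: every virtual host ends up with the global config. */
static void *merge_keep_base(void *basev, void *overridesv)
{
    (void)overridesv;
    return basev;
}

/* Model of the config a request in the vhost sees. Per the answer, AuthType
 * inside the vhost gives it its own per-server config; without a merge
 * function that (empty) config is used as-is. */
static alias_conf *vhost_conf(alias_conf *global, alias_conf *vhost, merge_fn merge)
{
    return merge ? merge(global, vhost) : vhost;
}

/* Mirrors the lookup in authn_alias_check_password: NULL means the aliased
 * provider's check_password is never reached. */
static const char *lookup(const alias_conf *c, const char *name)
{
    return (c->alias && strcmp(c->alias, name) == 0) ? c->provider : NULL;
}

/* Resolve "myldap" from inside a virtual host, with or without a merge function. */
static const char *resolve_in_vhost(merge_fn merge)
{
    alias_conf global = { "myldap", "ldap" }; /* <AuthnProviderAlias ldap myldap>, global scope */
    alias_conf vhost = { NULL, NULL };        /* created empty for the vhost */
    return lookup(vhost_conf(&global, &vhost, merge), "myldap");
}

int main(void)
{
    const char *before = resolve_in_vhost(NULL);
    const char *after = resolve_in_vhost(merge_keep_base);
    printf("merge = NULL:      %s\n", before ? before : "(null)");
    printf("merge = keep base: %s\n", after ? after : "(null)");
    return 0;
}
```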