Can AuthnProviderAlias ldap work with Apache2.4.x?

Question

This works perfectly in Apache2.2, but not in 2.4 (and I need to use 2.4 now):

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword xxxx
  AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

Listen 48443
<VirtualHost myserver:48443>
 <Directory /path/to/a/folder>
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        order allow,deny
        Allow from all

        AuthBasicProvider myldap mySecondLdap myThirdLdap ...

        AuthType Basic
        AuthName "LDAP authentication for folder"
        Require valid-user
        ...
  </Directory>
</VirtualHost>

Directly using the directives from Apache 2.4 mod_authnz_ldap in the <Directory> section:

AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword xxx
AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
AuthBasicProvider ldap

But that allows an authentication against only one LDAP server, and I have to authenticate against at least two.
Hence the use of AuthnProviderAlias, which is now (2.4) part of mod_authn_core core authentication module, instead of the old 2.2 LDAP authentication module mod_authn_alias.

I have compiled all 2.4.x versions (from 2.4.1 to 2.4.6, and even current), with APR 1.4.8, and APR-util 1.5.2, in debug mode (-g -O0).

What I tried is a debug session (gdb --command=debug, with 'debug' a gdb parameter file as follows):

file /home/vonc/usr/local/apps/apache/bin/httpd
set logging file /home/vonc/gdb.txt
set logging on
set args -X
show args
set breakpoint pending on

# authn_alias_check_password
b mod_authn_core.c:115
# authaliassection
b mod_authn_core.c:203
b mod_authn_core.c:255

run
wh
fs next
where

What I see is:

  • the authaliassection function of mod_authn_core is called twice, probably because server/main.c calls ap_process_config_tree twice (once here, and once there) in the same main() function.

That function gets the authcfg

authn_alias_srv_conf *authcfg =
    (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
                                                 &authn_core_module);

And sets the provider with the right name 'ldap' and right alias 'myldap'

apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);

BUT: when the password needs to be checked (in authn_alias_check_password), it gets authcfg again, and fetches the provider:

    provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
                                                     provider_name, APR_HASH_KEY_STRING);

It uses the right provider_name 'myldap', ... and that always returns null.
That means prvdraliasrec->provider->check_password never gets called.

A similar question in the http-dev mailing list (August 23, 2013 "Is AuthnProviderAlias subtly broken in 2.4?") was... unanswered.

How would you fix this bug?

Recommended answer

The bug is due to the providers and their usage being in different server contexts.

  • mod_authn_core provides AuthType, which causes a per-server config to be created for authn_core in the VH
  • The module doesn't implement a merge function
  • server->module_config is always empty.

Workaround: Define your auth outside of VH context, or try this patch if you can rebuild easily: http://people.apache.org/~covener/patches/authprovider.diff

Index: modules/aaa/mod_authn_core.c
===================================================================
--- modules/aaa/mod_authn_core.c    (revision 40703)
+++ modules/aaa/mod_authn_core.c    (working copy)
@@ -179,6 +179,12 @@
     return (void *) authcfg;
 }

+/* Only per-server directive we have is GLOBAL_ONLY */
+static void *merge_authn_alias_svr_config(apr_pool_t *p, void *basev, void *overridesv)
+{
+    return basev;
+}
+
 static const authn_provider authn_alias_provider =
 {
     &authn_alias_check_password,
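Review bot: merge_authn_alias_svr_config returns basev without ever looking at overridesv, and the one-line comment above it does not say why discarding the virtual host's config is safe. Consider expanding the comment to state that, since the only per-server directive is GLOBAL_ONLY, every virtual host should resolve aliases through the base server's table, and mark p and overridesv as intentionally unused so the function does not trip unused-parameter warnings.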
@@ -373,7 +379,7 @@
     create_authn_core_dir_config,   /* dir config creater */
     merge_authn_core_dir_config,    /* dir merger --- default is to override */
     create_authn_alias_svr_config,  /* server config */
-    NULL,                           /* merge server config */
+    merge_authn_alias_svr_config,   /* merge server config */
     authn_cmds,
     register_hooks                  /* register hooks */
 };
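Review bot: The slot comment on the changed line still reads only "merge server config", while the dir merger one line above documents its policy ("default is to override"). Put the policy on the new entry as well, for example "/* merge server config --- always use base */", so the difference from the dir merger is visible where the module is registered.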

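The three points in the answer can be reproduced in a small stand-alone C model, added here as an illustration and not taken from httpd or from the patch. The types and functions (alias_conf, effective_vhost_conf, resolve_in_vhost and so on) are hypothetical simplifications: a fixed array stands in for the alias_rec hash, and the virtual-host fix-up is reduced to "call the merger if there is one, otherwise keep the vhost's own config".

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for authn_alias_srv_conf: alias name -> base provider. */
#define MAX_ALIASES 4
typedef struct {
    const char *alias[MAX_ALIASES];
    const char *provider[MAX_ALIASES];
    int n;
} alias_conf;
typedef alias_conf *(*merge_fn)(alias_conf *base, alias_conf *overrides);

/* Models <AuthnProviderAlias ldap myldap>: stores the alias in ONE server's config. */
static void register_alias(alias_conf *c, const char *provider, const char *alias)
{
    if (c->n < MAX_ALIASES) { c->alias[c->n] = alias; c->provider[c->n] = provider; c->n++; }
}

/* Models the apr_hash_get() lookup done in authn_alias_check_password. */
static const char *lookup_alias(const alias_conf *c, const char *alias)
{
    for (int i = 0; i < c->n; i++)
        if (strcmp(c->alias[i], alias) == 0) return c->provider[i];
    return NULL;
}

/* Assumed model of vhost fix-up: without a merger the vhost keeps its own config. */
static alias_conf *effective_vhost_conf(alias_conf *base, alias_conf *vhost, merge_fn merge)
{
    return merge ? merge(base, vhost) : vhost;
}

/* Same policy as the patch's merger: always hand back the base server's config. */
static alias_conf *merge_return_base(alias_conf *base, alias_conf *overrides)
{
    (void)overrides;
    return base;
}

/* Provider that a request inside the vhost resolves "myldap" to, or NULL. */
static const char *resolve_in_vhost(merge_fn merge)
{
    alias_conf base = {0}, vhost = {0};        /* vhost config is created empty */
    register_alias(&base, "ldap", "myldap");   /* alias defined at global scope */
    return lookup_alias(effective_vhost_conf(&base, &vhost, merge), "myldap");
}

int main(void)
{
    return (resolve_in_vhost(NULL) == NULL && resolve_in_vhost(merge_return_base)) ? 0 : 1;
}
```

With no merger the lookup inside the virtual host returns NULL, which is the symptom seen in the gdb session; with the return-base merger the same lookup finds 'ldap'.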