Sunday, July 22, 2007

Ubuntu 6.10 -> 7.04 upgrade: Apache 2.2 ldap changes

Just suffered through some lame Apache module syntax changes on Ubuntu after upgrading to 7.04.  This is why I don't skip major versions...

Here is my functioning template on Ubuntu 7.04 Feisty:

AuthBasicProvider ldap
AuthName "Secret Website"
AuthType Basic
# prevent other mods from authenticating this user on failure
AuthzLDAPAuthoritative on
# protocol://server:port/base?attribute?scope?filter
AuthLDAPURL ldap://localhost:389/blah
AuthLDAPBindDN blah
AuthLDAPBindPassword "secret"
# require membership in LDAP group for access
require ldap-group cn=mygroup,ou=Groups,dc=example,dc=com

There were several major changes that kept my site from working after the upgrade:

Deprecated directives:

AuthLDAPAuthoritative (now AuthzLDAPAuthoritative)

New directive required:

AuthBasicProvider ldap

This tells the mod_auth_basic module to defer to the mod_authnz_ldap module for authentication instead of handling it on its own. If you don't specify it, you get this lovely cryptic error in your server error log:

[error] Internal error: pcfg_openfile() called with NULL filename

require group is now used only for local UNIX groups.  For LDAP, you have to use require ldap-group.
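
An added example, not part of the original post: a small Python check that flags the three changes listed above in an Apache config before the upgrade breaks authentication. The function name and the sample config are constructed for illustration; each section is checked on its own, without following Include files or inheriting from enclosing sections.

```python
# Constructed sample: an LDAP block still written the pre-upgrade way.
SAMPLE_OLD = """\
<Directory /var/www/secret>
    AuthName "Secret Website"
    AuthType Basic
    AuthLDAPAuthoritative on
    AuthLDAPURL ldap://localhost:389/blah
    require group cn=mygroup,ou=Groups,dc=example,dc=com
</Directory>
"""

def lint_ldap_auth(conf_text):
    """Return sorted (line_number, message) findings for scopes that set AuthLDAPURL."""
    findings = []
    scopes = [{"start": 1, "directives": []}]   # file level, then nested <Section>s

    def close(scope):
        d = scope["directives"]              # (line_number, lowercased name, args)
        if not any(name == "authldapurl" for _, name, _ in d):
            return                           # scope is not LDAP-protected
        for no, name, args in d:
            words = args.lower().split()
            if name == "authldapauthoritative":
                findings.append((no, "AuthLDAPAuthoritative is now AuthzLDAPAuthoritative"))
            if name == "require" and words[:1] == ["group"]:
                findings.append((no, "use 'require ldap-group' for LDAP groups"))
        if not any(name == "authbasicprovider" and "ldap" in args.lower().split()
                   for _, name, args in d):
            findings.append((scope["start"], "missing 'AuthBasicProvider ldap'"))

    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                         # blank line or comment
        if line.startswith("</"):
            if len(scopes) > 1:
                close(scopes.pop())
        elif line.startswith("<"):
            scopes.append({"start": no, "directives": []})
        else:
            parts = line.split(None, 1)      # directive names are case-insensitive
            args = parts[1] if len(parts) > 1 else ""
            scopes[-1]["directives"].append((no, parts[0].lower(), args))
    while scopes:
        close(scopes.pop())                  # file-level scope (e.g. an .htaccess)
    return sorted(findings)

if __name__ == "__main__":
    for no, msg in lint_ldap_auth(SAMPLE_OLD):
        print(f"line {no}: {msg}")
```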
