Can AuthnProviderAlias ldap work with Apache2.4.x?

Question

This works perfectly in Apache2.2, but not in 2.4 (and I need to use 2.4 now):

<AuthnProviderAlias ldap myldap>
  AuthLDAPBindDN cn=Manager,dc=example,dc=com
  AuthLDAPBindPassword xxxx
  AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
</AuthnProviderAlias>

Listen 48443
<VirtualHost myserver:48443>
 <Directory /path/to/a/folder>
        Options +ExecCGI +FollowSymLinks +SymLinksIfOwnerMatch
        AllowOverride All
        order allow,deny
        Allow from all

        AuthBasicProvider myldap mySecondLdap myThirdLdap ...

        AuthType Basic
        AuthName "LDAP authentication for folder"
        Require valid-user
        ...
  </Directory>
</VirtualHost>

---

Using directly the directives from Apache 2.4 mod_authnz_ldap works in the <Directory > section:

AuthLDAPBindDN cn=Manager,dc=example,dc=com
AuthLDAPBindPassword xxx
AuthLDAPURL ldap://localhost:9011/dc=example,dc=com?uid?sub?(objectClass=*)
AuthBasicProvider ldap

But that allows an authentication against only one LDAP server , and I have to authenticate against at least two.
Hence the use of AuthnProviderAlias , which is now (2.4) part of mod_authn_core core authentication module , instead of the old 2.2 LDAP authentication module mod_authn_alias .

---

I have compiled all 2.4.x versions (from 2.4.1 to 2.4.6, and even current), with APR 1.4.8, and APR-util 1.5.2 , in debug mode ( -g -O0 )

What I tried is a debug session ( gdb --command=debug , with ' debug ' a gdb parameter file as follow):

file /home/vonc/usr/local/apps/apache/bin/httpd
set logging file /home/vonc/gdb.txt
set logging on
set args -X
show args
set breakpoint pending on

# authn_alias_check_password
b mod_authn_core.c:115
# authaliassection
b mod_authn_core.c:203
b mod_authn_core.c:255

run
wh
fs next
where

What I see is:

• the authaliassection function of mod_authn_core is called twice , probably because of server/main.c calls ap_process_config_tree twice ( once here , and once there ) in the same main() function .

That function gets the authcfg

authn_alias_srv_conf *authcfg =
    (authn_alias_srv_conf *)ap_get_module_config(r->server->module_config,
                                                 &authn_core_module);

And sets the provider with the right name ' ldap ' and right alias ' myldap '

apr_hash_set(authcfg->alias_rec, provider_alias, APR_HASH_KEY_STRING, prvdraliasrec);

BUT: when the password needs to be checked (in authn_alias_check_password , it gets authcfg again, and fetch the provider :

    provider_alias_rec *prvdraliasrec = apr_hash_get(authcfg->alias_rec,
                                                     provider_name, APR_HASH_KEY_STRING);

It uses the right provider_name ' myldap ', ... and that always returns null .
that means prvdraliasrec->provider->check_password never get called.

A similar question in the http-dev mailing list ( August 23, 2013 "Is AuthnProviderAlias subtly broken in 2.4?" ) was... unanswered.

How would you troubleshoot this bug?

Answer 1

The bug is due to the providers and their usage being in different server contexts.

• mod_authn_core provides AuthType, which causes a per-server config to be created for authn_core in for the VH
• The module implements no merge function
• server->module_config which will always be empty.

Workaround: Define your auth outside of VH context, or try this patch if you can rebuild easily: http://people.apache.org/~covener/patches/authprovider.diff

Index: modules/aaa/mod_authn_core.c
===================================================================
--- modules/aaa/mod_authn_core.c    (revision 40703)
+++ modules/aaa/mod_authn_core.c    (working copy)
@@ -179,6 +179,12 @@
     return (void *) authcfg;
 }

+/* Only per-server directive we have is GLOBAL_ONLY */
+static void *merge_authn_alias_svr_config(apr_pool_t *p, void *basev, void *overridesv)
+{
+    return basev;
+}
+
 static const authn_provider authn_alias_provider =
 {
     &authn_alias_check_password,
@@ -373,7 +379,7 @@
     create_authn_core_dir_config,   /* dir config creater */
     merge_authn_core_dir_config,    /* dir merger --- default is to override */
     create_authn_alias_svr_config,  /* server config */
-    NULL,                           /* merge server config */
+    merge_authn_alias_svr_config,   /* merge server config */
     authn_cmds,
     register_hooks                  /* register hooks */
 };

Answer 2

The only working solution I found is to patch mod_authn_core.c , adding 2 global variables, one for each LDAP alias I want to work with.

That seems ugly: the two LDAP alias names are hardcoded in the code.

See commit 2f691a6

provider_alias_rec *prvdraliasrec_myldap;
provider_alias_rec *prvdraliasrec_companyldap;

That way, merge_authn_core_dir_config() looks for those two alias names specifically to register them.

if (!prvdraliasrec && strcmp(provider_name,"myldap")==0) {
  prvdraliasrec=prvdraliasrec_myldap; 
}
if (!prvdraliasrec && strcmp(provider_name,"companyldap")==0) {
  prvdraliasrec=prvdraliasrec_companyldap;
}

And authaliassection() get those alias definition back

if ( strcmp(provider_alias,"myldap") == 0 ) { 
  prvdraliasrec_myldap = prvdraliasrec;
}
if ( strcmp(provider_alias,"companyldap") == 0 ) {
  prvdraliasrec_companyldap = prvdraliasrec;
}

It works, but it certainly isn't the "right" solution.