zenprojects / apache-authmemcookie-module Goto Github PK

Hello,

In the changelog you talk about Apache 2.4 partial support.
Is there still something missing to have a full / clean support of Apache 2.4 ?

Thank you very much !

Ben

Hello,

Thanks for writing this apache module - hopefully this will allow us to use simplesamlphp as an SP for our mod_wsgi python webapps! I have authentication working ok, but am struggling with authorization.

Just trying to get group authentication working. Here is my config:
<Location /ssp>
Auth_memCookie_SessionTableSize "40"
Auth_memCookie_Authoritative on
Auth_memCookie_GroupAuthoritative on
Require valid-user
Require group blah

When starting up apache, I see the following error message:
Nov 12 10:23:23 webapps-dr apache2[20440]: * The apache2 configtest failed.
Nov 12 10:23:23 webapps-dr apache2[20440]: Output of config test was:
Nov 12 10:23:23 webapps-dr apache2[20440]: AH00526: Syntax error on line 49 of /etc/apache2/conf-enabled/auth_memcookie.conf:
Nov 12 10:23:23 webapps-dr apache2[20440]: Unknown Authz provider: group
Nov 12 10:23:23 webapps-dr apache2[20440]: Action 'configtest' failed.

I am running apache2 version 2.4.10-9ubuntu1.1 on Ubuntu 15.04 (vivid) with patched (inline bug) version of libmemcache 1.4.0rc2.

Any thoughts?

The function get_Auth_memCookie_grp returns incorrect result if the required group appears as a substring of another group.

groups for a user = group10:group2:group1:group3
required group = group1

A suggestion to fix this :

static int get_Auth_memCookie_grp(request_rec *r, char *szGroup, char *szGroups)
 {
    char *szMyGroups;
    char *szMyGroup;

    /* Add delimiters at start and end of groups string */
    /* and search group with delimiters */
    szMyGroups=apr_pstrcat(r->pool,":",szGroups,":",0);
    szMyGroup=apr_pstrcat(r->pool,":",szGroup,":",0);

    if (!strstr(szMyGroups,szMyGroup))
        return DECLINED;

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r, ERRTAG "group found=%s", szGroup);
    return OK;
}

URL cannot be set as 401 errordocument.

ErrorDocument 401 "/gestionuser/login.php"

This is ignored.

Do you have any alternative solution?

One question.

Does this module support "Replaying POST Requests" when user isn't logged in?

Hello,

Is Authmemcookie module thread safe ?
https://httpd.apache.org/docs/2.4/developer/thread_safety.html

Thank you very much !

Ben

It looks as if simplesamlphp is storing the session in memcached as .session. and not just , but authmemcookie is only searching for in memcached. Is there a way to define a prefix to have the module search with a prefix to the session ID? Or did I miss something that I should have changed in simplesamlphp? Thanks!

Hey

I tried to install this module, but I can't seem to configure it in Linux.

I've installed libevent-2.1.8, memcached-1.4.36 and libmemcached-1.0.18

And then when I run ...
./configure --with-libmemcached=/usr/local/include/libmemcached/

... I get this

checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes
checking whether we are cross compiling... no
checking for suffix of executables...
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for libmemcached library... configure: error: /usr/local/include/libmemcached/ not found.

When i check its contents ...
ls -la /usr/local/include/libmemcached/

... I get this

total 20
drwxr-xr-x 2 root root 4096 may 4 15:37 .
drwxr-xr-x 8 root root 4096 may 4 15:37 ..
-rw-r--r-- 1 root root 1713 may 4 15:37 memcached.h
-rw-r--r-- 1 root root 1717 may 4 15:37 memcached.hpp
-rw-r--r-- 1 root root 1714 may 4 15:37 util.h

I've tried with /usr as the configure path, and some other paths, but it can't seem to find it.

Thanks for any support

In mod_auth_memcookie.c on line 507 the module checks wether the username is not equal the required username and then authenticates.

Example:

• Username: a / Require: b c / Authenticates: true
• Username: a / Require: a c / Authenticates: true
• Username: a / Require: a / Authenticates: false

I have been trying to install this module on Apache 2.4 in Ubuntu 14.04. Here are the steps I followed.

$ sudo apt-get update && apt-get install -y apache2-dev memcached libmemcached-dev autoconf

$ autoconf -f
$ ./configure --with-apxs=/usr/bin/apxs --with-libmemcached=/usr/local
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for libmemcached library... found!
checking for Apache apxs script... found!
configure: creating ./config.status
config.status: creating Makefile
$ make
/usr/bin/apxs -lmemcached -L/usr/local/lib -I/usr/local/include -c mod_auth_memcookie.c
/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static x86_64-linux-gnu-gcc -std=gnu99 -prefer-pic -pipe -g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security  -D_FORTIFY_SOURCE=2   -DLINUX -D_REENTRANT -D_GNU_SOURCE  -pthread  -I/usr/include/apache2  -I/usr/include/apr-1.0   -I/usr/include/apr-1.0 -I/usr/include -I/usr/local/include  -c -o mod_auth_memcookie.lo mod_auth_memcookie.c && touch mod_auth_memcookie.slo
/usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static x86_64-linux-gnu-gcc -std=gnu99 -Wl,--as-needed -Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now    -o mod_auth_memcookie.la  -L/usr/local/lib -lmemcached -rpath /usr/lib/apache2/modules -module -avoid-version    mod_auth_memcookie.lo
$ make install
/usr/bin/apxs -i -n mod_auth_memcookie mod_auth_memcookie.la
/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apr-1.0/build/libtool' mod_auth_memcookie.la /usr/lib/apache2/modules
/usr/share/apr-1.0/build/libtool --mode=install install mod_auth_memcookie.la /usr/lib/apache2/modules/
libtool: install: install .libs/mod_auth_memcookie.so /usr/lib/apache2/modules/mod_auth_memcookie.so
libtool: install: install .libs/mod_auth_memcookie.lai /usr/lib/apache2/modules/mod_auth_memcookie.la
libtool: finish: PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/sbin" ldconfig -n /usr/lib/apache2/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,-rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 644 /usr/lib/apache2/modules/mod_auth_memcookie.so
Enabling module auth_memcookie.
To activate the new configuration, you need to run:
  service apache2 restart
$ apache2ctl configtest
apache2: Syntax error on line 140 of /etc/apache2/apache2.conf: Syntax error on line 2 of /etc/apache2/mods-enabled/auth_memcookie.load: Cannot load /usr/lib/apache2/modules/mod_auth_memcookie.so into server: /usr/lib/apache2/modules/mod_auth_memcookie.so: undefined symbol: memcached_destroy_sasl_auth_data
Action 'configtest' failed.
The Apache error log may have more information.

Any suggestions?

P.S. I was able to follow the same steps as above and get it working on Ubuntu 16.04.

I have an setup with Apache running as a reverse proxy, sending various user information as HTTP headers. To make things interesting, some sites require different headers than others, so the Apache RequestHeader directive is used to map only the required information to the needed header name.

To allow this to work better, and not pollute the back-end request with all session data in headers that will never be used, the the subprocess_env and headers_in handling need separated.

When the RemoteIp changes after user has authenticated, authMemcookie does not prevent user from accessing URLs.

This behaviour seems to happen only on apache 2.4.

I've narred down the issue to the hook definition

Apparently, according to apache dev doc, this hook only executes if the configuration is different from the first access, but I couldn't make it work, even using different locations, one for authentication and another one with the "requires".

Hello,

I get these warnings compiling the module under FreeBSD 10.2 / Apache 2.4.16_1.

# make
/usr/local/sbin/apxs -lmemcache -L/usr/local/lib/  -c mod_auth_memcookie.c
/usr/local/share/apr/build-1/libtool --silent --mode=compile cc -prefer-pic -O2 -pipe -I/usr/include -DLIBICONV_PLUG -fstack-protector -fno-strict-aliasing    -I/usr/local/include/apache24  -I/usr/local/include/apr-1   -I/usr/local/include/apr-1 -I/usr/include -I/usr/local/include -I/usr/local/include/db5  -c -o mod_auth_memcookie.lo mod_auth_memcookie.c && touch mod_auth_memcookie.slo
mod_auth_memcookie.c:266:54: warning: missing sentinel in function call [-Wsentinel]
    szMyGroups=apr_pstrcat(r->pool,":",szGroups,":",0);
                                                     ^
                                                     , NULL
/usr/local/include/apr-1/apr_strings.h:147:28: note: function has been explicitly marked sentinel here
APR_DECLARE_NONSTD(char *) apr_pstrcat(apr_pool_t *p, ...)
                           ^
mod_auth_memcookie.c:267:52: warning: missing sentinel in function call [-Wsentinel]
    szMyGroup=apr_pstrcat(r->pool,":",szGroup,":",0);
                                                   ^
                                                   , NULL
/usr/local/include/apr-1/apr_strings.h:147:28: note: function has been explicitly marked sentinel here
APR_DECLARE_NONSTD(char *) apr_pstrcat(apr_pool_t *p, ...)
                           ^
2 warnings generated.
/usr/local/share/apr/build-1/libtool --silent --mode=link cc -L/usr/lib -fstack-protector   -o mod_auth_memcookie.la  -L/usr/local/lib/ -lmemcache -rpath /usr/local/libexec/apache24 -module -avoid-version    mod_auth_memcookie.lo

Could they be corrected ?

Thank you !

Ben

Hi
Two questions:
In the Session data, which is the format of the Expiration field?
Of the "not mandatory" fields, which ones does your module use?

Best regards, Sala

I'm having issues getting authmemcookie going on RHEL 7. When i run

./configure --with-apxs=/usr/bin/apxs --with-libmemcached=/usr/

when it checks for the libmemcached library, it can't find it.

[root@ctstageextweb2 Apache-Authmemcookie-Module-master]# locate libmemcached /usr/bin/Apache-Authmemcookie-Module-master/m4/ax_libmemcached.m4 /usr/lib64/libmemcached-1.0.18 /usr/lib64/libmemcached-1.0.18.tar.gz /usr/share/doc/man-pages-overrides-7.9.0/libmemcached /usr/share/doc/man-pages-overrides-7.9.0/libmemcached/COPYING

I've tried /usr/lib64/ as well for the directory but I'm not sure why it's not finding it. I installed 'libmemcached.x86_64 : Client library and command line tools for memcached server' using yum install libmemcached. Is this the correct way to add it to a RHEL 7 machine, or is something else amiss?

Thank you.

Hello,

I just noticed that REMOTE_USER is not available to mod_rewrite.
%{REMOTE_USER} is empty when used in RewriteCond / RewriteRule.
Even %{LA-U:REMOTE_USER} is empty.

Thank you !

Ben