
activating module breaks other auth methods

Help
Todd
2007-05-07
2013-04-23
  • Todd

    Todd - 2007-05-07

    Forgive me, I'm having a "you have to be shitting me" moment.

    I have an apache 1.3.33 server running a few dozen virtual hosts. (2.6.8-2-686-smp #1 SMP, if it matters.) Each of these hosts has at least one directory that's protected by basic auth, using a configuration section that looks like this:

    <Directory /www/[vhost_directory]/htdocs/admin/>
      AllowOverride AuthConfig
      AuthName "Client Administration Area"
      AuthType Basic
      AuthUserFile /[path elided]/adminusers
      AuthGroupFile /[path elided]/admingroups
      require group [vhost_group]
    </Directory>

    This works swimmingly, and has for several years now.

    This morning we decided that we needed *one* of these password-protected areas to use mod_auth_mysql.  So, I downloaded 3.0.0, compiled it, and installed it. 

    # /usr/local/apache-light-ssl/bin/apxs -c -I/usr/include/mysql/ -lmysqlclient -lm -lz mod_auth_mysql.c

    # /usr/local/apache-light-ssl/bin/apxs -i mod_auth_mysql.so

    It compiled and installed without error.

    Following the directions in the packages, I inserted this line into httpd.conf:

    LoadModule mysql_auth_module  libexec/mod_auth_mysql.so

    in the main section, where I load all my other modules, like mod_php4, mod_ssl, and mod_perl.

    I also updated the Directory entry for the virtual host in question so that it read as follows:

    <Directory /www/[vhost_directory]/htdocs/admin/>
       AuthType Basic
       AuthName "Administration Area"
       AuthMySQLHost localhost
       AuthMySQLUser nobody
       AuthMySQLPassword [password elided]
       AuthMySQLDB [database name elided]
       AuthMySQLPasswordTable adminusers
       AuthMySQLUsername_Field username
       AuthMySQLPassword_Field password
       AuthMySQLGroup_Field groupname
       AuthMySQLScrambled_Passwords On
    </Directory>

    The database named in AuthMySQLDB was also created and populated with a single administration user to test.  I confirmed that user nobody had access to this database on the command line, using mysql -u nobody -p [database_name].

    After restarting the server process, nothing worked.  First off, I saw this error in my logs:

    [Mon May  7 11:44:03 2007] [error] MySQL ERROR: Access denied for user 'nobody'@'localhost' (using password: NO)
    [Mon May  7 11:44:03 2007] [error] MySQL user adminuser not found: /admin/

    Fantastic.  Well, perhaps I have a bit of a problem in there somewhere.  However, when I started tracking it down, I came across a more substantial problem:  When I have this line:

    LoadModule mysql_auth_module  libexec/mod_auth_mysql.so

    in httpd.conf, all of the *other* password-protected areas, on all of the *other* virtual hosts become inaccessible, throwing the same error in the logs.  Is this the expected behavior?  It certainly doesn't seem like it should be.

    thanks!

     
    • Jerry Stuckle

      Jerry Stuckle - 2007-05-07

      Todd,

      It sounds like you built mod_auth_mysql as enabled by default. 

      When you do this, Apache will attempt to call mod_auth_mysql (and any other authorization modules) to process your request.  This is what's breaking the other directories.

      The easiest way is to recompile mod_auth_mysql, specifying -DENABLE=0.  This will disable it by default and you can enable it for the directories you wish.

      Otherwise, you can add the line

      AuthMySQLEnable Off

      to those directories with non-mod_auth_mysql authentication.

      Jerry
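
Added example, not part of the original thread and not the project's own code: a small audit that, given an httpd.conf where `mysql_auth_module` is loaded, lists the `<Directory>` blocks that rely on `AuthUserFile` but never set `AuthMySQLEnable Off`. It assumes a default-enabled build as described in the reply above, uses constructed sample paths, and does not follow `Include` files, `.htaccess` overrides or nested-section inheritance.

```python
import re

# Constructed sample config modelled on the thread; all paths are placeholders.
SAMPLE_CONF = """\
LoadModule mysql_auth_module  libexec/mod_auth_mysql.so
<Directory /www/vhost_a/htdocs/admin/>
  AuthType Basic
  AuthUserFile /placeholder/adminusers
  require group vhost_a
</Directory>
<Directory /www/vhost_b/htdocs/admin/>
  AuthType Basic
  AuthUserFile /placeholder/adminusers
  AuthMySQLEnable Off
  require group vhost_b
</Directory>
<Directory /www/vhost_c/htdocs/admin/>
  AuthType Basic
  AuthMySQLEnable On
  AuthMySQLHost localhost
  require valid-user
</Directory>
"""

def audit(conf_text):
    """Return Directory paths using file-based auth without AuthMySQLEnable Off."""
    module_loaded = False
    findings, path, directives = [], None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"(?i)LoadModule\s+mysql_auth_module\b", line):
            module_loaded = True
        opened = re.match(r"(?i)<Directory\s+(.+?)>$", line)
        if opened:
            path, directives = opened.group(1).strip('"'), {}
        elif re.match(r"(?i)</Directory>", line) and path is not None:
            # Block closed: flag it if it is file-backed and MySQL auth is not switched off.
            file_auth = "authuserfile" in directives
            mysql_off = directives.get("authmysqlenable", "").lower() == "off"
            if file_auth and not mysql_off:
                findings.append(path)
            path = None
        elif path is not None:
            parts = line.split(None, 1)  # directive name, then its arguments
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    # Without the module loaded there is nothing to interfere with file-based auth.
    return findings if module_loaded else []
```
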

       
    • Jerry Stuckle

      Jerry Stuckle - 2007-05-08

      Also - your first error indicates nobody does not have access to MySQL.  When you tried it from the command line, were you on that machine, or were you logging on from another machine?

      The reason I ask - nobody@localhost is not the same as nobody@someplace_else.

       
    • Todd

      Todd - 2007-05-15

      > It sounds like you built mod_auth_mysql as enabled by default.

      Ok, it's working now, but I still can't seem to find the part of the documentation that mentions this behavior.  Can you point it out to me?

       
    • Jerry Stuckle

      Jerry Stuckle - 2007-05-15

      Todd,

      You would have to look into the Apache documentation as to how its authentication/authorization works.  We don't try to document every possibility in mod_auth_mysql; rather you should have a working knowledge of how Apache works its magic.

      Jerry

       
    • Todd

      Todd - 2007-05-15

      My understanding of the Apache request cycle is really, really not the problem here.  I wish I had more time to dicksize our respective nerd qualifications, it'd be fun.

      The behavior I'm talking about is the "Activate this module after compiling it using the documented instructions, and it will trample the authentication and authorization methods used by every virtual host on the server."  That's unexpected, and should be documented.

      A quick poke at Google indicates that RedHat (et al) seems to think that this behavior is a bug.  I'm inclined to agree with them.  You might not.  Either way, putting a little note in the documentation about this would probably be helpful to those of us who run multiple virtual hosts with different authentication schemes. 

       
    • Jerry Stuckle

      Jerry Stuckle - 2007-05-15

      There is no need to get nasty here.

      Some people, i.e. some Red Hat users, may consider it a bug.  However, that is the way the Apache Foundation designed the authentication mechanism and they're the one which rules.

      The same thing would happen if you were using mod_auth_mysql and added a LoadModule statement for mod_auth or any other authentication module.  Apache, by default, calls each authentication module for every directory requesting authentication.  mod_auth_mysql is still being called.  The compile-time (or configuration file) flag just tells us to ignore this request.

      And one more time.  This is how Apache was designed.  We do not document Apache operations in our documentation.  You are expected to have a basic understanding of how Apache Authentication/Authorization works.

       
