# [solved] apache-2.2+mod_authnz_external+pwauth+pam

## johnny99

I need help to make mod_authnz_external work with pam in apache-2.2.

This is an upgrade from apache-2.0+mod_auth_pam+pam+pam_winbind.so+samba+Active Directory, where everything worked.

Now I am trying apache-2.2+mod_authnz_external+pwauth+pam+pam_winbind.so+samba+Active Directory.

The apache log shows this error when I try to log in:

```
==> /var/log/apache2/error.log <==
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid AuthExternal keyword (pwauth)
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access to /DataMart/ failed, reason: verification of user id 'johns' not configured
```

What does it mean?

I built pwauth to use pam & allow 2 users to run it (apache and jstile), and command line tests succeed.

```
 echo 'PWAUTH_SERVERUIDS="81,1000"' >> /etc/make.conf  # Must specify UIDs allowed to run pwauth
 echo 'www-apache/pwauth pam' >> /etc/portage/package.use
 echo 'www-apache/pwauth ~x86' >> /etc/portage/package.keywords
 emerge www-apache/pwauth
 vi  /etc/pam.d/pwauth
     #%PAM-1.0
     auth    required        pam_winbind.so
     account required        pam_winbind.so
```

Test pwauth as non-root user, testing Active Directory account.

```
 su - jstile
  /usr/sbin/pwauth
    johns
    <good password>
  echo $?
    0  # this means good passwd
  /usr/sbin/pwauth
    johns
    foo
  echo $?
    1   # this means bad passwd
```

This gives me confidence the problem is not with pwauth.

Install mod_authnz_external.

```
 echo 'www-apache/mod_authnz_external ~x86' >> /etc/portage/package.keywords
 emerge --update --newuse --deep -ta www-apache/mod_authnz_external
```

Append '-D AUTHNZ_EXTERNAL' to APACHE2_OPTS in /etc/conf.d/apache2.

Resulting line:

```
APACHE2_OPTS="-D INFO -D LANGUAGE -D SSL -D DEFAULT_VHOST -D SSL_DEFAULT_VHOST -D SUEXEC -D SVN -D SVN_AUTHZ -D DAV -D DAV_FS -D PHP5 -D AUTHNZ_EXTERNAL"
```

I edited /etc/apache2/modules.d/10_mod_authnz_external.conf,

and uncommented/changed 2 lines:

```
  AddExternalAuth  pwauth /usr/sbin/pwauth
  SetExternalAuthMethod  pwauth pipe
```

Then for the apache configs.

  The file /etc/apache2/httpd.conf 

    loads default modules,

    loads /etc/apache2/modules.d/*.conf

    loads /etc/apache2/vhosts.d/*.conf

I have one vhost for port 80, one for 443, and one for common items.

```
   00_default_ssl_vhost.conf
   00_default_vhost.conf
   default_vhost.include
```

The file /etc/apache2/modules.d/10_mod_authnz_external.conf contains:

```
<IfDefine AUTHNZ_EXTERNAL>
  <IfModule !mod_authnz_external.c>
    #LoadModule authnz_external_module modules/mod_authnz_external.so
    LoadModule authnz_external_module /usr/lib/apache2/modules/mod_authnz_external.so
  </IfModule>
</IfDefine>

<IfModule mod_authnz_external.c>
AddExternalAuth  pwauth /usr/sbin/pwauth
SetExternalAuthMethod  pwauth pipe
</IfModule>
```

 The file /etc/apache2/modules.d/47_mod_dav_svn.conf contains:

```
LoadModule dav_svn_module /usr/lib/apache2/modules/mod_dav_svn.so
LoadModule authz_svn_module /usr/lib/apache2/modules/mod_authz_svn.so

<Location /DataMart>
  DAV svn
  SVNPath /svn/repos/DataMart
  SVNIndexXSLT "/svnindex.xsl"
  AuthType Basic
  AuthName "Subversion Repository: DataMart"
  #AuthBasicAuthoritative Off
  AuthBasicProvider external
  AuthExternal pwauth
  Require valid-user
  AuthzSVNAccessFile /svn/acls/DataMart.acl
</Location>
```

Finally I restart apache.

```
/etc/init.d/apache2 restart
```

I can access both the 443 and 80 default pages, so Apache is serving pages.

When "AuthBasicAuthoritative Off" is uncommented and I access DataMart, I am prompted for a password over and over, which generates the apache logs:

```
==> /var/log/apache2/error.log <==
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] Invalid AuthExternal keyword (pwauth)
[Sun Sep 16 19:01:00 2007] [error] [client 192.168.50.96] access to /DataMart/ failed, reason: verification of user id 'johns' not configured
```

When "AuthBasicAuthoritative Off" is commented out and I access DataMart, apache logs show:

```
==> /var/log/apache2/access.log <==
192.168.60.30 - johns [17/Sep/2007:14:19:54 -0700] "GET /DataMart/ HTTP/1.1" 500 540 "-" "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.6) Gecko/20070815 Firefox/2.0.0.6"

==> /var/log/apache2/error.log <==
[Mon Sep 17 14:19:54 2007] [error] [client 192.168.60.30] Invalid AuthExternal keyword (pwauth)
```

From the client I get:

I have the following packages installed:

```
[I] www-apache/mod_authnz_external
     Available versions:  (2)  (~)3.1.0
     Installed versions:  3.1.0(2)(18:38:34 09/16/07)
     Homepage:            http://www.unixpapa.com/mod_auth_external.html
     Description:         An Apache2 authentication DSO using external programs

[I] www-apache/pwauth
     Available versions:  (~)2.3.1-r4 (~)2.3.2 {domain-aware faillog ignore-case pam}
     Installed versions:  2.3.2(13:16:30 09/16/07)(-domain-aware -faillog -ignore-case pam)
     Homepage:            http://www.unixpapa.com/pwauth/
     Description:         A Unix Web Authenticator

[I] app-admin/apache-tools
     Available versions:  2.2.4-r4 2.2.6 {ssl}
     Installed versions:  2.2.6(14:20:43 09/15/07)(ssl)
     Homepage:            http://httpd.apache.org/
     Description:         Useful Apache tools - htdigest, htpasswd, ab, htdbm

[I] www-servers/apache
     Available versions:  (2)  2.0.58-r2 2.0.59-r5 ~2.0.61 2.2.4-r12 2.2.6
        {apache2 debug doc ldap mpm-event mpm-itk mpm-leader mpm-peruser mpm-prefork mpm-threadpool mpm-worker no-suexec selinux ssl static-modules threads}
     Installed versions:  2.2.6(2)(14:20:04 09/15/07)(-debug -doc -ldap -mpm-event -mpm-itk -mpm-peruser mpm-prefork -mpm-worker -no-suexec -selinux ssl -static-modules -threads)
     Homepage:            http://httpd.apache.org/
     Description:         The Apache Web Server.
```

Last edited by johnny99 on Thu Sep 20, 2007 5:14 pm; edited 1 time in total

----------

## Fibbs

Did you get any solution on this?

I have exactly the same problem here... read all documentation and nothing! Seems to be a bug...

----------

## johnny99

Thank you for your reply.  

I did figure it out.  Authentication is working.

Not sure I would call it a bug, but the documentation on post install steps is lacking. 

With apache's config files all over the place in gentoo, it would be helpful to see a few hints about what to do, and where to do it.

To start, 

pwauth was installed and tested (as stated in the first previous post).

mod_authnz_external was also installed (as stated in the first previous post).

Not related to the auth problem, but I needed to generate entropy for apache to start

```
emerge rng-tools
rc-update add rngd default
/etc/init.d/rngd start
```

Then we come to the Oh So Important configuration that works:

/etc/apache2/modules.d/10_mod_authnz_external.conf

```
<IfDefine AUTHNZ_EXTERNAL>
  <IfModule !mod_authnz_external.c>
    LoadModule authnz_external_module modules/mod_authnz_external.so
  </IfModule>
</IfDefine>

<IfModule mod_authnz_external.c>
</IfModule>
```

/etc/apache2/modules.d/47_mod_dav_svn.conf 

```
<Location /DataMart>
  DAV svn
  SVNPath /svn/repos/DataMart
  SVNIndexXSLT "/svnindex.xsl"
  AuthType Basic
  AuthName "Subversion Repository: DataMart"
  AuthBasicProvider external
  AuthExternal pwauth
  Require valid-user
  AuthzSVNAccessFile /svn/acls/DataMart.acl
</Location>
```

At the top of /etc/apache2/vhosts.d/00_default_ssl_vhost.conf, 

but inside the VirtualHost block:

```
  Include /etc/apache2/vhosts.d/default_vhost.include
```

At the top of /etc/apache2/vhosts.d/default_vhost.include,

I added:

```
<IfModule authnz_external_module>
    AddExternalAuth pwauth  /usr/sbin/pwauth
    SetExternalAuthMethod   pwauth  pipe
</IfModule>
```

Restart apache, and then log in while watching all the logs.

If this works for you, we can add [FIXED] to the title of this post.

----------
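Added example, not part of the thread's posts: the working configuration above differs from the failing one in where `AddExternalAuth` lives (inside the VirtualHost, via the include, instead of at server level), and this small Python lint flags any virtual host that can reach an `AuthExternal` keyword without defining it. It assumes, as the fix implies, that keyword definitions are not inherited by virtual hosts; the file tree is a constructed sample, `Include` is followed only for literal paths, and `IfModule`/`IfDefine` blocks are treated as always active.

```python
import re

# Constructed sample tree modelled on the thread's layout (not the poster's real files).
EXT_DEF = "AddExternalAuth pwauth /usr/sbin/pwauth\nSetExternalAuthMethod pwauth pipe\n"
FILES = {
    "httpd.conf": """
Include modules.d/10_mod_authnz_external.conf
Include modules.d/47_mod_dav_svn.conf
Include vhosts.d/00_default_ssl_vhost.conf
Include vhosts.d/00_default_vhost.conf
""",
    "modules.d/10_mod_authnz_external.conf": EXT_DEF,  # server-level definition only
    "modules.d/47_mod_dav_svn.conf":
        "<Location /DataMart>\nAuthBasicProvider external\nAuthExternal pwauth\n</Location>\n",
    "vhosts.d/00_default_ssl_vhost.conf":
        "<VirtualHost *:443>\nInclude vhosts.d/default_vhost.include\n</VirtualHost>\n",
    "vhosts.d/00_default_vhost.conf": "<VirtualHost *:80>\n</VirtualHost>\n",
    "vhosts.d/default_vhost.include": EXT_DEF,  # the thread's fix: define inside the vhost
}

def expand(name, files):
    """Yield directive lines of `name`, following literal Include paths (no globs)."""
    for raw in files[name].splitlines():
        line = raw.strip()
        m = re.match(r"Include\s+(\S+)$", line, re.I)
        if m:
            yield from expand(m.group(1), files)
        elif line and not line.startswith("#"):
            yield line

def undefined_keywords(root, files):
    """Return sorted (vhost, keyword) pairs: AuthExternal used, AddExternalAuth absent in that vhost."""
    vhost, defined, used = None, {}, {None: set()}
    for line in expand(root, files):
        if m := re.match(r"<VirtualHost\s+([^>]+)>", line, re.I):
            vhost = m.group(1).strip()
            defined.setdefault(vhost, set()); used.setdefault(vhost, set())
        elif re.match(r"</VirtualHost>", line, re.I):
            vhost = None
        elif m := re.match(r"AddExternalAuth\s+(\S+)", line, re.I):
            defined.setdefault(vhost, set()).add(m.group(1))
        elif m := re.match(r"AuthExternal\s+(\S+)", line, re.I):
            used.setdefault(vhost, set()).add(m.group(1))
    # Server-level <Location> blocks apply to every vhost, so their keywords count for each one.
    return sorted((v, k) for v in defined if v is not None
                  for k in (used[None] | used[v]) - defined[v])

if __name__ == "__main__":
    print(undefined_keywords("httpd.conf", FILES))
```

In the sample, the port 443 vhost pulls in the include and passes, while the port 80 vhost is reported because it only sees the server-level definition.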

