[patch] metamail and apache-mod_auth_pam
Jérôme Augé
jerome.auge at cesamnet.fr
Sat Sep 9 20:32:40 CEST 2006
Marcin Król wrote:
>> apache-mod_auth_pam is not compatible with Apache >= 2.1, as they have
>> changed the authn/authz mechanism.
>
> It is compatible. I'm using it successfully on some systems and it works
> perfectly.
>
> [...]
>
> "AuthBasicAuthoritative off" is required to get it working with Apache
> 2.x. No code changes are required.
You're right. I gave it a try, and it works.
But my error_log is now filled with these error messages:
[error] Internal error: pcfg_openfile() called with NULL filename
[error] [client 192.168.253.32] (9)Bad file descriptor: Could not open
password file: (null), referer: http://pldmachine/what/
Don't you get these errors?
The "noprov" patch from Fedora might be the best way after all, as it
allows you to upgrade from Apache 2.0 to 2.2 without touching your
conf files and it does not generate error messages on each
authentication (even if the authentication is successful).
Anyway, if you want to package apache-mod_authn_pam, here is the spec
file (shamelessly copied from apache-mod_auth_pam) with the pam service
selector I use.
Note: mod_authn_pam sources are not distributed in a tarball format, so
you must check it out from their cvs.
- http://mod-auth.sourceforge.net/docs/mod_authn_pam/
Regards,
Jérôme Augé
-------------- next part --------------
# $Revision$, $Date$
%define mod_name authn_pam
%define apxs /usr/sbin/apxs
Summary: This is the PAM authentication module for Apache 2.2
Summary(es): Este módulo proporciona autenticación PAM para Apache 2.2
Summary(pl): Moduł uwierzytelnienia PAM dla Apache
Summary(pt_BR): Este módulo provê autenticação PAM para o Apache
Name: apache-mod_%{mod_name}
Version: 0.0.1
Release: 1
Epoch: 1
License: Apache Group License
Group: Networking/Daemons
Source0: mod_%{mod_name}.tar.gz
# Source0-md5: d7e2601f226c0319e3178f00406537b7
Source1: apache-mod_authn_pam.conf
Source2: httpd.pam
Patch0: apache-mod_authn_pam-AuthnPAMService.patch
URL: http://cvs.sourceforge.net/viewcvs.py/mod-auth/mod_authn_pam/
BuildRequires: %{apxs}
BuildRequires: apache-devel >= 2.2
BuildRequires: pam-devel
BuildRequires: rpmbuild(macros) >= 1.268
Requires: apache >= 2.2
Requires: apache(modules-api) = %apache_modules_api
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
Provides: apache-mod_auth_pam
%define _pkglibdir %(%{apxs} -q LIBEXECDIR 2>/dev/null)
%define _sysconfdir %(%{apxs} -q SYSCONFDIR 2>/dev/null)
%description
This is an authentication module for Apache that allows you to
authenticate HTTP clients using PAM (pluggable authentication module).
%description -l es
Este módulo permite autenticar clientes HTTP usando el directorio PAM.
%description -l pl
To jest moduł uwierzytelnienia dla Apache pozwalający na
uwierzytelnianie klientów HTTP przez PAM.
%description -l pt_BR
Este módulo permite que você autentique clientes HTTP usando o
diretório PAM.
%prep
%setup -q -n mod_%{mod_name}
%patch0 -p1
%build
cd src
%{apxs} -c mod_%{mod_name}.c -o mod_%{mod_name}.la -lpam
%install
cd src
rm -rf $RPM_BUILD_ROOT
install -d $RPM_BUILD_ROOT{%{_pkglibdir},/etc/pam.d,%{_sysconfdir}/httpd.conf}
install .libs/mod_*.so $RPM_BUILD_ROOT%{_pkglibdir}
install %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/httpd.conf/52_mod_authn_pam.conf
install %{SOURCE2} $RPM_BUILD_ROOT/etc/pam.d/httpd
%clean
rm -rf $RPM_BUILD_ROOT
%post
%service -q httpd restart
%postun
if [ "$1" = "0" ]; then
%service -q httpd restart
fi
%files
%defattr(644,root,root,755)
%attr(640,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/httpd.conf/*_mod_authn_pam.conf
%attr(755,root,root) %{_pkglibdir}/*.so
%config(noreplace) /etc/pam.d/httpd
%define date %(echo `LC_ALL="C" date +"%a %b %d %Y"`)
%changelog
* %{date} PLD Team <feedback at pld-linux.org>
All persons listed below can be reached at <cvs_login>@pld-linux.org
$Log$
-------------- next part --------------
LoadModule authn_pam_module modules/mod_authn_pam.so
-------------- next part --------------
#%PAM-1.0
auth required /lib/security/pam_unix.so
account required /lib/security/pam_unix.so
-------------- next part --------------
--- mod_authn_pam.orig/src/mod_authn_pam.c 2003-11-11 10:16:17.000000000 +0100
+++ mod_authn_pam/src/mod_authn_pam.c 2006-04-26 19:05:21.000000000 +0200
@@ -92,6 +92,7 @@
typedef struct {
int fail_delay; /* fail delay in ms -- needs library support */
+ const char *service; /* service name to use for PAM authentication */
} authn_pam_dir_config;
static
@@ -114,6 +115,7 @@
(authn_pam_dir_config *) apr_palloc(p, sizeof(authn_pam_dir_config));
new->fail_delay = 0; /* 0 ms */
+ new->service = pam_servicename; /* httpd */
return new;
}
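Review bot: in the create function, `new->service = pam_servicename;` bakes the default into every freshly created per-directory config, so a merge step can no longer tell "not set here" from "explicitly set to the default". Consider initialising `service` to NULL and falling back to `pam_servicename` at the `pam_start()` call, which also lets a nested section inherit its parent's `AuthnPAMService`. The trailing `/* httpd */` comment will go stale if the constant's value ever changes; drop the literal or refer to the constant by name.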
@@ -125,6 +127,11 @@
"number of micro seconds to wait after failed authentication "
"attempt. (default is 0.)"),
+ AP_INIT_TAKE1("AuthnPAMService",
+ ap_set_string_slot, (void *) APR_OFFSETOF(authn_pam_dir_config, service),
+ OR_AUTHCFG,
+ "PAM service name to use for authentication. (default is httpd.)"),
+
{NULL}
};
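Review bot: `OR_AUTHCFG` on the new `AuthnPAMService` directive means any .htaccess file covered by `AllowOverride AuthConfig` can choose which PAM service authenticates its users, and `ap_set_string_slot` stores the value without any check. Whoever can write such a file could end up selecting a PAM stack with a weaker policy than the administrator intended for the web server. Consider a custom setter that rejects empty names and names containing `/`, and either restrict the directive to server configuration (`RSRC_CONF|ACCESS_CONF`) or state the delegation explicitly in the help string.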
@@ -216,7 +223,7 @@
userinfo.name = (char*)user;
userinfo.pw = (char*)password;
- if ((res = pam_start(pam_servicename,
+ if ((res = pam_start(conf->service,
userinfo.name,
&conv_info,
&pamh)) != PAM_SUCCESS) {
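Review bot: `pam_start(conf->service,` relies on a `conf` variable that none of the visible lines declare; check that this function fetches the per-directory config, and that it cannot be NULL, before this call. Since the service name is now configurable, the failure branch after `!= PAM_SUCCESS` should also log `conf->service` so that a mistyped `AuthnPAMService` value is easy to spot in error_log.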