Package: apache2.2-common Version: 2.2.3-3 Severity: important
In short: config syntax for LDAP authorization changed a LOT, and is not well described anywhere. While updating from apache 2.0, the user should be warned about necessary configuration changes.

A bit longer:

I use LDAP authorization for my apache2 installation. Today I tried upgrading my apache from 2.0 to 2.2. And ...

1) First surprise happened while updating:

   Preparing to replace apache2-mpm-prefork 2.0.55-4.1 (using .../apache2-mpm-prefork_2.2.3-3_i386.deb) ...
   Stopping apache 2.0 web server...Syntax error on line 1 of /etc/apache2/mods-enabled/auth_ldap.load:
   Cannot load /usr/lib/apache2/modules/mod_ldap.so into server: /usr/lib/apache2/modules/mod_ldap.so: cannot open shared object file: No such file or directory
   failed!

And of course any attempts to start apache2 after the update finished resulted in the same problem. Solving this cost me about 15 minutes (first I thought that the ldap module was split off into some package), but I finally found that I should

   a2dismod ldap
   a2enmod authnz_ldap

Nevertheless, this is surely a thing I could be warned about before the upgrade. Also, disabling the ldap module automatically is really worth consideration.

2) OK, I enabled the module above, restarted apache. Now every access to my pages resulted in Internal Server Error, with fantasy errors in the logfile:

   [Thu Nov 09 12:01:12 2006] [error] Internal error: pcfg_openfile() called with NULL filename
   [Thu Nov 09 12:01:12 2006] [error] [client 16.193.144.107] (9)Bad file descriptor: Could not open password file: (null)

Some googling showed PLENTY of people desperately seeking the solution to this problem on different mailing lists and forums, usually without any reply. Finally I found the solution: one must add the following lines to the configuration file:

   AuthBasicProvider ldap
   AuthUserFile /dev/null

3) Finally, there were no more internal errors, but my authorizations were not accepted for some reason. I did not analyse it in detail, but it seems 'require valid-user' no longer works. Fortunately there is new syntax which works correctly - 'require ldap-group'.

My suggestions:

a) during upgrade disable the ldap module before stopping apache to avoid the syntax error
b) before upgrade show the user a message, warning him about important config changes in case he is using ldap authorization and referring him to some doc file
c) in the doc file advise him to:
   - a2enmod authnz_ldap
   - add clauses

        AuthBasicProvider ldap
        AuthUserFile /dev/null

     in all <Location> blocks which refer to ldap authorization
   - review require clauses and change require user and require group to the new require ldap-group, require ldap-user etc

-- System Information:
Debian Release: testing/unstable
  APT prefers testing
  APT policy: (500, 'testing'), (50, 'unstable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.15-1-686
Locale: LANG=pl_PL, LC_CTYPE=pl_PL (charmap=ISO-8859-2)

Versions of packages apache2.2-common depends on:
ii  apache2-utils   2.2.3-3   utility programs for webservers
ii  libmagic1       4.17-4    File type determination library us
ii  lsb-base        3.1-15    Linux Standard Base 3.1 init scrip
ii  mime-support    3.37-1    MIME files 'mime.types' & 'mailcap
ii  net-tools       1.60-17   The NET-3 networking toolkit

apache2.2-common recommends no packages.

-- no debconf information
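A 2.2-style <Location> block that pulls the reporter's three changes (authnz_ldap module, explicit provider with a dummy AuthUserFile, ldap-* require clauses) together, as an added example that is not part of the bug report; the LDAP server, base DN and group DN are placeholders, and AuthLDAPURL / AuthzLDAPAuthoritative are standard mod_authnz_ldap directives the report itself does not mention:

```apache
# Added example, not from the bug report. Placeholders: ldap.example.org,
# dc=example,dc=org, cn=webadmins. Load the module first:
#   a2dismod ldap ; a2enmod authnz_ldap ; apache2ctl configtest
<Location /private>
    AuthType Basic
    AuthName "LDAP-protected area"

    # 2.2: name the provider explicitly. Without this mod_auth_basic falls
    # back to the file provider, which has no AuthUserFile and fails with
    # "Could not open password file: (null)" (the 500 seen in the report).
    AuthBasicProvider ldap
    AuthUserFile /dev/null

    # Where to look users up; ?uid?sub means search the subtree by uid.
    AuthLDAPURL "ldap://ldap.example.org/ou=People,dc=example,dc=org?uid?sub"

    # Default in 2.2, stated here on purpose: a user the LDAP module
    # rejects is not handed on to other authz modules for a second chance.
    AuthzLDAPAuthoritative on

    # 2.2 spelling of the group check. A plain "require group" is handled
    # by mod_authz_groupfile (which needs an AuthGroupFile), not by LDAP.
    Require ldap-group cn=webadmins,ou=Groups,dc=example,dc=org
</Location>
```

Run apache2ctl configtest after editing so a syntax error is caught before the running server is stopped, which is the situation the report's point 1) describes.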