[mpm-itk] problem with authentication (AuthType Basic...)

Patrick Proniewski patpro at patpro.net
Fri Mar 29 08:25:16 CET 2013


On 29 March 2013, at 07:54, Alex Domoradov wrote:

>> but I need a way out, a workaround, to allow my users to use authentication...
> 
> 1 virtual host = 1 web site = 1 user ?

Unfortunately, not possible. It would need a major reengineering of this hosting and related services (dns...). Many web sites are also dependent on their domain name / base URL (badly coded CMS), and would need reconfiguration to work properly.

Do you have any explanation why a call to mod_auth* in a directory would trigger a call to the root level of the parent virtual host?

And quite important too: is there any other mod_* that will eventually fail the same way in this context?

> 
> On Thu, Mar 28, 2013 at 6:13 PM, Patrick Proniewski <patpro at patpro.net> wrote:
>> Hello,
>> 
>> I've just deployed apache 2.2 with mpm-itk in production (~35 vhosts, 250 web sites) and discovered a serious issue.
>> As you can read, I've got more web sites than vhosts, so basically, for some vhosts I have many web sites:
>> 
>> <vhost number 1>
>>        # global directives
>>        ...
>>        # default user:group
>>        AssignUserID www www
>> 
>>        <directory #1>
>>                # local user:group
>>                AssignUserID user1 www
>>        </directory>
>>        <directory #2>
>>                # local user:group
>>                AssignUserID user2 www
>>        </directory>
>>        # and so on
>>        ...
>> 
>> Works great, until some user tries to use authentication (.htaccess for example). Something quite simple like this will fail:
>> 
>>        AuthType Basic
>>        AuthName "foo bar"
>>        AuthUserFile /tmp/patpro.passwd
>>        AuthGroupFile /tmp/patpro.group
>>        Require group admin
>> 
>> The symptom is quite clear:
>> 
>> [warn] Couldn't set uid/gid/priority, closing connection.
>> [warn] (itkmpm: pid=82842 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
>> 
>> When I GET a web page in http://vhost #1/directory #1/, the httpd process takes UID user1 and GID www (80), then the process tries to trigger authentication. This authentication process seems to relate to vhost #1, so the httpd process tries to switch to UID www, and fails.
>> I understand it's perfectly "legal", but I need a way out, a workaround, to allow my users to use authentication...
>> 
>> Any idea?
>> 
>> regards,
>> Patrick
>> _______________________________________________
>> mpm-itk mailing list
>> mpm-itk at err.no
>> http://lists.err.no/mailman/listinfo/mpm-itk
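
An added example, not part of the original message or of mpm-itk itself: a small Python triage script that pulls the `itkmpm` warnings quoted above out of an error log and counts which already-switched UID attempted which second identity change. The sample log is constructed from the line format shown in the message; the function names and the extra PIDs/UIDs are assumptions made for illustration.

```python
import re
from collections import Counter

# Matches the mpm-itk warning format quoted in the message above.
ITK_FAIL = re.compile(
    r"\(itkmpm: pid=(?P<pid>\d+) uid=(?P<uid>\d+), gid=(?P<gid>\d+)\) "
    r"(?P<hook>\w+)\(\): (?P<call>\w+)\((?P<args>[^)]*)\): (?P<error>.+)$"
)

# Constructed sample log; the first two lines follow the message, the rest
# are invented values in the same format.
SAMPLE_LOG = """\
[warn] Couldn't set uid/gid/priority, closing connection.
[warn] (itkmpm: pid=82842 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[warn] (itkmpm: pid=82850 uid=1003, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
[error] File does not exist: /usr/local/www/favicon.ico
[warn] (itkmpm: pid=82861 uid=1002, gid=80) itk_post_perdir_config(): initgroups(www, 80): Operation not permitted
"""

def parse_itk_failures(text):
    """Return one dict per itkmpm identity-switch failure found in text."""
    events = []
    for line in text.splitlines():
        m = ITK_FAIL.search(line)
        if not m:
            continue
        ev = m.groupdict()
        for key in ("pid", "uid", "gid"):
            ev[key] = int(ev[key])
        ev["args"] = [a.strip() for a in ev["args"].split(",")]
        # A non-zero uid means the child had already given up root, so any
        # further initgroups()/setuid() call is refused by the kernel.
        ev["already_dropped"] = ev["uid"] != 0
        events.append(ev)
    return events

def summarize(events):
    """Count failures per (current uid, failing call, requested user)."""
    return Counter((e["uid"], e["call"], e["args"][0]) for e in events)

if __name__ == "__main__":
    for (uid, call, target), n in summarize(parse_itk_failures(SAMPLE_LOG)).items():
        print(f"uid={uid} failed {call}() to '{target}' {n} time(s)")
```

Grouping by current UID shows which per-directory `AssignUserID` accounts are hitting the second switch, which narrows down the directories whose users have enabled authentication.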



