Apache auth recipe does not work in Apache 2.2

[Paul Bx <pb@…>]

I'm still sorting this out, but I believe that changes in Apache 2.2 have broken the auth recipe here: ​http://www.djangoproject.com/documentation/apache_auth/

The error produced is Internal error: pcfg_openfile() called with NULL filename.

A bit of information on the changes (along with a suggestion for a related change) is here: ​https://issues.apache.org/jira/browse/MODPYTHON-169

[anonymous]

That MODPYTHON-169 issue is not really relevant to the problem.

What you probably need to do is simply add:

AuthBasicAuthoritative Off

to your Apache configuration.

This tells Apache that it is okay for Apache not to perform the actual basic authorisation and for it to be handed off to the authenhandler() supplied by mod_python without complaint.

For more details see:

​http://httpd.apache.org/docs/2.2/mod/mod_auth_basic.html

[Paul <pb@…>]

OK, that's correct, thanks. I'll attach a documentation patch.

[Paul Bx <pb@…>]

For what it's worth, even though the above change did get auth functioning as noted, I just noticed that I'm still getting those

Internal error: pcfg_openfile() called with NULL filename

errors in my Apache log on every request. The documentation patch is probably still a good idea, but someone else will have to chime in on whether that's sufficient for error-free operation or not. I'm out of troubleshooting time for now and don't want to turn this ticket into a help thread.

[anonymous]

The full list of such directives is:

AuthBasicAuthoritative
AuthDefaultAuthoritative
AuthzLDAPAuthoritative
AuthzDBMAuthoritative
AuthzDefaultAuthoritative
AuthzGroupFileAuthoritative
AuthzOwnerAuthoritative
AuthzUserAuthoritative

Which you actually have to turn Off depends a bit on which authentication/authorisation features of Apache you are using. Since you didn't actually provide your Apache configuration snippet I made a guess, but likely you need one of the others. As a second guess I would say:

AuthzGroupFileAuthoritative Off

If updating Django documentation, just make sure you are quite specific that these are Apache 2.2 options as they do not exist in Apache 2.0.

[Malcolm Tredinnick]

Probably a bit optimistic to call this ready for checkin now, in light of comment 5. Let's improve the patch a bit first.

[pb@…]

OK, here's a revised patch that reflects my current understanding of the issue.

[pb@…]

revised patch

[anonymous]

With hopefulness I'm unchecking the "patch needs improvement" box, but I'd appreciate some review to ensure I've explained things correctly.

[Chris Beaven]

We should be more authoritative and actually tell people which to turn off rather than just a vague "turn off some of these". This will need someone doing some testing obviously.

For now, it's probably worth just checking this in so that people have something to refer to in the docs and then opening another ticket.

[Malcolm Tredinnick]

More in the "note to self" department for when it comes time to check this in: adding a link to the Apache issue article Paul referred to initially is worthwhile.

[anonymous]

Replying to SmileyChris:

We should be more authoritative and actually tell people which to turn off rather than just a vague "turn off some of these". This will need someone doing some testing obviously.

My understanding is that which of those off-directives you need to include depends on which auth modules you have loaded in your httpd.conf; but this is one of those details I was hoping for some confirmation on.

[Jacob]

(In [6309]) Fixed #4437: added notes to the modpython auth handler documentation about using the handler with Apache 2.2. Thanks to Paul Bissex for the beginnings of the patch, and Graham Dumpleton for the rest of the info.