Authenticate/Authorize user based on group with apache and mysql - mysql

I am trying to get authorization to work on my apache installation. I want to authorize depending on what group the user belongs to.
I am using
Apache 2.2.15
Centos 6.2 (Running as guest in VB)
My setup is working if I only want to authenticate/authorize based on the user.
Here is the significant part (I think...) of my httpd.conf:
<Directory "/var/www/html">
Options Indexes FollowSymLinks
AllowOverride None
Order allow,deny
Allow from all
AuthType Basic
AuthName "Restricted Files"
AuthBasicProvider dbd
Require dbd-group 1
Require valid-user
AuthzDBDQuery "SELECT group_id FROM groupsusers JOIN user ON groupsusers.user_id = user.id WHERE groupsusers.group_id = 1 AND user.users = %s"
AuthDBDUserPWQuery "SELECT password FROM user WHERE users = %s"
</Directory
AuthzDBDQuery doesn't work since, as I understand it, it is not part of any stable version yet. This is the error message I get while starting httpd:
Invalid command 'AuthzDBDQuery', perhaps misspelled or defined by a module not included in the server configuration httpd not running, trying to start
My question is, how can I use groups for authorization when using mysql for storing the groups? I guess it must be possible without re-compiling apache?
Since everything around this is pretty poor documented it would be greate to get some detailed instructions. Of course, anything that can help me in the rigth direction is appreciated.
Thanks!

I think it is not possible at this stage. I think it will come support for this in the next stable version of httpd.

The problem was solved after I enabled authz_dbd mod in apache 2.4.

Related

Unable to resolve .local domains with getent even though avahi-resolve-host-name succeeds

Trying to set up a network printer with CUPS.
Followed online documentation that stated:
To discover or share printers using DNS-SD/mDNS, setup .local hostname
resolution with Avahi and restart cups.service.
Followed directions for setting up Avahi to the point where avahi-browse --all --ignore-local --resolve --terminate and avahi-resolve-host-name my-domain.local are both working.
But getent hosts my-domain.local fails to resolve. This results in CUPS failing to print because it can't find my-printer.local.
I read the mdns Github page and saw a note that made me think I didn't need a /etc/mdns.allow file.
nss-mdns has a simple configuration file /etc/mdns.allow for enabling
name lookups via mDNS in other domains than .local.
Note: The "minimal" version of nss-mdns does not read /etc/mdns.allow under any circumstances. It behaves as if the file
does not exist.
In the recommended configuration, no /etc/mdns.allow file is present.
But then I saw the last note in that section:
If, during a request, the system-configured unicast DNS (specified in
/etc/resolv.conf) reports an SOA record for the top-level local name,
the request is rejected. Example: host -t SOA local returns something
other than Host local not found: 3(NXDOMAIN). This is the unicast SOA
heuristic.
I tested that out on my machine and sure enough, I was getting something OTHER than Host local not found....
Adding a /etc/mdns.allow file with a line for .local. and for .local and now I can ping my-printer.local.

How to connect to local MySQL Server 8.0 with DBIish in Perl6

I'm working on a Perl6 project, but having difficulty connecting to MySQL. Even when using the DBIish (or perl6.org tutorial) example code, the connection fails. Any suggestions or advice is appreciated! User credentials have been confirmed accurate too.
I'm running this on Windows 10 with MySQL Server 8.0 and standard Perl6 with Rakudo Star. I have tried modifying the connection string in numerous ways like :$password :password<> :password() etc. but can't get a connection established. Also should note that I have the ODBC, C, C++, and.Net connectors installed.
#!/usr/bin/perl6
use v6.c;
use lib 'lib';
use DBIish;
use Register::User;
# Windows support
%*ENV<DBIISH_MYSQL_LIB> = "C:/Program Files/MySQL/MySQL Server 8.0/liblibmysql.dll"
if $*DISTRO.is-win;
my $dbh = DBIish.connect('mysql', :host<localhost>, :port(3306), :database<dbNameHere>, :user<usernameHere>, :password<pwdIsHere>) or die "couldn't connect to database";
my $sth = $dbh.prepare(q:to/STATEMENT/);
SELECT *
FROM users
STATEMENT
$sth.execute();
my #rows = $sth.allrows();
for #rows { .print }
say #rows.elems;
$sth.finish;
$dbh.dispose;
This should be connecting to the DB. Then the app runs a query, followed by printing out each resulting row. What actually happens is the application hits the 'die' message every time.
This is more of a work around, but being unable to use use a DB is crippling. So even when trying to use the NativeLibs I couldn't get a connection via DBIish. Instead I have opted to using DB::MySQL which is proving to be quite helpful. With a few lines of code this module has your DB needs covered:
use DB::MySQL;
my $mysql = DB::MySQL.new(:database<databaseName>, :user<userName>, :password<passwordHere>);
my #users = $mysql.query('select * from users').arrays;
for #users { say "user #$_[0]: $_[1] $_[2]"; }
#Results would be:
#user #1: FirstName LastName
#user #2: FirstName LastName
#etc...
This will print out a line for each user formatted as shown above. It's not as familiar as DBIish, but this module gets the job done as needed. There's plenty more you can do with it to, so I highly recommend reading the docs.
According to this github DBIish issue 127
The environmental variable DBIISH_MYSQL_LIB was removed. I don't know if anyone brought it back.
However if you add the library's path, and the file is named mysql.dll, it will work. Not a good result for the scientific method.
So more testing is needed - and perhaps
C:\Program Files\MySQL\MySQL Server 8.0\lib>mklink mysql.dll .\libmysql.dll
Oviously you can create your own lib directory and add that to your path and then add this symlink to that directory.
Hope this helps. I've spent hours..
EDIT: Still spending time - accounting later.
Something very transitory is going on. I reset the machine (perhaps always do this from now on), and still got the missing mysql.dll errors. Tried going into the MySQL lib directory to execute raku from there.. worked. changed directories.. didn't work.
Launched administrator cmd - from home directory, tried the raku command. Worked. Ok - not good, but perhaps consistent. Launched non admin cmd, tried it from the MySQL lib directory, worked. And just for giggles, tried it outside of that directory.. worked.
Now I can't get it not to work. Will explore NativeLibs::Searcher as Valle Lukas suggested!
Maybe the example in the dbiish repository is not valid anymore.
The DBIISH_MYSQL_LIB Env seems to be replaced by NativeLibs::Searcher with commit 9bc4191
Looking at NativeLibs::Searcher may help to find the root cause of the problem.

Nagios / check_mk - Duplicate host

I've been having a dupliate host problem with nagios3 and check_mk from the Jessie repos.
After installing and config nagios3, I added my web.cfg for nagios.
I wanted to additional chekcs done by check_mk, so added the hosts to main.mk.
Then check_mk -I, -II and finally -U
-U will generate the first check_mk_commands but it contains an "host" definition. If I remove it and cat check_mk_commands > web.cfg it has depenceies problems.
If I remove the host definition from my web.cfg of nagios, there is still the same problem: duplicate host entry in "web.cfg"
I checked cfg_dir and nothing is included twice.
I am doing the same thing #work and it works.
Is there a way to tell check_mk not to do the host definition, I've spent 5 days of this.
Let me know if want some pasties, but I nailed the problem: check_mk does an host definition that is already in my nagios webserver monitoring configuration.
Removing the definition from one or the other doesn't work.
Even copyiing check_mk_commands.cfg without the host into my nagios3 config won't work due to missing templates.
Anyone encountered this problem ?
Please let me know, 6th day on this..
/usr/share/check_mk/modules/config.py has a variable that's called 'generate_hostconf' which is True by default.
If you change this to False, check_mk will not generate the host_config.
EDIT: This should be done in main.mk or any conf.d/*.mk files since it's not nice to edit core files.
/etc/check_mk/conf.d/no_host_config.mk:
generate_hostconf = False

SVN Authentication using MySQL

I'm trying to setup per repository SVN authentication via MySQL but I'm having a few problems.
Firstly what is the difference between mod_authn_dbd and mod_auth_mysql?
Secondly I already have a MySQL database setup with a table for users, groups and permissions. Is it possible using either of these mods to link into my current permission system where by a username, password and permission is required to access the repository (Preferable with a read permission and write permission per repository)
tbl_users: user_id, user_name, user_hash
tbl_group: group_id, group_name
tbl_permission: permission_id, permission_name
tbl_user_group: user_id, group_id
tbl_group_permission: group_id, permission_id
tbl_user_permission: user_id, permission_id
Firstly the difference.
mod_authn_dbd provides authentication front-ends such as mod_auth_digest and mod_auth_basic to authenticate users by looking up users in SQL tables.
mod_auth_mysql is an Apache module that allows authentication using user and group data stored in MySQL databases. The project seems to not have updated since 2005, so I'd go for mod_authn_dbd.
To set this up properly, first you need to configure mod_authn_dbd and mod_dbd up properly in your apache configuration, mod_dbd takes care of your database connection. Once you've done this (make sure your Apache is running with those modules active), then you can go ahead configuring them.
Add something like this to your apache configuration to configure the database connection:
<IfModule mod_dbd.c>
DBDriver mysql
DBDParams "host=(your_db_server, p.e. 127.0.0.1) dbname=your_db_name user=your_db_user pass=your_db_pass"
DBDMin 1
DBDKeep 8
DBDMax 20
DBDExptime 200
</IfModule>
Now add your desired authentication configuration into the apache configuration:
<Directory "/your/svn/repository/path/">
Options FollowSymLinks Indexes MultiViews
AuthType Basic
AuthName "Allowed users Only"
AuthBasicProvider dbd
AuthDBDUserPWQuery "SELECT pwd FROM tbl_users, tbl_user_group WHERE tbl_users.user_id=%s AND tbl_user.user_id=tbl_user_group.user_id"
Require valid-user
AllowOverride None
Order allow,deny
Allow from all
</Directory>
I've simplified the SELECT-statement for better readability, you have to expand this to get your configuration refined.
EDIT:
After typing I've found a very good example in the web, maybe read it here, too. It goes alot deeper than my simplified answer.

Request Entity Too Large

I get this message,
Request Entity Too Large
The requested resource
/index.php
does not allow request data with POST requests, or the amount of data provided in the request exceeds the capacity limit.
I set
php_value post_max_size 50M
php_value upload_max_filesize 50M
in .htaccess but not helped
How to overcome this?
Thanks
After you are over the raising of PHP's memory_limit, post_max_size and upload_max_filesize, I would like to recommend you some articles related to the topic, maybe one of them solves the problem.
I found this post on Server Fault:
https://serverfault.com/questions/79741/php-apache-post-limit/79745#79745
sybreon suggests to double-check the Content-Length, and - citing - "ensure that you are directly connecting to Apache and not through either a proxy or a reverse-proxy. Some reverse-proxies place a cap on the maximum size of a request as a sort of security measure. So, you may want to check that as well as your Apache logs to ensure that nothing else is going on."
sybreon also posted this link: Apache 413 error problems.
The following is only applicable if you have mod_ssl module turned on in Apache. (Otherwise this setting can cause a server crash.)
Citing the article:
"I was using Apache SSL client certificates, which have a limit of 128K, and if re-negotiation has to happen, a larger POST will fail.
This Bugzilla posting had the clues - You have to set the following as DEFAULTS for your SSL server, not just the directory.
SSLVerifyClient require
Otherwise it forces a renegotiation of some sort, and fails with a 413 error."
The previous article also mentioned the LimitRequestBody directive.
A guy says here that the appropriate setting of this directive solved his problem..
I hope one of these settings solves this problem!
The only thing that would work for me was to tune up the SSL Buffer Size. You can set this by...
<Directory /my/blah/blah>
...
# Set this to something big...
SSLRenegBufferSize 10486000
...
</Directory>
...and then just restart Apache for the change to take effect. (Found this at: http://forum.joomla.org/viewtopic.php?p=2085574)
You can also use "Location /" to simply apply the setting to a whole VirtualHost:
<VirtualHost *:443>
# ...
<Location />
SSLRenegBufferSize 101048600
</Location>
# ...
</VirtualHost>
My server is Apache. It was mod_security module which was preventing post of large data approximately 171 KB.
I did below configurations in mod_security.conf
SecRequestBodyNoFilesLimit 10486000
SecRequestBodyInMemoryLimit 10486000
If max_post_upload and max_file_upload in PHP has been set,
and there is a setting in Apache2.conf or ModSec config files of LimitRequestBody set high enough
then possibly a .htaccess file will work.
Go to the directory with the upload php file in it ( the file or page throwing the error.)
2 . Make or edit .htaccess
3 . Edit or create a line with
LimitRequestBody 20971520 in it.
Save the .htaccess. Set permissions. ( 644 and apache owner)
Possibly restart apache.
Tada . Hopefully fixed.
This setting sets that limit for this folder only - which is one way to avoid a global setting in php and apache which makes you open to large packet / load DOS attacks.
LimitRequestBody 0 gives you unlimited uploads.
I was struggling with this 413 - Request entity too large problem for last day or so, as I was trying to upload farely large (in MBs) images to the server.
My setup is apache (227) proxying requests to jboss eap (6.4.20) server for accessing rest endpoints.
2 Things worked for me.
Make SSLVerifyClient required at the virtual host level. This means all the resources need a valid client cert presented to be served. This was not an option for me as all the resources except /api should NOT be mutual auth protected. So, while it worked, this was not an option for me.
I removed the global level SSLVerifyClient required and kept it 'optional'. I re enabled required option only on <Location /api>...</Location>. Trick was to have the SSL renegotiation happen only after a certain threshold is reached - which would be our desired upload file size.
So, finally it turned out that I had to enable 'SSLRenegBufferSize' setting on a specific LocationMatch as follows:
<LocationMatch ^/api/v1/path/(.*)/to/(.*)/resource/endpoint$>
SSLRenegBufferSize 5242880 #allow upto 5MB for files to come through
</LocationMatch>
(.*) in the case above represents my path params in the endpoint. Hope this helps.
After raising of PHP's memory_limit, post_max_size and upload_max_filesize in php.ini, I still had the problem.
What was also needed was the following in apache2.conf:
LimitRequestBody 1000000000
That's for a max size of 1GB.
The docs say that 0 is the default, which means unlimited. However, until I set the directive, I couldn't upload large files.
Don't forget to restart apache2.