Legrandin / PyAuthenNTLM2

PyAuthenNTLM2 is an authentication module for Apache. It validates a user by means of the NTLM protocol and a separate Domain Controller (or Active Directory server).

Not working with Apache 2.4 #15

Open mburtscher opened 10 years ago

mburtscher commented 10 years ago

I've tested the module with both Apache 2.4 (Ubuntu 13.10) and Apache 2.2 (Ubuntu 12.04). Seems like it is not working with Apache 2.4. Although authentication works fine, authorization to view a location "Require valid-user" does not work.

My configuration:

<Directory /var/www/ad-test/>
    AuthType NTLM
    AuthName "AD-Test"

    PythonAuthenhandler pyntlm
    PythonOption Domain "TEST"
    PythonOption PDC 192.168.10.99

    Require valid-user
</Directory>

error.log

[Tue Nov 19 13:22:31.192499 2013] [:notice] [pid 31473] [client 127.0.0.1:36344] PYNTLM: User Administrator/TEST has been authenticated to access URI /ad-test/
[Tue Nov 19 13:22:31.192574 2013] [:error] [pid 31473] [client 127.0.0.1:36344] PYNTLM: Authorization failed for Administrator and URI /ad-test/.

I've tried printing the requires passed to pyntlm.py at line 279:

rules = ''.join(req.requires()).strip()
req.log_error('PyNTLM: %s' % (rules))
if rules=='valid-user' or cacheGroups.has(rules, username):

and it just outputs nothing more than 'PyNTLM: '

DeathR0W commented 9 years ago

Hi, I am also getting this problem with valid-user for 2.4 and I don't know how to solve it... Were you able to fix this issue?

geshido commented 9 years ago

It seems like we have an old mod_python in Ubuntu. The ap_requires function was removed from the Apache API in 2.4, so only the new mod_python (version 3.5) fixes this.

Judokus commented 9 years ago

ap_requires is indeed removed in apache 2.4.

I fixed it by replacing rules = ''.join(req.requires()).strip() with rules = ''.join(req.get_options()['Require'])

I did not test this with 2.2.

jurcello commented 9 years ago

In my situation (Ubuntu 14.04, Apache 2.4) it is not working either. I used the fix from Judokus, but now, after a successful authentication, I end up with a 404 Not Found. Anyone have any idea how to fix this?

PiNotEqual3 commented 8 years ago

This fix did not work for me out of the box. I added @Judokus fix in pyntlm.py:

rules = ''.join(req.get_options()['Require'])

and in apache config for my page I added the line with the option he is getting:

PythonOption Require valid-user

This is missing above. I only had require valid-user and that does not work.

Finally you need to refresh everything:

python setup.py install -f
service apache2 restart

Judokus commented 8 years ago

That's correct, you need to change your apache config Require valid-user to PythonOption Require valid-user
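
As an added example (not code from PyAuthenNTLM2 or from any commenter here): a small Python helper that resolves the Require rule via req.requires() where mod_python still provides a result (Apache 2.2) and otherwise from the PythonOption Require workaround described above, denying the request when neither source yields a rule. The FakeRequest stub, the group_lookup callback and the "user"/"group" rule formats it parses are assumptions made so it runs stand-alone; it also assumes get_options() is dict-like.

```python
# Added example, not PyAuthenNTLM2's own code: resolve the Require rule on both
# Apache 2.2 (req.requires() still wraps ap_requires()) and Apache 2.4 (ap_requires()
# is gone, so fall back to "PythonOption Require ..."), failing closed otherwise.

def resolve_require_rule(req):
    """Return the Require rule as one string, or None if none is configured."""
    requires = getattr(req, "requires", None)
    if callable(requires):
        try:
            # 2.2: a tuple such as ("valid-user",) or ("group admins",);
            # 2.4 with an old mod_python: an empty tuple, as seen in the thread.
            rule = " ".join(requires()).strip()
        except Exception:
            rule = ""
        if rule:
            return rule
    # 2.4 fallback: the value of "PythonOption Require ..." if present.
    rule = (req.get_options().get("Require") or "").strip()
    return rule or None

def is_authorized(req, username, group_lookup):
    """Apply the rule. group_lookup(group, user) -> bool is an assumed callback
    standing in for the module's group cache; missing/unknown rules deny."""
    rule = resolve_require_rule(req)
    if rule is None:
        req.log_error("PYNTLM: no Require rule for this location, denying %s" % username)
        return False
    parts = rule.split()
    if parts == ["valid-user"]:
        return True
    if parts[0] == "user" and len(parts) > 1:
        return username in parts[1:]
    if parts[0] == "group" and len(parts) > 1:
        return any(group_lookup(g, username) for g in parts[1:])
    req.log_error("PYNTLM: unsupported Require rule %r, denying %s" % (rule, username))
    return False

class FakeRequest(object):
    """Constructed stand-in for mod_python's request object (offline use only)."""
    def __init__(self, options, requires=()):
        self._options, self._requires, self.log = options, requires, []
    def requires(self):
        return self._requires
    def get_options(self):
        return self._options
    def log_error(self, msg):
        self.log.append(msg)
```

Note that a missing PythonOption Require makes the helper deny rather than allow, which keeps the Apache 2.4 failure mode from the original report (authorization denied) instead of silently granting access.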

oetiker commented 8 years ago

if you create a PR on https://github.com/oetiker/PyAuthenNTLM2 I'll be glad to merge it!

Judokus commented 8 years ago

not necessary, it's better to use mod_python 3.5 with apache 2.4.x

peternewman commented 7 years ago

From the docs I found on mod_python and elsewhere, .requires() calls ap_requires() ( https://github.com/grisha/mod_python/blob/master/src/requestobject.c#L1447 ). This has been removed in Apache 2.4 ( https://httpd.apache.org/docs/2.4/developer/new_api_2_4.html ) and "The core server now provides better infrastructure for handling Require configuration. Register an auth provider function for each supported entity using ap_register_auth_provider(). The function will be called as necessary during Require processing." Although ap_register_auth_provider() doesn't seem to exist in the mod_python code.

Given that lack of support, I think all of the req.requires() calls need updating at least, so line 283 as well for starters.

oetiker commented 7 years ago

last summer I went ahead and implemented this ... maybe that is of help .... https://github.com/oetiker/net-ldap-spnego

peternewman commented 7 years ago

Thanks for the note @oetiker. Unfortunately your module doesn't work for me at least; I'm essentially looking for a drop-in replacement for mod_ntlm that does NTLMv2 and populates REMOTE_USER, whereas it looks like your code is primarily aimed at embedding into a Perl webserver.

oetiker commented 7 years ago

yes, my module is for embedding into a perl web app ... eg one based on mojolicious ... since you get a handle to access the users ad via ldap, this seems a good deal better than doing this outside of the process in apache which is rather rigid in this respect

peternewman commented 7 years ago

Yeah, I guess they both have advantages. I'm mostly looking to just do a drop-in replacement for existing functionality using NTLMv1 presented as a REMOTE_USER, so if we can swap out, as long as it populates REMOTE_USER the existing applications don't need any changes.

ghost commented 7 years ago

Hello,

I'm trying the new version in an Ubuntu 16.04 environment and it doesn't seem to load. I get no authentication dialog and the log doesn't show any events from PYNTLM.