Package: libapache2-mod-authnz-pam
Version: 1.0.1-1
Tags: patch
I have fixed a couple of issues with mod_authnz_pam's logging:
1. I've changed the log level for the "passed" message from
notice to info. "Notice" is special in Apache; it is included
in the log irrespective of the LogLevel setting. Successful
authentication isn't such an important event that it must be
logged unconditionally.
2. I've made the module name appear correctly in the log statements;
previously they looked like:
[Tue Nov 08 19:17:24.340078 2016] [:notice] [pid 13338:tid 140735843676592]
[client 192.168.1.42:51330] mod_authnz_pam: PAM authentication passed for user
phil
Now they look like:
[Tue Nov 08 19:17:24.340078 2016] [authnz_pam:notice] [pid 13338:tid
140735843676592] [client 192.168.1.42:51330] PAM authentication passed for user
phil
I think that this was a result of not using the AP_DECLARE_MODULE
macro. Or possibly of using ap_log_rerror() rather than ap_log_error().
I think that this correction of the module name also means that you
can successfully using the module name in a LogLevel statement, i.e.
LogLevel authnz_pam:Debug.
I've forwarded these as suggestions to mod_authnz_pam's author, Jan
Pazdziora, who replies:
> thank you for the suggestions and analysis. I will review and
> process them later but due to other work it might take some time
> for me to do another release incorporating these changes.
Not related to logging, nor submitted to Jan, I've also added a
configuration merge function so that configuration is inherited from
a parent directory to a subdirectory.
My patch follows. As this might be useful for other users, and as
upstream might be slow to catch up, please consider adding this to
the Debian version of the module.
Thanks, Phil.
--- mod_authnz_pam-1.0.1/mod_authnz_pam.c 2015-11-09 21:42:37.000000000
+0000
+++ libapache2-mod-authnz-pam-1.0.1/mod_authnz_pam.c 2016-11-10
13:49:20.702396637 +0000
@@ -40,6 +40,18 @@ static void * create_dir_conf(apr_pool_t
return cfg;
}
+static void *merge_dir_conf(apr_pool_t *pool, void *basev, void *overv)
+{
+ authnz_pam_config_rec * base = basev;
+ authnz_pam_config_rec * over = overv;
+ authnz_pam_config_rec * cfg = apr_pcalloc(pool,
sizeof(authnz_pam_config_rec));
+
+ cfg->pam_service = over->pam_service ? over->pam_service :
base->pam_service;
+ cfg->expired_redirect_url = over->expired_redirect_url ?
over->expired_redirect_url : base->expired_redirect_url;
+
+ return cfg;
+}
+
static const command_rec authnz_pam_cmds[] = {
AP_INIT_TAKE1("AuthPAMService", ap_set_string_slot,
(void *)APR_OFFSETOF(authnz_pam_config_rec, pam_service),
@@ -170,8 +182,8 @@ static authn_status pam_authenticate_wit
if (ret == PAM_NEW_AUTHTOK_REQD) {
authnz_pam_config_rec * conf =
ap_get_module_config(r->per_dir_config, &authnz_pam_module);
if (conf && conf->expired_redirect_url) {
- ap_log_error(APLOG_MARK, APLOG_ERR, 0,
r->server,
- "mod_authnz_pam:
PAM_NEW_AUTHTOK_REQD: redirect to [%s]",
+ ap_log_rerror(APLOG_MARK, APLOG_ERR, 0,
r,
+ "PAM_NEW_AUTHTOK_REQD: redirect
to [%s]",
conf->expired_redirect_url);
apr_table_addn(r->headers_out,
"Location", format_location(r, conf->expired_redirect_url, login));
return HTTP_TEMPORARY_REDIRECT;
@@ -181,14 +193,14 @@ static authn_status pam_authenticate_wit
}
if (ret != PAM_SUCCESS) {
const char * strerr = pam_strerror(pamh, ret);
- ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
"mod_authnz_pam: %s %s: %s", stage, param, strerr);
+ ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, "%s %s: %s",
stage, param, strerr);
apr_table_setn(r->subprocess_env,
_EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
pam_end(pamh, ret);
return AUTH_DENIED;
}
apr_table_setn(r->subprocess_env, _REMOTE_USER_ENV_NAME, login);
r->user = apr_pstrdup(r->pool, login);
- ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, r->server, "mod_authnz_pam:
PAM authentication passed for user %s", login);
+ ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "PAM authentication passed
for user %s", login);
pam_end(pamh, ret);
return AUTH_GRANTED;
}
@@ -270,10 +282,10 @@ static void register_hooks(apr_pool_t *
APR_REGISTER_OPTIONAL_FN(pam_authenticate_with_login_password);
}
-module AP_MODULE_DECLARE_DATA authnz_pam_module = {
+AP_DECLARE_MODULE(authnz_pam) = {
STANDARD20_MODULE_STUFF,
create_dir_conf, /* Per-directory configuration handler */
- NULL, /* Merge handler for per-directory
configurations */
+ merge_dir_conf, /* Merge handler for per-directory
configurations */
NULL, /* Per-server configuration handler */
NULL, /* Merge handler for per-server configurations
*/
authnz_pam_cmds, /* Any directives we may have for httpd */
