LDAP and Apache Permissions - Ubuntu

I have set up Virtualmin with LDAP and configured the system (mail, users, etc) to use the LDAP server for authentication. The issue I am having is Apache's permissions on newly created virtual servers. In order for Apache to successfully display an index page I must chmod 777 from the home folder all the way through the public folder. Somewhere along the line the www-data group is not being allowed to serve the page. I get a Forbidden unless the permissions are changed.

LDAP seems to be configured and functioning properly. I can change users' passwords from the command line, users can login to usermin and email is working just fine.

Status: Closed (fixed)

Comments

It sounds like Apache's www-data user might not be getting added to the groups for new domains.

If you SSH in as root and run the command:

su -s /bin/sh www-data -c "id -a ; groups"

what does it output?

Hi JamieCameron,

The output is below.


root@control:/home/administrator# su -s /bin/sh www-data -c "id -a ; groups"
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data

Thanks

Ok, looks like www-data isn't in the domains' groups.

If you go to Webmin -> System -> LDAP Users and Groups -> Groups -> some domain's group, does www-data appear as a member?

www-data is a member in all of the groups listed.

Ok .. also check in /etc/nsswitch.conf that the group: line contains ldap

Amazingly fast responses!

The file does contain ldap on the group line. Below are the contents of nsswitch.conf:


passwd: compat ldap
group: compat ldap
shadow: compat ldap

hosts: files dns
networks: files

protocols: db files
services: db files
ethers: db files
rpc: db files

netgroup: nis

How about the users in your LDAP DB - are they showing up as regular Unix users? You could test with a command like:

id -a XXX

where XXX is the ID of a domain's username.

The command above gives me

uid=1003(outland) gid=1004(outland) groups=1004(outland)

Here is the error that shows in a site's error_log:

.htaccess pcfg_openfile: unable to check htaccess file, ensure it is readable

and the page error when I try to visit:

Forbidden

You don't have permission to access / on this server.

Hope that helps, and thanks for your time.

Does it help if you delete the www-data user from your /etc/passwd and /etc/shadow files, then add it (with the same UID, GID and home directory) to your LDAP database using the LDAP Users and Groups module?

I have a feeling that a non-LDAP user cannot be in an LDAP group.

I removed both the user and the group and added them as a LDAP user and LDAP group. No change.

The funny thing is I usually log into the system via ssh, but this time I logged in via the console. When logging in through the console the system requests I enter my password twice to log in as administrator so one of the authentication methods is failing.

In reviewing one of the pam.d files I came across

https://help.ubuntu.com/community/LDAPClientAuthentication

which indicates "a new tool to modify pam and nsswitch". I'm not sure if this could be the issue so I am pasting the output of the running profile below for review:

$ auth-client-config -S
[2009-12-29_08:39:16]
nss_group=group: compat ldap
nss_passwd=passwd: compat ldap
nss_shadow=shadow: compat ldap
pam_account=account sufficient pam_ldap.so
account required pam_unix.so
pam_auth=auth sufficient pam_ldap.so
auth required   pam_unix.so nullok_secure
auth optional   pam_smbpass.so migrate missingok
pam_password=password sufficient pam_ldap.so
password optional   pam_smbpass.so nullok use_authtok use_first_pass missingok
password required   pam_unix.so nullok obscure min=4 max=8 md5
pam_session=session sufficient pam_ldap.so
session required pam_unix.so

I just thought of another possible cause - in your /etc/ldap.conf file, is there any pam_min_uid or pam_min_gid line set to something other than 0 ? If so, change it to 0.

Also check the files /etc/libnss-ldap.conf and /etc/pam_ldap.conf if they exist.

The lines in the ldap.conf file for those settings are commented out.

Both of the files you are referring to are not there. Should they be links of another file?

In ldap.conf, try commenting them in with the values:

pam_min_uid 0
pam_min_gid 0

I seem to recall that the min UID defaults to something like 1000, which excludes the www-data user.

Ok, I have added those settings to the config file and restarted, still no change.

In A/B'ing this LDAP box against a normal Virtualmin install I did notice that when I run getent group on them, the groups on the LDAP box indicate they do not have a password set.

sitegroup:*:1002:www-data

Whereas the normal install shows

sitegroup:x:1002:www-data

How about the pam_member_attribute line in ldap.conf - what is that set to? It should be like:

pam_member_attribute memberUid

The problem is trying to add the www-data to the site group. No matter what I try the www-data user will not show as a part of any other group.

uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data

If I add a site to the www-data group it shows correctly. Both are in LDAP so I'm not sure what the problem could be.

Just thought of another possible cause - in ldap.conf there is an nss_initgroups_ignoreusers line. Make sure that www-data isn't in that list.
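The checks Jamie walks through in this thread (is www-data listed as a member of the domain's group, and do the ldap.conf settings pam_min_uid, pam_min_gid, pam_member_attribute and nss_initgroups_ignoreusers stop NSS or PAM from seeing it) can be scripted. The script below is an added example and is not code from the thread or from Virtualmin; the group lines and ldap.conf fragment it runs against are constructed sample data, and the function names are this example's own. It reads getent-style group lines from stdin so it can be run offline here or fed real data on the host.

```shell
#!/bin/sh
# Added example (not from the Virtualmin thread or project): audit why a
# web-server user such as www-data is not picked up as a supplementary member
# of a domain's group when group data comes from LDAP through NSS.

# Return 0 when USER is listed as a member of GROUP in getent-style group
# lines read from stdin (name:passwd:gid:member1,member2,...), else 1.
group_has_member() {
    awk -F: -v g="$1" -v u="$2" '
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Print one line per ldap.conf setting that would hide USER (with the given
# numeric uid/gid) from NSS or PAM; the exit status is the number of findings.
# Arguments: conf-file user uid gid
ldap_conf_findings() {
    awk -v u="$2" -v uid="$3" -v gid="$4" '
        /^[ \t]*#/ || NF == 0 { next }          # skip comments and blank lines
        $1 == "pam_min_uid" && $2 + 0 > uid + 0 {
            print "pam_min_uid " $2 " is above uid " uid; n++ }
        $1 == "pam_min_gid" && $2 + 0 > gid + 0 {
            print "pam_min_gid " $2 " is above gid " gid; n++ }
        $1 == "pam_member_attribute" { attr = $2 }
        $1 == "nss_initgroups_ignoreusers" {
            k = split($2, list, ",")
            for (i = 1; i <= k; i++) if (list[i] == u) {
                print "nss_initgroups_ignoreusers lists " u \
                      "; its supplementary groups are never looked up"; n++ }
        }
        END {
            if (attr != "" && attr != "memberUid") {
                print "pam_member_attribute is " attr \
                      " (posixGroup members are stored in memberUid)"; n++ }
            exit n + 0
        }' "$1"
}

# Run both checks for one group/user pair. Group database on stdin.
# Arguments: group user uid gid conf-file
audit_web_user() {
    if group_has_member "$1" "$2"; then
        echo "group db: $2 is a listed member of $1"
    else
        echo "group db: $2 is NOT a listed member of $1"
    fi
    n=0
    ldap_conf_findings "$5" "$2" "$3" "$4" || n=$?
    if [ "$n" -eq 0 ]; then
        echo "ldap.conf: no blocking settings"
    else
        echo "ldap.conf: $n setting(s) need attention"
    fi
}

# Constructed sample data (not taken from the thread): www-data is listed in
# the site group, but ldap.conf both filters its uid and ignores it for
# initgroups, which is the symptom the thread describes.
SAMPLE_GROUPS='sitegroup:*:1002:www-data
outland:*:1004:'
SAMPLE_LDAP_CONF='# constructed /etc/ldap.conf fragment
base dc=example,dc=com
#pam_min_uid 0
pam_min_uid 1000
pam_member_attribute memberUid
nss_initgroups_ignoreusers root,ldap,www-data'

conf=$(mktemp)
printf '%s\n' "$SAMPLE_LDAP_CONF" > "$conf"
printf '%s\n' "$SAMPLE_GROUPS" | audit_web_user sitegroup www-data 33 33 "$conf"
rm -f "$conf"
```

On the real host, feed it live data: `getent group | audit_web_user sitegroup www-data 33 33 /etc/ldap.conf`, then compare with `id -nG www-data`. When getent lists the user in the group but id does not show that group, the lookup is being filtered on the client side, and the settings this script flags are the first things to look at.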

This is the happiest day of my life. It's funny how something so simple can cause so much misery. Thanks for all your time and effort Jamie.

Great! I will add a mention of this to the Virtualmin LDAP documentation ..

Automatically closed -- issue fixed for 2 weeks with no activity.