Documentation for Crowd 2.9. Documentation for earlier versions of Crowd is available too.

The following instructions have been tested on Red Hat Enterprise Linux 6 Server. Other platforms may require variations to this procedure.

Procedure

  1. Open a terminal on the system, change to a suitable working directory, and enter the following command:

    su -c "yum -y install autoconf automake gcc httpd-devel libcurl-devel libtool libxml2-devel mod_dav_svn subversion-devel"
    
  2. Enter the root password when prompted.
  3. Enter the following commands:

    wget http://downloads.atlassian.com/software/crowd/downloads/cwdapache/mod_authnz_crowd-2.2.2.tar.gz
    tar xzf mod_authnz_crowd-2.2.2.tar.gz
    cd mod_authnz_crowd-2.2.2
    autoreconf --install
    ./configure
    make
    su -c "make install"
    
  4. Enter the root password when prompted.
  5. Everything you need should now be installed and Apache should restart. If Apache fails to start, check the /var/log/httpd/error_log file.
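
Step 3 fetches the tarball over plain HTTP and step 3's last command installs the result as root, so it is worth checking the archive before building. The script below is an added example, not part of Atlassian's documentation: it wraps the same commands with a digest check and an archive-layout check. `EXPECTED_SHA256` is a placeholder for a digest obtained from a trusted channel, and the function names and the `--build` switch are hypothetical.

```bash
#!/bin/sh
# Added example (not Atlassian's script). The function names, the --build
# switch and EXPECTED_SHA256 are assumptions; the digest is a placeholder.

TARBALL="mod_authnz_crowd-2.2.2.tar.gz"
TOPDIR="mod_authnz_crowd-2.2.2"
URL="http://downloads.atlassian.com/software/crowd/downloads/cwdapache/$TARBALL"
EXPECTED_SHA256="REPLACE_WITH_DIGEST_FROM_TRUSTED_SOURCE"

# Return 0 only if $2 is a well-formed SHA-256 digest and matches file $1.
verify_sha256() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # Fail closed on an empty, malformed or placeholder digest.
    case "$expected" in
        *[!0-9a-f]*|"") return 1 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 1
    actual=$(sha256sum "$file" | awk '{print $1}') || return 1
    [ "$actual" = "$expected" ]
}

# Return 0 only if every archive member sits under the expected top-level
# directory and no member path contains a ".." component.
archive_is_contained() {
    local file="$1" top="$2" listing member
    listing=$(tar tzf "$file") || return 1
    [ -n "$listing" ] || return 1
    while IFS= read -r member; do
        case "$member" in
            "$top"|"$top"/*) ;;
            *) return 1 ;;
        esac
        case "/$member/" in
            */../*) return 1 ;;
        esac
    done <<EOF
$listing
EOF
    return 0
}

# Run the documented build only when invoked with --build.
if [ "${1:-}" = "--build" ]; then
    set -eu
    wget -O "$TARBALL" "$URL"
    verify_sha256 "$TARBALL" "$EXPECTED_SHA256" || {
        echo "digest mismatch: refusing to build $TARBALL" >&2
        exit 1
    }
    archive_is_contained "$TARBALL" "$TOPDIR" || {
        echo "unexpected archive layout: refusing to extract $TARBALL" >&2
        exit 1
    }
    tar xzf "$TARBALL"
    cd "$TOPDIR"
    autoreconf --install
    ./configure
    make
    su -c "make install"
fi
```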

Now that the software is installed, the next step is to configure Apache authentication.

38 Comments

  1. On Ubuntu 10.4 x64

    • apt-get install apache2-threaded-dev libsvn-dev libcurl4-gnutls-dev libxml2-dev
    • ln -s /usr/include/apache2 /usr/include/httpd (httpd.h)
    • ln -s /usr/lib/apache2/ /usr/lib64/httpd (mod_dav.so)
    • ln -s /etc/apache2/ /etc/httpd/conf (httpd.conf)
    • ln -s /usr/bin/apxs2 /usr/sbin/apxs (apxs)
    • ln -s /usr/sbin/apache2ctl /usr/sbin/apachectl (apachectl)

    But ends in segfault :(

    1. Hi TimmJD,

      Thanks for letting us know about this.

      I'm currently investigating the segfault. You can track progress here.

      Regards,
      Adrian Hempel
      Senior Developer, Integration
      ATLASSIAN

    2. I've reproduced this problem on 32 and 64-bit versions of Ubuntu 10.04, and I've also reproduced it on Ubuntu 10.10.

      Until we can fix this, Ubuntu users can continue to use version 1.3 of the connector with Crowd 2.1.

      Apologies for any inconvenience caused.

  2. Will there be Mac OS X instructions / binaries anytime soon?

    1. Hi Doug,

      We have no immediate plans to provide Mac OS X binaries, but I've created an issue to track this request. You might like to vote for it and watch it.

      The instructions above have been used to build the connector on Mac OS X, with the exception that MacPorts was used instead of yum.

  3. Anonymous

    We are waiting for the Ubuntu fix.  When will these be available?

  4. Anonymous

    The package libcurl-devel is not available in RHEL 5.4. I used curl-devel instead...

  5. I got it to compile for FreeBSD. The big issue was that file paths were hardcoded. I do not understand the concept of using autoconf but hard-coding file paths in there. Anyway, here's the process:

    • Edit the configure.ac file and change the hardcoded paths in there to relative paths (let autoconf do the work of finding the paths to the files being searched for)
    • Add various library paths (LDFLAGS; I had to add /usr/local/lib)
    • do the autoreconf --install
    • do the ./configure
    • Make sure you install the FreeBSD ports which correspond to the RH RPMs (curl, etc)
    • It appears to work but I have to upgrade Crowd before I will know if it works :-)
  6. Anonymous

    Hi,
    I was able to install Crowd Apache connector 2.0.2 on MacOS X Snow Leopard and integrate it with SVN with following steps:
    1. Install XCode 3.2.6 (free from Apple site if you register)
    2. Install Macports 1.9.2 from http://www.macports.org/
    3. Download mod_authnz_crowd-2.0.2.tar.gz from  https://studio.plugins.atlassian.com/svn/CWDAPACHE/tags/2.0.2/
    untar the file and execute following:
    autoreconf --install
    ./configure
    make
    su -c "make install"
    Here are steps for svn authorization via crowd :
    1. Create /etc/apache2/httpd-subversion.conf and put following text:
    <Location /svn>
      DAV svn
      SVNParentPath /var/svn/
      AuthName "Authorization via Crowd"
      AuthType Basic
      PerlAuthenHandler Apache::CrowdAuth
      PerlSetVar CrowdAppName svn
      PerlSetVar CrowdAppPassword PUT_YOUR_SVN_CROWD_APP_PASS_HERE
      PerlSetVar CrowdSOAPURL https://XXX.XXX.XXX.XXX:8443/crowd/services/SecurityServer
      PerlSetVar CrowdCacheEnabled on
      PerlSetVar CrowdCacheLocation /tmp/CrowdAuth
      PerlSetVar CrowdCacheExpiry 300
      Require valid-user
    </Location>  
    If you have repo /var/svn/reponame you shall access it via: http://host/svn/reponame
    You must add svn application in crowd and to have valid CrowdSOAPURL. In this example this is: https://XXX.XXX.XXX.XXX:8443/crowd/services/SecurityServer
    2. Turn off WebDav from servers administration panel
    3. Include perl mode in /etc/apache2/httpd.conf:
    LoadModule perl_module     libexec/apache2/mod_perl.so 
    4. Download and install following perl modules from http://search.cpan.org/:
    Error-0.17016.tar.gz
    IPC-ShareLite-0.17.tar.gz
    Class-Inspector-1.25.tar.gz
    Task-Weaken-1.04.tar.gz
    SOAP-Lite-0.712.tar.gz
    Cache-Cache-1.02.tar.gz
    Note : install modules in this order because of dependency.
    Common steps for installations are:
    perl Makefile.PL
    make (In this step check for warning for missing modules. You must install them)
    make test (If tests are failed check for warnings in make step)
    sudo make install
    5. Download CrowdAuth.pm from: https://jira.atlassian.com/secure/attachmentzip/unzip/51901/20859%5B6%5D/Apache-CrowdAuth-0.04/lib/Apache/CrowdAuth.pm
    and copy into /System/Library/Perl/USED_PERL_VERSION/Apache
    6. Set permissions in svn repo as root:
    chown www /var/svn/reponame/
    chmod -R go-rwx /var/svn/reponame/
    7. Restart apache:
    sudo /usr/sbin/apachectl restart
    Enjoy!

  7. I was able to compile and install the module to opensuse 11.3:

    

    sudo zypper in autoconf +checkinstall +automake +gcc +apache2-devel +libcurl-devel +libtool +libxml2-devel +subversion-devel +subversion-server +make
    ln -s /usr/include/apache2 /usr/include/httpd
    ln -s /usr/lib/apache2/ /usr/lib/httpd
    ln -s /usr/lib/apache2 /usr/lib/apache2/modules
    ln -s /usr/sbin/apxs2 /usr/sbin/apxs
    

    Kari

  8. Heya guys, after much banging my head against a brick wall I managed to get this compiled and installed on a cPanel server running CentOS, in theory this same procedure should work for any cPanel server.

    http://technicalnotebook.com/wiki/display/home/Compile+Atlassian%27s+Crowd+authenticator+on+CentOS+server+with+cPanel

    I have also logged a couple of support tickets in regards to improvements to the ./configure script as it has some incompatibilities that needed creative workarounds.

    Stuart

  9. Compiled and running on Solaris 5.10 (Generic_142901-03 i86pc i386 i86pc) using gcc 3.4.3

    but after spending half a day making it compile and doing some ugly things:

    1. edited configure.in (similar to what Viren Shah suggested) - for example:

      AC_CHECK_FILE([/opt/xxxxxx/build/httpd-2.2.21/include/httpd.h], [APACHE_INCLUDE_DIR="/opt/xxxxxx/build/httpd-2.2.21/include"], [
                  AC_MSG_ERROR([Could not locate Apache include directory])
      ])
      AC_SUBST([APACHE_INCLUDE_DIR])

      I replaced all the default hardcoded paths with the hardcoded paths that are correct for our environment. It would be better to let autoconf find everything like Viren suggested, but I didn't know how to do it (first time I edited a configure.in file..)

    2. Adding more hardcoded, our-server-specific paths to CFLAGS and LD_LIBRARY_PATH (can't remember if this was 100% necessary anymore, but I think it was to make apr incompatibility error messages go away - configure: error: apr_pool_pre_cleanup_register was not found in libapr-1)

      CFLAGS='-I/opt/gsb/include -I/usr/sfw/include -I/opt/xxxxxx/local/i386/SunOS-5.10/httpd-2.2.21/include'
      LD_LIBRARY_PATH=/opt/xxxxxx/usr/local/sqlite/lib:/opt/gsb/lib:/opt/GSBperl/lib:/opt/xxxxxx/local/i386/SunOS-5.10/httpd-2.2.21/lib
    3. Solved the #error "Use of <stdbool.h> is valid only in a c99 compilation environment." problem:
      Trying to make this error go away by using all sorts of CFLAGS (-xc99=all , -std=gnu99, -std=cc99) and/or trying to use Sun Studio compiler all didn't work.

      What did work was - copy my system's stdbool.h to mod_authnz_crowd-2.0.2/src/stdbool.h and modified it by removing the macro checks that were throwing the error, so it looks like this:

      ... more stuff
      #include <sys/feature_tests.h>
      
      #undef  bool
      #undef  true
      #undef  false
      #define bool    _Bool
      #define true    1
      #define false   0
      #define __bool_true_false_are_defined   1
      
      #ifdef  __cplusplus
      ... more stuff


      and edited mod_authnz_crowd.c to use the local stdbool.h file

      #include "stdbool.h" (it was #include <stdbool.h> before..)
    4. For some reason compiler couldn't find curl/curl.h (despite -I/opt/gsb/include CFLAGS ..)  so I edited crowd_client.c as well:

      #include "/opt/gsb/include/curl/curl.h" (it was #include <curl/curl.h> before..)

    After running make, make install I copied httpd and subversion installations from our build server to our new svn server and tested it - it worked (I created a test repos, and it was indeed honoring the group memberships defined in our Atlassian Crowd instance).

    For sure not a pretty solution but I think we have it working now.

  10. Hi,

    Any plan to release a version compatible with/compilable against subversion 1.7.x ?

    Thx

    1. Also against httpd 2.4.x

      1. Sorry, there are no such current plans.

  11. Hi,

     

    For those interested, I did my best to port the current module to 2.4.3 of Apache HTTPD. I haven't tested the SVN sub-module, only the HTTPD one.

    Also, the configure.ac and Makefile(s) suck once you have a customized httpd install.

    Note that your config files should be changed: 'Require group' becomes 'Require crowd-group'

    As I don't have perms to create attachments, here's the patch file below

    Crowd module for httpd 2.4.3
    diff -r -u mod_authnz_crowd-2.0.2/src/cache.c mod_authnz_crowd-2.0.2.mod/src/cache.c
    --- mod_authnz_crowd-2.0.2/src/cache.c    2011-03-29 07:51:32.000000000 +0200
    +++ mod_authnz_crowd-2.0.2.mod/src/cache.c    2013-01-30 18:31:25.000000000 +0100
    @@ -4,6 +4,8 @@
     
     #include "cache.h"
     
    +APLOG_USE_MODULE(authnz_crowd);
    +
     static apr_status_t cache_destroy(void *data) {
     }
     
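    Review bot: the unconditional `APLOG_USE_MODULE(authnz_crowd);` added after `#include "cache.h"` relies on a macro that only exists in the httpd 2.4 headers, so this file no longer builds against 2.2. If one tree should keep building for both, wrap it in `#ifdef APLOG_USE_MODULE` ... `#endif`; the same applies to the identical additions in crowd_client.c and util.c.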
    diff -r -u mod_authnz_crowd-2.0.2/src/crowd_client.c mod_authnz_crowd-2.0.2.mod/src/crowd_client.c
    --- mod_authnz_crowd-2.0.2/src/crowd_client.c    2011-03-29 07:51:32.000000000 +0200
    +++ mod_authnz_crowd-2.0.2.mod/src/crowd_client.c    2013-01-31 16:22:21.000000000 +0100
    @@ -27,6 +27,8 @@
     
     #include "crowd_client.h"
     
    +APLOG_USE_MODULE(authnz_crowd);
    +
     #define STATUS_CODE_UNKNOWN -1
     #define XML_PROLOG "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
     
    @@ -546,8 +548,8 @@
             switch (write_data.status_code) {
                 case HTTP_BAD_REQUEST:
                     if (!expect_bad_request) {
    -                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unexpected status code: %d",
    -                        write_data.status_code);
    +                    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unexpected status code: %d, url '%s'",
    +                        write_data.status_code, url);
                         success = false;
                     }
                     break;
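    Review bot: the `url` appended to the "Unexpected status code" message in the HTTP_BAD_REQUEST case is written to error_log at APLOG_ERR, so check what that URL can contain before logging it whole. If it is built from the username or other request-supplied values, log only the path or the operation name instead. The `default:` case in the next hunk makes the identical edit, so a small helper would keep the two messages in sync.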
    @@ -561,8 +563,8 @@
                     success = false;
                     break;
                 default:
    -                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unexpected status code: %d",
    -                    write_data.status_code);
    +                ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "Unexpected status code: %d, url '%s'",
    +                    write_data.status_code, url);
                     success = false;
             }
         }
    @@ -608,7 +610,7 @@
     
     static char *make_session_cache_key(const char *token, const char *forwarded_for, const request_rec *r, const crowd_config *config) {
         return log_ralloc(r, apr_psprintf(r->pool, "%s\037%s\037%s\037%s\037%s", token,
    -        forwarded_for == NULL ? "" : forwarded_for, r->connection->remote_ip, config->crowd_app_name,
    +        forwarded_for == NULL ? "" : forwarded_for, r->useragent_ip, config->crowd_app_name,
             config->crowd_url));
     }
     
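    Review bot: in make_session_cache_key, `r->useragent_ip` is not a plain rename of `r->connection->remote_ip`. In 2.4 the renamed field is `r->connection->client_ip` (the TCP peer), while `useragent_ip` can be rewritten by mod_remoteip from a request header. The key already carries `forwarded_for` as its own component, so `client_ip` would keep cached sessions bound to the peer address as they were before.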
    @@ -741,7 +743,7 @@
     
     static const char *get_validation_factors(const request_rec *r, const char *forwarded_for) {
         const char *payload_beginning = log_ralloc(r, apr_pstrcat(r->pool,
    -        "<validation-factors><validation-factor><name>remote_address</name><value>", r->connection->remote_ip,
    +        "<validation-factors><validation-factor><name>remote_address</name><value>", r->useragent_ip,
             "</value></validation-factor>", NULL));
         if (payload_beginning == NULL) {
             return NULL;
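    Review bot: the `remote_address` validation factor built in get_validation_factors is sent to Crowd as the client address, and with `r->useragent_ip` its value depends on whether mod_remoteip is loaded and which proxies it trusts. State the intended source address in a comment here, or make it configurable, so that putting the server behind a proxy does not silently change which address tokens are validated against.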
    diff -r -u mod_authnz_crowd-2.0.2/src/mod_authnz_crowd.c mod_authnz_crowd-2.0.2.mod/src/mod_authnz_crowd.c
    --- mod_authnz_crowd-2.0.2/src/mod_authnz_crowd.c    2011-03-29 07:51:32.000000000 +0200
    +++ mod_authnz_crowd-2.0.2.mod/src/mod_authnz_crowd.c    2013-01-31 16:23:24.000000000 +0100
    @@ -11,6 +11,7 @@
     #include "http_core.h"
     #include "http_config.h"
     #include "http_log.h"
    +#include "http_request.h"
     #include "mod_auth.h"
     
     #undef PACKAGE_BUGREPORT
    @@ -60,6 +61,10 @@
      */
     static void *create_dir_config(apr_pool_t *p, char *dir)
     {
    +    if (dir == NULL) {
    +        return NULL; // do not create a config object when not in a directory context
    +    }
    +
         ap_log_perror(APLOG_MARK, APLOG_DEBUG, 0, p, "Creating Crowd config for '%s'", dir);
         authnz_crowd_dir_config *dir_config = log_palloc(p, apr_pcalloc(p, sizeof(authnz_crowd_dir_config)));
         if (dir_config == NULL) {
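    Review bot: returning NULL from create_dir_config when `dir == NULL` means get_config() can now return NULL on ordinary requests, so every caller has to handle it. crowd_access_checker and authnz_crowd_user_groups do; confirm that the directive handlers and the authn provider do as well. The `//` comment should also be `/* ... */` to match the rest of the file.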
    @@ -237,11 +242,19 @@
         authnz_crowd_dir_config *config
             = (authnz_crowd_dir_config *) ap_get_module_config(r->per_dir_config, &authnz_crowd_module);
         if (config == NULL) {
    -        ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Configuration not found.");
    +        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, "Configuration not found.");
         }
         return config;
     }
     
    +apr_array_header_t *authnz_crowd_user_groups(const char *username, request_rec *r) {
    +    authnz_crowd_dir_config *config = get_config(r);
    +    if (config == NULL) {
    +        return NULL;
    +    }
    +    return crowd_user_groups(username, r, config->crowd_config);
    +}
    +
     typedef struct {
         request_rec *r;
         authnz_crowd_dir_config *config;
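    Review bot: lowering "Configuration not found." from APLOG_CRIT to APLOG_DEBUG in get_config hides the case that still fails hard: crowdgroup_check_authorization returns an error when `config == NULL`, and at the default LogLevel nothing will explain why. Keep the debug level here if NULL is now expected, but log at APLOG_ERR in the callers that treat a NULL config as a failure.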
    @@ -287,8 +300,9 @@
         return 1;
     }
     
    -static int check_user_id(request_rec *r) {
    +static int crowd_access_checker(request_rec *r) {
         authnz_crowd_dir_config *config = get_config(r);
    +
         if (config == NULL || !(config->accept_sso)) {
             return DECLINED;
         }
    @@ -452,102 +466,74 @@
         return OK;
     }
     
    -apr_array_header_t *authnz_crowd_user_groups(const char *username, request_rec *r) {
    -    authnz_crowd_dir_config *config = get_config(r);
    -    if (config == NULL) {
    -        return NULL;
    -    }
    -    return crowd_user_groups(username, r, config->crowd_config);
    -}
     
    -/**
    - * This hook is used to check to see if the resource being requested
    - * is available for the authenticated user (r->user and r->ap_auth_type).
    - * It runs after the access_checker and check_user_id hooks. Note that
    - * it will *only* be called if Apache determines that access control has
    - * been applied to this resource (through a 'Require' directive).
    - *
    - * @param r the current request
    - * @return OK, DECLINED, or HTTP_...
    - */
    -static int auth_checker(request_rec *r) {
    +static authz_status crowdgroup_check_authorization(request_rec *r,
    +                                                   const char *require_args,
    +                                                   const void *parsed_require_args)
    +{
    +    const char *t;
    +    char *w;
     
         authnz_crowd_dir_config *config = get_config(r);
    -    if (config == NULL) {
    -        return HTTP_INTERNAL_SERVER_ERROR;
    -    }
    -
    -    if (r->user == NULL) {
    -        ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Authorisation requested, but no user provided.");
    -        return HTTP_INTERNAL_SERVER_ERROR;
    -    }
    -
    -    /* Iterate over requirements */
    -    const apr_array_header_t *requires = ap_requires(r);
    -    apr_array_header_t *user_groups = NULL;
    -    int x;
    -    for (x = 0; x < requires->nelts; x++) {
    -
    -        require_line require = APR_ARRAY_IDX(requires, x, require_line);
    -
    -        /* Ignore this requirement if it does not apply to the HTTP method used in the request. */
    -        if (!(require.method_mask & (AP_METHOD_BIT << r->method_number))) {
    -            continue;
    -        }
    -
    -        const char *next_word = require.requirement;
    -
    -        /* Only process group requirements */
    -        if (strcasecmp(ap_getword_white(r->pool, &next_word), "group") == 0) {
    -
    -            /* Fetch groups only if actually needed. */
    -            if (user_groups == NULL) {
    -                user_groups = crowd_user_groups(r->user, r, config->crowd_config);
    -                if (user_groups == NULL) {
    -                    return HTTP_INTERNAL_SERVER_ERROR;
    -                }
    -            }
    -
    -            /* Iterate over the groups mentioned in the requirement. */
    -            while (*next_word != '\0') {
    -                const char *required_group = ap_getword_conf(r->pool, &next_word);
    -                /* Iterate over the user's groups. */
    -                int y;
    -                for (y = 0; y < user_groups->nelts; y++) {
    -                    const char *user_group = APR_ARRAY_IDX(user_groups, y, const char *);
    -                    if (strcasecmp(user_group, required_group) == 0) {
    -                        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    -                            "Granted authorisation to '%s' on the basis of membership of '%s'.", r->user, user_group);
    -                        return OK;
    -                    }
    -                }
    +    if (config == NULL) {
    +        return HTTP_INTERNAL_SERVER_ERROR;
    +    }
    +
    +    if (!r->user) {
    +        ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Authorisation requested, but no user provided.");
    +        return AUTHZ_DENIED_NO_USER;
    +    }
    +    
    +    /* Iterate over requirements */
    +    t = require_args;
    +    apr_array_header_t *user_groups = NULL;
    +    while ((w = ap_getword_white(r->pool, &t)) && w[0]) {
    +        /* Fetch groups only if actually needed. */
    +        if (user_groups == NULL) {
    +            user_groups = crowd_user_groups(r->user, r, config->crowd_config);
    +            if (user_groups == NULL) {
    +                return AUTHZ_DENIED;
    +            }
    +        }
    +        /* Iterate over the user's groups. */
    +        int y;
    +        for (y = 0; y < user_groups->nelts; y++) {
    +            const char *user_group = APR_ARRAY_IDX(user_groups, y, const char *);
    +            if (strcasecmp(user_group, w) == 0) {
    +                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
    +                    "Granted authorisation to '%s' on the basis of membership of '%s'.", r->user, user_group);
    +                return AUTHZ_GRANTED;
    +            }
    +        }
    +    }
    +    
    +    ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "Denied authorisation to '%s'.", r->user);
    +    return AUTHZ_DENIED;
    +}
     
    -            }
    -        }
    +static const authz_provider authz_crowdgroup_provider =
    +{
    +    &crowdgroup_check_authorization,
    +    NULL,
    +};
     
    -    }
    -    
    -    ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "Denied authorisation to '%s'.", r->user);
    -    return config->authoritative ? HTTP_UNAUTHORIZED : DECLINED;
    -}
     
     static void register_hooks(apr_pool_t *p)
     {
    -    static const char * const pre_auth_checker[]={ "mod_authz_user.c", NULL };
         ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE);
    -    ap_hook_check_user_id(check_user_id, NULL, NULL, APR_HOOK_FIRST);
    -    ap_register_provider(
    -        p,
    -        AUTHN_PROVIDER_GROUP,
    -        "crowd",
    -        "0",                    /* Version of callback interface, not the version of the implementation. */
    -        &authn_crowd_provider
    -    );
    -    ap_hook_auth_checker(auth_checker, pre_auth_checker, NULL, APR_HOOK_MIDDLE);
    +    ap_hook_check_access(crowd_access_checker, NULL, NULL, APR_HOOK_FIRST, AP_AUTH_INTERNAL_PER_CONF);
    +    ap_register_auth_provider(p, AUTHN_PROVIDER_GROUP, "crowd",
    +                              AUTHN_PROVIDER_VERSION,
    +                              &authn_crowd_provider,
    +                              AP_AUTH_INTERNAL_PER_CONF);
    +    ap_register_auth_provider(p, AUTHZ_PROVIDER_GROUP, "crowd-group",
    +                              AUTHZ_PROVIDER_VERSION,
    +                              &authz_crowdgroup_provider,
    +                              AP_AUTH_INTERNAL_PER_CONF);
         ap_log_perror(APLOG_MARK, APLOG_NOTICE, 0, p, PACKAGE_STRING " installed.");
     }
     
    -module AP_MODULE_DECLARE_DATA authnz_crowd_module =
    +AP_DECLARE_MODULE(authnz_crowd) =
     {
         STANDARD20_MODULE_STUFF,
         create_dir_config,
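    Review bot: crowdgroup_check_authorization is declared to return authz_status but returns `HTTP_INTERNAL_SERVER_ERROR` when `config == NULL`; that is an HTTP status code, not an authz_status value, so return `AUTHZ_GENERAL_ERROR` there. A failed `crowd_user_groups()` lookup now yields `AUTHZ_DENIED` where the old auth_checker returned a server error, which makes a Crowd outage look like a real denial; `AUTHZ_GENERAL_ERROR` fits that case too. Group names are now split with `ap_getword_white` instead of `ap_getword_conf`, so quoted group names containing spaces no longer match, and register_hooks moves the SSO handler from the check_user_id hook to `ap_hook_check_access`, which should be checked against `ap_hook_check_authn`.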
    diff -r -u mod_authnz_crowd-2.0.2/src/svn/mod_authz_svn_crowd.c mod_authnz_crowd-2.0.2.mod/src/svn/mod_authz_svn_crowd.c
    --- mod_authnz_crowd-2.0.2/src/svn/mod_authz_svn_crowd.c    2011-03-29 07:51:32.000000000 +0200
    +++ mod_authnz_crowd-2.0.2.mod/src/svn/mod_authz_svn_crowd.c    2012-12-05 11:36:01.000000000 +0100
    @@ -390,7 +390,7 @@
         repos_path = NULL;
     
       if (repos_path)
    -    repos_path = svn_path_join("/", repos_path, r->pool);
    +    repos_path = svn_dirent_join("/", repos_path, r->pool);
     
       *repos_path_ref = apr_pstrcat(r->pool, repos_name, ":", repos_path, NULL);
     
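    Review bot: `svn_dirent_join` is the API for local filesystem paths, but `repos_path` here is a path inside the repository and goes straight into the `repos_name:repos_path` string built on the following line. Use the repository-path join or canonicalize function of the Subversion version being targeted, and test it, since the post says the SVN sub-module was not tested. The same replacement is made for `dest_repos_path` in the next hunk.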
    @@ -437,7 +437,7 @@
             }
     
           if (dest_repos_path)
    -        dest_repos_path = svn_path_join("/", dest_repos_path, r->pool);
    +        dest_repos_path = svn_dirent_join("/", dest_repos_path, r->pool);
     
           *dest_repos_path_ref = apr_pstrcat(r->pool, dest_repos_name, ":",
                                              dest_repos_path, NULL);
    @@ -556,8 +556,7 @@
      * ALLOWED is boolean.  REPOS_PATH and DEST_REPOS_PATH are information
      * about the request.  DEST_REPOS_PATH may be NULL. */
     static void
    -log_access_verdict(const char *file, int line,
    -                   const request_rec *r, int allowed,
    +log_access_verdict(const request_rec *r, int allowed,
                        const char *repos_path, const char *dest_repos_path)
     {
       int level = allowed ? APLOG_INFO : APLOG_ERR;
    @@ -566,22 +565,22 @@
       if (r->user)
         {
           if (dest_repos_path)
    -        ap_log_rerror(file, line, level, 0, r,
    +        ap_log_rerror(APLOG_MARK, level, 0, r,
                           "Access %s: '%s' %s %s %s", verdict, r->user,
                           r->method, repos_path, dest_repos_path);
           else
    -        ap_log_rerror(file, line, level, 0, r,
    +        ap_log_rerror(APLOG_MARK, level, 0, r,
                           "Access %s: '%s' %s %s", verdict, r->user,
                           r->method, repos_path);
         }
       else
         {
           if (dest_repos_path)
    -        ap_log_rerror(file, line, level, 0, r,
    +        ap_log_rerror(APLOG_MARK, level, 0, r,
                           "Access %s: - %s %s %s", verdict,
                           r->method, repos_path, dest_repos_path);
           else
    -        ap_log_rerror(file, line, level, 0, r,
    +        ap_log_rerror(APLOG_MARK, level, 0, r,
                           "Access %s: - %s %s", verdict,
                           r->method, repos_path);
         }
    @@ -635,7 +634,7 @@
             return DECLINED;
     
           if (!ap_some_auth_required(r))
    -        log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);
    +        log_access_verdict(r, 0, repos_path, dest_repos_path);
     
           return HTTP_FORBIDDEN;
         }
    @@ -643,7 +642,7 @@
       if (status != OK)
         return status;
     
    -  log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
    +  log_access_verdict(r, 1, repos_path, dest_repos_path);
     
       return OK;
     }
    @@ -669,7 +668,7 @@
       if (status == OK)
         {
           apr_table_setn(r->notes, "authz_svn_crowd-anon-ok", (const char*)1);
    -      log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
    +      log_access_verdict(r, 1, repos_path, dest_repos_path);
           return OK;
         }
     
    @@ -699,7 +698,7 @@
         {
           if (conf->authoritative)
             {
    -          log_access_verdict(APLOG_MARK, r, 0, repos_path, dest_repos_path);
    +          log_access_verdict(r, 0, repos_path, dest_repos_path);
               ap_note_auth_failure(r);
               return HTTP_FORBIDDEN;
             }
    @@ -709,7 +708,7 @@
       if (status != OK)
         return status;
     
    -  log_access_verdict(APLOG_MARK, r, 1, repos_path, dest_repos_path);
    +  log_access_verdict(r, 1, repos_path, dest_repos_path);
     
       return OK;
     }
    diff -r -u mod_authnz_crowd-2.0.2/src/util.c mod_authnz_crowd-2.0.2.mod/src/util.c
    --- mod_authnz_crowd-2.0.2/src/util.c    2011-03-29 07:51:32.000000000 +0200
    +++ mod_authnz_crowd-2.0.2.mod/src/util.c    2013-01-30 18:31:09.000000000 +0100
    @@ -2,6 +2,8 @@
     
     #include <http_log.h>
     
    +APLOG_USE_MODULE(authnz_crowd);
    +
     void *log_ralloc(const request_rec *r, void *alloc) {
       if (alloc == NULL) {
         ap_log_rerror(APLOG_MARK, APLOG_CRIT, 0, r, "Out of memory");
    
    
    1. 2.2 is still the widest deployed instance so we're not rushing to upgrade. However, if you'd like to put your changes in a fork or issue a pull request to the cwdapache project then it might make it easier for people who are upgrading to make use of these improvements.

      1. Hi, please find my pull request at https://bitbucket.org/atlassian/cwdapache/pull-request/22/refactoring-of-apache-httpd-module-to/diff

        It includes several fixes/improvements:

        • caching is now shared among all httpd workers (threads and processes)
        • do not create sso cookie when the targeted host does not match the cookie config domain setting
        • create sso cookie with httponly set by default
        • added new module setting to control duration of cookie config cache
        • add possibility to control the verification of ssl certificate globally (server scope) and/or locally (dir scope)
        • set default cache duration to 5 mins and 1 hour for the cookie config
        • removed password caching
        • usage of M4 scripts to improve detection of dependencies when calling ./configure
        • compatible with httpd 2.4

        I did not keep the groups from env functionality. It seemed not used in the code but I might be wrong...

    2. Anonymous

      Hi,

      Can you please share the compiled file if you have already or provide the steps to compile this code and how to use it? 

    3. Hey, I'm also interested in it. Can't use this patch with 2.2.2 of crowd connector

      1. Here's a patch based on Issa's work that applies to 2.2.2 and lets it work with apache httpd 2.4 (but breaks 2.2).

        https://bitbucket.org/yunake/cwdapache/commits/832bc2e2d51e3a4b078144051566033ca8b3b7f0

        This repo is a fork of the official repo with the patch applied so you can use it to compile the modules directly. I have initiated a pull request but I don't expect it to be accepted. 

        1. Thank you for the pull request; we will incorporate the fixes eventually. It's just a question of timing and process, as many of our customers are still running Apache 2.2.x (especially RHEL / CentOS customers, for whom it appears that Apache 2.4.x is not yet available in the official repositories).

          1. According to http://distrowatch.com/table.php?distribution=redhat , Apache 2.4.x will arrive with Red Hat Enterprise Linux 7. That may be a good time to move 2.2 support off into a branch and move master over to requiring 2.4.

  12. I am trying to get this to work on AIX 6.1 and currently stuck in a dependency hell. Anybody who managed to do it

  13. These steps also work great for the Amazon CentOS machines.

  14. For FreeBSD, I have created a port that installs everything you need with full dependencies. It is in the www/mod_authnz_crowd port directory.  See also http://www.freshports.org/www/mod_authnz_crowd/

  15. I seem to always get this error. The error comes after I run make install.

    Apache 2.2.22

    Ubuntu 12.04.2 LTS

     

    if [ -e /etc/apache2/mods-enabled/dav.load ]; then mv /etc/apache2/mods-enabled/dav.load /etc/apache2/mods-enabled/1dav.load; fi
    if [ -e /etc/apache2/mods-enabled/dav_svn.load ]; then mv /etc/apache2/mods-enabled/dav_svn.load /etc/apache2/mods-enabled/1dav_svn.load; fi
    /usr/sbin/apache2ctl configtest || mv /tmp/httpd.conf.bak /etc/apache2/httpd.conf
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/authz_svn_crowd.load: Cannot load /usr/lib/apache2/modules/mod_authz_svn_crowd.so into server: /usr/lib/apache2/modules/mod_authz_svn_crowd.so: undefined symbol: svn_urlpath__canonicalize
    Action 'configtest' failed.
    The Apache error log may have more information.
    /usr/sbin/apache2ctl graceful
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/authz_svn_crowd.load: Cannot load /usr/lib/apache2/modules/mod_authz_svn_crowd.so into server: /usr/lib/apache2/modules/mod_authz_svn_crowd.so: undefined symbol: svn_urlpath__canonicalize
    Action 'graceful' failed.
    The Apache error log may have more information.
    make[1]: *** [install] Error 1
    make[1]: Leaving directory `/home/ubuntu/cwdapache/src'
    make: *** [install-recursive] Error 1
    ubuntu@ip-10-31-224-69:~/cwdapache$ sudo /etc/init.d/apache2 restart
    apache2: Syntax error on line 210 of /etc/apache2/apache2.conf: Syntax error on line 1 of /etc/apache2/mods-enabled/authz_svn_crowd.load: Cannot load /usr/lib/apache2/modules/mod_authz_svn_crowd.so into server: /usr/lib/apache2/modules/mod_authz_svn_crowd.so: undefined symbol: svn_urlpath__canonicalize
    Action 'configtest' failed.
    The Apache error log may have more information.

     

    If I unlink the authz_svn_crowd, apache starts but does not work properly.

     

    [Thu Nov 28 12:14:17 2013] [crit] [client xxx] Failed to send authentication request (CURLcode 60 - Peer certificate cannot be authenticated with given CA certificates)
    [Thu Nov 28 12:14:17 2013] [crit] [client xxxx] Failed to send authentication request (CURLcode 60 - Peer certificate cannot be authenticated with given CA certificates)
    [Thu Nov 28 12:14:17 2013] [crit] [client xxx] Crowd authentication failed due to system exception

  16. Thank you for this new version 2.2.2 with the option to remove ssl verification from curl. Any release notes?

    Also, no httpd 2.4.x support? No svn 1.7 / 1.8 support?

    1. I just updated to 2.2.2 connector module for apache 2.2. Everything works just fine: my svn 1.8 clients authenticate and authorize just fine. I had to add "CrowdSSLVerifyPeer Off" to suppress the warnings about the certificate not being set.

      1. I meant server side support for svn 1.7/1.8...

        1. I have no idea what you mean by "server side support". The crowd adapter lives inside apache, and svn authenticates against it just fine when accessing the subversion http URLs.

          1. You need to build the crowd apache module against svn source (which are the server side)

            And I'm looking for httpd 2.4.x with svn 1.8.x support from this crowd module

            1. The 2.2.2 connector builds just fine against subversion 1.8. I just did that yesterday. And it doesn't need the sources, just the development headers properly installed. I don't know what magic you need in linux to make that happen, but in FreeBSD it is part of the normal subversion installation.

              1. I think you're able to compile it because the deprecated method

                is still available in svn headers v1.8. Crowd module, when giving support for svn 1.7+, should stop usage of that method (and any other cases I didn't cover)

              2. Anonymous

                Hi,

                Can you please share the compiled file if you have already or provide the steps to compile this code and how to use it? I am using RedHat Linux 6.

  17. Hello! I've published apache 2.4 crowd modules PPA for utopic and trusty. See the usage notes: https://bitbucket.org/adamansky/cwdapache/overview  

  18. Hi.

    Authentication seems to work, but a bunch of these errors occur during a request:

    [Sun May 31 09:33:41.117318 2015] [authnz_crowd:error] [pid 6241] [client w.x.y.z:59998] Unexpected node type: 15, referer: https://www.example.org/confluence/dashboard.action?updatesSelectedTab=popular
    [Sun May 31 09:33:41.117353 2015] [authnz_crowd:error] [pid 6241] [client w.x.y.z:59998] Unrecognised response from Crowd., referer: https://www.example.org/confluence/dashboard.action?updatesSelectedTab=popular

    Any clue where this comes from?