Ben Kulbertis

Development and Operations Engineer

Salt Lake City, Utah, USA

Changes in mod_authz_unixgroup from Apache 2.2 to 2.4

Mar 23, 2016

mod_authz_unixgroup is an Apache module that can be used to allow members of Unix groups on the server to access restricted content with their Unix user credentials. The groups are named in a Require directive, so the module can be used with essentially any AuthType. We utilize this extensively at my place of work, as all our users and groups are stored in our Active Directory and are then mapped to Unix users and groups on all our machines via pam_ldap.

When switching from Apache 2.2 to 2.4, I experienced some issues with compatibility with our current implementation of the module. Under 2.2, the module had to be initialized with ‘AuthzUnixgroup On’ and the Require directive was ‘Require group mygroup’. The whole configuration looked something like this:

AuthType Basic
AuthzUnixgroup On
Require group mygroup

However, this resulted in a 500 error with the following in the logs on Apache 2.4:

Invalid command 'AuthzUnixgroup', perhaps misspelled or defined by a module not included in the server configuration

Surprisingly, I couldn’t find any sign of this error in Google searches. The module was definitely loaded but this directive was unrecognized with no further explanation. I was about to compile the module from source in an attempt to troubleshoot when I found the answer buried in the INSTALL file:

Previous versions of mod_authz_unixgroup needed a ‘AuthzUnixgroup on’ to tell Apache that the “Require file-group” (or “Require group”) directive was supposed to be handled by mod_authz_unixgroup. Now we have a distinct directive, “Require unix-file-group” (and “Require unix-group”) instead, so the ‘AuthzUnixgroup’ is no longer needed and no longer exists.

That certainly explained my error. Now, our configurations look more like this on Apache 2.4:

AuthType Basic
Require unix-group mygroup

Behavior is now identical to how it was on 2.2.
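For anyone with more than a handful of vhosts to convert, the change above can be scripted. The following is an added example, not code from this post or from the module: it removes `AuthzUnixgroup` lines and rewrites `Require group` / `Require file-group` to the `unix-` forms only in sections where the old switch was on, so that blocks relying on mod_authz_groupfile are left alone. The function name, the sample config and the assumption that the switch applies to its enclosing section and to nested sections that do not override it are mine.

```python
import re

# Constructed sample: the second block uses mod_authz_groupfile, so its Require must stay.
SAMPLE = """\
<Directory /srv/private>
    AuthzUnixgroup On
    Require group mygroup
</Directory>
<Directory /srv/other>
    AuthGroupFile /etc/apache2/groups
    Require group staff
</Directory>"""

OPEN = re.compile(r"^\s*<(?!/)\w+")
CLOSE = re.compile(r"^\s*</\w+")
LEGACY = re.compile(r"^\s*AuthzUnixgroup\s+(on|off)\s*$", re.I)
REQUIRE = re.compile(r"^(\s*Require\s+)(file-group|group)\b(.*)$", re.I)

def migrate(conf_text):
    """Return (2.4-style config text, [(line_no, change), ...])."""
    lines = conf_text.splitlines()
    parent, setting, owner, stack = {0: None}, {}, [], [0]
    # Pass 1: map each line to its section and record the switch per section,
    # so it does not matter whether AuthzUnixgroup comes before or after Require.
    for line in lines:
        if OPEN.match(line):
            sec = len(parent)
            parent[sec] = stack[-1]
            stack.append(sec)
        owner.append(stack[-1])
        if CLOSE.match(line) and len(stack) > 1:
            stack.pop()
        m = LEGACY.match(line)
        if m:
            setting[owner[-1]] = m.group(1).lower() == "on"

    def enabled(sec):  # nearest enclosing section with an explicit setting wins (assumption)
        while sec is not None and sec not in setting:
            sec = parent[sec]
        return sec is not None and setting[sec]

    # Pass 2: drop the legacy switch and rewrite only the Requires it governed.
    out, changes = [], []
    for no, (line, sec) in enumerate(zip(lines, owner), 1):
        if LEGACY.match(line):
            changes.append((no, "removed AuthzUnixgroup"))
            continue
        m = REQUIRE.match(line)
        if m and enabled(sec):
            line = f"{m.group(1)}unix-{m.group(2).lower()}{m.group(3)}"
            changes.append((no, "rewrote Require"))
        out.append(line)
    return "\n".join(out), changes
```

Review the returned change list before deploying, and run `apachectl configtest` on the result.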