mod_auth_shadow on Apache 2.2.22 (upgrading from Fedora 15)

Here’s a gotcha for people upgrading from Apache 2.2.17 (on Fedora 15) to Apache 2.2.22 (on Fedora 16). Somewhere along the line the requirements for an auth config changed, and all of a sudden directories protected using mod_auth_shadow start spewing out 500 errors, and the error logs fill up with errors like “AuthUserFile not specified in the configuration”. As I use mod_auth_shadow, I have no AuthUserFile (it authenticates against the system), but it appears that with AuthType Basic, Apache now expects a file by default and complains when it doesn’t get one.

Adding AuthBasicAuthoritative Off to your config block restores the previous behaviour, and you can continue authenticating your users as before. Although I hit this bug with mod_auth_shadow, other authentication plugins (such as mod_auth_mysql) may be affected too.
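
A check for the upgrade problem described above, as an added example that is not from the original post: it scans Apache config text for sections that set AuthType Basic with no AuthUserFile and no AuthBasicAuthoritative Off. The sample config, its paths and the find_affected helper are constructed for illustration, and each section is judged on its own directives only (no inheritance, Include or .htaccess handling).

```python
# Constructed sample config (paths and realm names are made up). AuthShadow is
# mod_auth_shadow's own directive; the other directives appear in the post.
SAMPLE_CONF = """
<Directory "/var/www/private">
    AuthType Basic
    AuthName "Private"
    AuthShadow on
    Require valid-user
</Directory>
<Location /admin>
    AuthType Basic
    AuthName "Admin"
    AuthShadow on
    AuthBasicAuthoritative Off
    Require valid-user
</Location>
<Directory "/var/www/files">
    AuthType Basic
    AuthName "Files"
    AuthUserFile /etc/httpd/htpasswd
    Require valid-user
</Directory>
"""

def find_affected(conf_text):
    """Return the opening lines of sections that set AuthType Basic with no
    AuthUserFile and without AuthBasicAuthoritative Off."""
    affected, stack = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("</"):            # section closes: evaluate it
            if stack:
                header, seen = stack.pop()
                if (seen.get("authtype") == "basic"
                        and "authuserfile" not in seen
                        and seen.get("authbasicauthoritative") != "off"):
                    affected.append(header)
        elif line.startswith("<"):           # section opens
            stack.append((line, {}))
        elif stack:                          # directive inside a section
            parts = line.split(None, 1)      # directive names are case-insensitive
            stack[-1][1][parts[0].lower()] = parts[1].lower() if len(parts) > 1 else ""
    return affected

if __name__ == "__main__":
    for header in find_affected(SAMPLE_CONF):
        print("needs AuthBasicAuthoritative Off:", header)
```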