mod_auth_radius AuthBasicProvider Directive Support

Michael Maul mike.maul at gmail.com
Thu Mar 13 19:00:53 CET 2008


Since mod_auth_radius didn't seem to be handling authorization requests in
apache 2.2 for me,
I added support for mod_auth's AuthBasicProvider directive in
mod_auth_radius. This allows you to direct mod_auth to use mod_auth_radius
as it's authentication provider.

A patch for mod_auth_radius-2.0.c is provided below. To use: build with
-DUSING_AUTHBASICPROVIDER and place
    AuthBasicProvider radius
in the httpd.conf file at the Directory or Location level
------------------------------------------------Patch
Follows------------------------------------
--- mod_auth_radius-1.5.7/mod_auth_radius-2.0.c 2003-03-24 14:16:
15.000000000 -0500
+++ mod_auth_radius-2.0.c 2008-03-13 13:42:54.000000000 -0400
@@ -92,7 +92,13 @@
   allows you to have mod_auth_radius authoritative by default, but NOT
   have it interfere with the rest of your configuration.  The
authentication
   methods are tried from the bottom of the list, on up.
-
+
+  If you are load mod_auth_radius before mod_auth or mod_auth_radius is
still
+  is not handling authentication requests, you can use the directive:
+        AuthBasicProvider radius
+  at the directory or Locatuion level. To use this you must have built this
module
+  with the -DUSING_AUTHBASICPROVIDER directive
+
   You must have at least one authentication method as authoritative.  If
   they all return "DECLINED", you get "server configuration error" message.

@@ -232,7 +238,9 @@

   Version History
   ===============
-
+  1.5.8 Support for mod_auth provider plugin from Mike Maul <
maul.mike at gmail.com>
+        AuthBasicProvider directive implemented value radius.
+
   1.5.4  Support for retries from John Lines <john.lines at integris.co.uk>
          Port to Apache 2.0 by Harrie Hazewinkel <harrie at mod-snmp.com>

@@ -290,7 +298,10 @@
 #include <netdb.h>
 #include <openssl/md5.h>
 #include <sys/stat.h>
-
+#ifdef USING_AUTHBASICPROVIDER
+#include "ap_provider.h"
+#include "mod_auth.h"
+#endif
 #include "httpd.h"
 #include "http_config.h"
 #include "http_core.h"
@@ -301,6 +312,8 @@
 #include "apr_tables.h"
 #include "apr_strings.h"

+
+
 module AP_MODULE_DECLARE_DATA radius_auth_module;


@@ -981,6 +994,12 @@
                               (STRING)[ATTR->length - 2] = 0;}


+
+
+
+                              /* authentication module utility functions */
+
+
 /* authentication module utility functions */
 static int
 check_pw(request_rec *r, radius_server_config_rec *scr, const char *user,
const char *passwd_in, const char *state, char *message, char *errstr)
@@ -1108,6 +1127,8 @@
    apr_pstrcat(r->pool, "Basic realm=\"", ap_auth_name(r), " for ", user, "
'", message, "'", NULL));
     }
 }
+
+
 /* These functions return 0 if client is OK, and proper error status
  * if not... either HTTP_UNAUTHORIZED, if we made a check, and it failed,
or
  * SERVER_ERROR, if things are so totally confused that we couldn't
@@ -1226,10 +1247,35 @@
   add_cookie(r, r->headers_out, cookie, expires);
   return OK;
 }
+#if USING_AUTHBASICPROVIDER
+/* suport function for authn_provider */
+static authn_status authenticate_auth_basic_provider (request_rec * r,
const char* user,
+                               const char* password)
+{
+    // Translate HTTP Response code into autn_status enum values
+    switch(authenticate_basic_user(r)) {
+        case DECLINED: return AUTH_DENIED;
+        case HTTP_UNAUTHORIZED: return AUTH_DENIED;
+        case OK: return AUTH_GRANTED;
+        case HTTP_NOT_FOUND: return AUTH_DENIED;
+    }
+}
+
+static const authn_provider authn_radius_provider = {
+    &authenticate_auth_basic_provider,
+    NULL
+};
+#endif

 static void register_hooks(apr_pool_t *p)
 {
-
ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE);
+#if USING_AUTHBASICPROVIDER
+    ap_register_provider(p, AUTHN_PROVIDER_GROUP, "radius", "0",
+                         &authn_radius_provider);
+#else
+
ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE);
+#endif
+
 }

 module AP_MODULE_DECLARE_DATA radius_auth_module =
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-devel/attachments/20080313/4e63cf4a/attachment.html>


More information about the Freeradius-Devel mailing list