mod_auth_radius-2.0.c patch to support Apache 2.2.x
Hi, I've tried sending this directly to the author, but there seems to be a problem somewhere, so I'm sending it to the list instead. Maybe I should file it as a bug report... This has been in the Debian package for a while now (http://packages.debian.org/libapache2-mod-auth-radius). ----- Forwarded message from Josip Rodin <joy@entuzijast.net> ----- Date: Sat, 31 May 2008 22:37:00 +0200 From: Josip Rodin <joy@entuzijast.net> To: Alan DeKok <aland@freeradius.org> Subject: mod_auth_radius-2.0.c patch to support Apache 2.2.x Hi, I'm resending the below e-mail just in case you didn't notice, it's been almost three months now. http://www.freeradius.org/mod_auth_radius/ is still only shipping the old versions... On Sun, Mar 09, 2008 at 09:12:19PM +0100, Josip Rodin wrote:
On Thu, Mar 06, 2008 at 03:36:27AM +0100, Josip Rodin wrote:
On Sat, Jul 21, 2007 at 06:08:23PM +0200, joy wrote:
Is the mod_auth_radius-2.0.c supposed to work properly with Apache 2.2.x?
I can compile it just fine, but can't get it to work on runtime.
Maybe, like LDAP, this module should become a an AuthBasicProvider?
I took a hint from mod_auth_xradius' changes for Apache 2.1+, and made the patch which is attached... but it still doesn't work. Apache is so annoying to debug, I need to compile the server with debugging symbols and run it through gdb... :(
Okay, I debugged it a bit further (no help from gdb), and managed to produce a working patch. The problem that threw me off was the early DECLINED handling in the authenticate_basic_user() function, which got activated both when the module was inactive and when the RADIUS server definition was missing. However, these two conditions are functionally quite different, so I split the handling in two, with the latter case leaving a warning in the log file.
The working patch is attached. It allows people to define: AuthBasicProvider radius and everything appears to be working well after that.
-- 2. That which causes joy or happiness.
--- libapache-mod-auth-radius-1.5.7.orig/mod_auth_radius-2.0.c +++ libapache-mod-auth-radius-1.5.7/mod_auth_radius-2.0.c @@ -300,6 +300,9 @@ #include "apr_general.h" #include "apr_tables.h" #include "apr_strings.h" +/* Apache 2.1+ */ +#include "ap_provider.h" +#include "mod_auth.h"
module AP_MODULE_DECLARE_DATA radius_auth_module;
@@ -1122,8 +1125,11 @@ * basic authentication... */
-static int -authenticate_basic_user(request_rec *r) +/* common stuff for both Apache 2.0 and 2.1+ */ +int +authenticate_basic_user_common(request_rec *r, + const char* user, + const char* sent_pw) { radius_dir_config_rec *rec = (radius_dir_config_rec *)ap_get_module_config (r->per_dir_config, &radius_auth_module); @@ -1131,21 +1137,25 @@ radius_server_config_rec *scr = (radius_server_config_rec *) ap_get_module_config (s->module_config, &radius_auth_module); conn_rec *c = r->connection; - const char *sent_pw; char errstr[MAX_STRING_LEN]; - int res, min; + int min; char *cookie; char *state = NULL; char message[256]; time_t expires; struct stat buf;
- if (!rec->active || !scr->radius_ip) /* not active here, or no radius */ - return DECLINED; /* server declared, decline */ + /* not active here, just decline */ + if (!rec->active) + return DECLINED; + + /* no server declared, decline but note for debugging purposes -joy */ + if (!scr->radius_ip) { + ap_log_error(APLOG_MARK, APLOG_NOERRNO | APLOG_WARNING, 0, r->server, + "AuthRadiusActive set, but no RADIUS server IP - missing AddRadiusAuth in this context?"); + return DECLINED; + }
- if ((res = ap_get_basic_auth_pw(r, &sent_pw))) - return res; - if (r->user[0] == 0) /* NUL users can never be let in */ return HTTP_UNAUTHORIZED;
@@ -1227,9 +1237,57 @@ return OK; }
+/* Apache 2.1+ */ +static authn_status +authenticate_basic_user_newargs(request_rec *r, + const char *user, + const char *password) +{ + int normalreturnvalue = authenticate_basic_user_common(r, user, password); + + if (normalreturnvalue == OK) + return AUTH_GRANTED; + else if (normalreturnvalue == HTTP_UNAUTHORIZED) + return AUTH_DENIED; + else + return AUTH_GENERAL_ERROR; + /* AUTH_USER_NOT_FOUND would be nice, but the typical RADIUS server + never gives any such information, it just sends an Access-Reject + packet, no reasons given + */ +} + +/* Apache 2.0 */ +static int +authenticate_basic_user(request_rec *r) +{ + int res; + const char *sent_pw; + + /* this used to say just if ((res=...)), which relied on the fact that + OK is defined as 0, and the other states are non-0, which is then + used in a typical C fashion... but it's a bad idea, really, we should + explicitly check if it's not OK, whatever that may be -joy + */ + res = ap_get_basic_auth_pw(r, &sent_pw); + if (res != OK) + return res; + + return authenticate_basic_user_common(r, r->user, sent_pw); +} + +/* Apache 2.1+ */ +static const authn_provider authn_radius_provider = { + &authenticate_basic_user_newargs, + NULL +}; + static void register_hooks(apr_pool_t *p) { - ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE); +/* Apache 2.1+ */ + static const char * const aszPost[]={ "mod_authz_user.c", NULL }; + ap_register_provider(p, AUTHN_PROVIDER_GROUP, "radius", "0", &authn_radius_provider); + ap_hook_check_user_id(authenticate_basic_user,NULL,aszPost,APR_HOOK_MIDDLE); }
module AP_MODULE_DECLARE_DATA radius_auth_module =
-- 2. That which causes joy or happiness. ----- End forwarded message -----
participants (1)
-
Josip Rodin