On Sat, Jul 21, 2007 at 06:08:23PM +0200, joy wrote:
> Hi,
>
> Is the mod_auth_radius-2.0.c supposed to work properly with Apache 2.2.x?
>
> I can compile it just fine, but can't get it to work on runtime. I loaded
> auth_radius before auth_basic and used AuthBasicAuthoritative Off,
> but it didn't work, I always get this error:
>
> Internal error: pcfg_openfile() called with NULL filename
>
> Maybe, like LDAP, this module should become a an AuthBasicProvider?
I took a hint from mod_auth_xradius' changes for Apache 2.1+, and made the
patch which is attached... but it still doesn't work. Apache is so annoying
to debug, I need to compile the server with debugging symbols and run it
through gdb... :(
Anyway, any information would be appreciated.
--
2. That which causes joy or happiness.
--- libapache-mod-auth-radius-1.5.7.orig/mod_auth_radius-2.0.c
+++ libapache-mod-auth-radius-1.5.7/mod_auth_radius-2.0.c
@@ -300,6 +300,9 @@
#include "apr_general.h"
#include "apr_tables.h"
#include "apr_strings.h"
+/* Apache 2.1+ */
+#include "ap_provider.h"
+#include "mod_auth.h"
module AP_MODULE_DECLARE_DATA radius_auth_module;
@@ -1122,8 +1125,11 @@
* basic authentication...
*/
-static int
-authenticate_basic_user(request_rec *r)
+/* common stuff for both Apache 2.0 and 2.1+ */
+int
+authenticate_basic_user_common(request_rec *r,
+ const char* user,
+ const char* sent_pw)
{
radius_dir_config_rec *rec =
(radius_dir_config_rec *)ap_get_module_config (r->per_dir_config, &radius_auth_module);
@@ -1131,9 +1137,8 @@
radius_server_config_rec *scr = (radius_server_config_rec *)
ap_get_module_config (s->module_config, &radius_auth_module);
conn_rec *c = r->connection;
- const char *sent_pw;
char errstr[MAX_STRING_LEN];
- int res, min;
+ int min;
char *cookie;
char *state = NULL;
char message[256];
@@ -1143,9 +1148,6 @@
if (!rec->active || !scr->radius_ip) /* not active here, or no radius */
return DECLINED; /* server declared, decline */
- if ((res = ap_get_basic_auth_pw(r, &sent_pw)))
- return res;
-
if (r->user[0] == 0) /* NUL users can never be let in */
return HTTP_UNAUTHORIZED;
@@ -1227,9 +1229,58 @@
return OK;
}
+/* Apache 2.1+ */
+static authn_status
+authenticate_basic_user_newargs(request_rec *r,
+ const char *user,
+ const char *password)
+{
+ int normalreturnvalue = authenticate_basic_user_common(r, user, password);
+
+ if (normalreturnvalue == OK)
+ return AUTH_GRANTED;
+ else if (normalreturnvalue == HTTP_UNAUTHORIZED)
+ return AUTH_DENIED;
+ else
+ return AUTH_GENERAL_ERROR;
+ /* AUTH_USER_NOT_FOUND would be nice, but the typical RADIUS server
+ never gives any such information, it just sends an Access-Reject
+ packet, no reasons given
+ */
+}
+
+/* Apache 2.0 */
+static int
+authenticate_basic_user(request_rec *r)
+{
+ int res;
+ const char *sent_pw;
+
+ /* this used to say just if ((res=...)), which relied on the fact that
+ OK is defined as 0, and the other states are non-0, which is then
+ used in a typical C fashion... but it's a bad idea, really, we should
+ explicitly check if it's not OK, whatever that may be -joy
+ */
+ res = ap_get_basic_auth_pw(r, &sent_pw);
+ if (res != OK)
+ return res;
+
+ return authenticate_basic_user_common(r, r->user, sent_pw);
+}
+
+/* Apache 2.1+ */
+static const authn_provider authn_radius_provider = {
+ &authenticate_basic_user_newargs,
+ NULL
+};
+
static void register_hooks(apr_pool_t *p)
{
- ap_hook_check_user_id(authenticate_basic_user,NULL,NULL,APR_HOOK_MIDDLE);
+#if 0 /* Apache 2.0 */
+ ap_hook_check_user_id(authenticate_basic_user_oldargs,NULL,NULL,APR_HOOK_MIDDLE);
+#else /* Apache 2.1+ */
+ ap_register_provider(p, AUTHN_PROVIDER_GROUP, "radius", "0", &authn_radius_provider);
+#endif
}
module AP_MODULE_DECLARE_DATA radius_auth_module =
