mod-auth-external

Failure stops other authenticators

Open GoogleCodeExporter opened this issue 11 years ago • 3 comments

What steps will reproduce the problem?
1. Put the following in a .htaccess file:
    AuthType Basic
    AuthBasicProvider external file
    AuthExternal pwauth
    AuthUserFile /web/htpasswd
    Require valid-user
2. Access a URL under that tree
3. Offer credentials of a user described in /web/htpasswd

What is the expected output? What do you see instead?
Page should load. Instead, I get back "401 Authorization Required". The error log shows the following:
[Thu May 27 11:57:51 2010] [error] [client 128.zzz.xxx.yyy] AuthExtern pwauth [/usr/local/bin/pwauth]: Failed (1) for user htphil
[Thu May 27 11:57:51 2010] [error] [client 128.zzz.xxx.yyy] user htphil: authentication failure for "/test/": Password Mismatch
Apparently, mod_authn_file was never consulted.

What version of the product are you using? On what operating system?
Package libapache2-mod-authnz-external version 3.1.0-1ubuntu2 on Ubuntu
8.04.4 Hardy

Please provide any additional information below.
The documentation says that mod_auth_basic handles the issue of treating
the auth[nz] modules non-authoritatively, but that doesn't quite seem to be
the case.

Original issue reported on code.google.com by [email protected] on 27 May 2010 at 5:11

GoogleCodeExporter avatar Apr 24 '15 14:04 GoogleCodeExporter

I have the same problem. If external authentication fails, the next provider should be used. It is a very important feature. Please implement it.

Original comment by [email protected] on 12 Jun 2014 at 2:06

GoogleCodeExporter avatar Apr 24 '15 14:04 GoogleCodeExporter

I have the same problem too. Looking at #26, it appears that no protocol is available for the external program to say "User doesn't exist", so this module can't decide to return AUTH_USER_NOT_FOUND rather than AUTH_DENIED.

I wrote a different approach: I added a new keyword "SetExternalAuthChecker" (optional) that allows indicating a "user checker" external program. If a checker is defined, then before checking credentials the code performs a user check. If OK, the code behaves as usual. If not OK (user not found), the test is skipped and at the end AUTH_USER_NOT_FOUND is returned. So far I tested that and it works for me. Note: the checker program is called with only the username (in ENV), and should answer 0 (exists) or anything else (does not exist).

Please let me know if this could be interesting for you. So far I'm not familiar with git/GitHub; if you are interested I will look into providing a diff.

Hexasoft avatar May 15 '19 12:05 Hexasoft

Note: I may also have changed "DefineExternalAuth" to accept 4 values (to be coherent). So far my code is more a proof of concept than ready-to-use code.

Hexasoft avatar May 15 '19 13:05 Hexasoft
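
A simplified C model of the behaviour discussed in this thread, added here as an example (it is not code from mod-auth-external, Apache, or any commenter): a provider chain moves on only when a provider answers AUTH_USER_NOT_FOUND, so an external provider that can only answer AUTH_DENIED ends the chain. The user "alice", the passwords, and all function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model; status names mirror the AUTH_* values named in the thread. */
typedef enum { AUTH_DENIED, AUTH_GRANTED, AUTH_USER_NOT_FOUND } authn_status;
typedef authn_status (*provider_fn)(const char *user, const char *pass);

/* Constructed sample data: "alice" is known to the external authenticator,
 * "htphil" exists only in the htpasswd-style file. */
static int external_knows(const char *u) { return strcmp(u, "alice") == 0; }
static int external_verify(const char *u, const char *p) {
    return external_knows(u) && strcmp(p, "alice-pw") == 0;
}
/* Behaviour reported in the issue: every failure becomes AUTH_DENIED. */
authn_status external_current(const char *u, const char *p) {
    return external_verify(u, p) ? AUTH_GRANTED : AUTH_DENIED;
}
/* Approach proposed in the thread: a user check runs first, and an unknown
 * user yields AUTH_USER_NOT_FOUND instead of AUTH_DENIED. */
authn_status external_with_checker(const char *u, const char *p) {
    if (!external_knows(u)) return AUTH_USER_NOT_FOUND;
    return external_verify(u, p) ? AUTH_GRANTED : AUTH_DENIED;
}
/* Stand-in for the file provider (plain-text compare only for the model). */
authn_status file_provider(const char *u, const char *p) {
    if (strcmp(u, "htphil") != 0) return AUTH_USER_NOT_FOUND;
    return strcmp(p, "file-pw") == 0 ? AUTH_GRANTED : AUTH_DENIED;
}
/* Provider chain: only AUTH_USER_NOT_FOUND hands over to the next provider. */
authn_status run_chain(provider_fn *chain, size_t n, const char *u, const char *p) {
    authn_status st = AUTH_USER_NOT_FOUND;
    for (size_t i = 0; i < n && st == AUTH_USER_NOT_FOUND; i++)
        st = chain[i](u, p);
    return st;
}
authn_status login_current(const char *u, const char *p) {
    provider_fn chain[] = { external_current, file_provider };
    return run_chain(chain, 2, u, p);
}
authn_status login_proposed(const char *u, const char *p) {
    provider_fn chain[] = { external_with_checker, file_provider };
    return run_chain(chain, 2, u, p);
}
int main(void) {
    printf("current=%d proposed=%d\n", login_current("htphil", "file-pw"),
           login_proposed("htphil", "file-pw"));
    return 0;
}
```

In this model a wrong password for a user the external side does know still ends the chain with AUTH_DENIED, so the fall-through applies only to users the first provider has never heard of.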