1 How To Install mod_authnz_external.c
6 * If you want to use the HARDCODE function option follow the instructions
7 in the INSTALL.HARDCODE file in this directory before following these
10 * These instructions are for Apache version 2.2. This version of
11 mod_authnz_external will not work with older versions of Apache.
12 Other versions are available for different releases of Apache:
14 Apache 1.3 mod_auth_external-2.1.x
15 Apache 2.0 mod_auth_external-2.2.x
16 Apache 2.2 mod_authnz_external-3.1.x or mod_authnz_external-3.2.x
18 You can check your apache version by running it from the command line
21 * If you are upgrading from mod_auth_external to mod_authnz_external,
22 read the UPGRADE file.
24 * Starting with version 3.2.x, mod_authnz_external is designed to work
25 on any platform supported by Apache. Previous versions were Unix-only.
26 So mod_authnz_external might work on Windows, but the author doesn't
27 really do Windows development and doesn't even own a Windows C compiler.
28 So it has not been tested at all, no pre-compiled Windows code is available,
29 and there are no installation instructions for non-Unix platforms. If
30 you figure any of this out, please consider contributing your findings.
32 * Originally, mod_auth_external was a stand-alone module. However a new
33 authentication module structure was introduced in Apache-2.1, where
34 mod_auth_basic and mod_auth_digest are the only top-level authentication
35 modules. All other authentication modules simply provide authentication
36 services to these modules, and have names starting with "mod_authn_" for
37 authentication modules, or "mod_authz_" for access control modules, or
38 "mod_authnz_" for modules that provide both services. Mod_Authnz_External
39 is designed to fit into this new structure. It has essentially the same
40 features as mod_auth_external, but there are differences in the
41 configuration commands. It should be noted that it is still possible to
42 use older-style independent authentication modules in Apache 2.2, and
43 mod_auth_external-2.2.x can be made to work with only a little difficulty
44 arising from mod_auth_basic's reluctance to be turned off. See the
45 mod_auth_external INSTALL document for information on using it with
48 * Do not, however, install both mod_auth_external and mod_authnz_external
49 in your httpd. I don't know what exactly would happen, but it won't be
52 * There are two ways of installing mod_authnz_external on a Unix system.
54 (1) You can statically link it with Apache. This requires rebuilding
55 Apache in such a way that mod_authnz_external will be compiled in.
57 (2) You can make mod_authnz_external a dynamically loaded module. If
58 your Apache has been built to support dynamically loaded modules
59 you can do this without rebuilding Apache, so it is pretty easy.
60 Performance may be slightly worse with this option. For information
61 on dynamically loaded modules see http://www.apache.org/docs/dso.html
63 Instructions for both options are given here. The dynamic loading
64 option will probably be prefered on virtually all modern installations.
66 * There is also documentation in the README file and in the AUTHENTICATORS
67 file. If you find this document unclear, reading those may help.
70 INSTALL METHOD A: Dynamically Linking Mod_auth_external using apxs:
71 -------------------------------------------------------------------
74 Ensure that your Apache server is configured to handle dynamically
75 loaded modules. To check this, run Apache server with the -l command
80 If mod_so.c is one of the compiled-in modules, then you are ready
81 to go. Note that some installations may give the http daemon different
82 names, like 'apache' or 'httpd2'. Some may have multiple copies of
83 apache sitting in different directories. Be sure you looking at the
84 one that is being run.
87 Compile the module using the following command in the
88 mod_authnz_external distribution directory:
90 apxs -c mod_authnz_external.c
92 'Apxs' is the Apache extension tool. It is part of the standard
93 Apache distribution. If you don't have it, then there may be a
94 Apache development package that needs to be installed on your system,
95 or your Apache server may not be set up for handling dynamically
96 loaded modules. Some systems rename it weirdly, like 'apxs2' in
97 some openSUSE distributions.
99 Apxs should create a file named 'mod_authnz_external.so'.
101 AIX Note: For Apache 1.3 on AIX the 'apxs' command compiled
102 mod_authnz_external.c into mod_authnz_external.o correctly, but
103 generation of the shared library file failed with a message like
104 "No csects or exported symbols have been saved." We don't know
105 if this still happens with Apache 2.0. If it does happen, the
106 fix under Apache 1.3 was to create a file in the current
107 directory named mod_authnz_external.exp which contained the two
110 #! mod_authnz_external.o
111 authnz_external_module
115 apxs -c mod_authnz_external.c -bE:mod_authnz_external.exp
118 Install the module. Apxs can do this for you too. Do the following
119 command (as root so you can write to Apache's directories and config
122 apxs -i -a mod_authnz_external.la
124 This will create mod_authnz_external.so and copy it into the proper
125 place, and add appropriate AddModule and LoadModule commands to the
126 configuration files. (Actually, it may get the LoadModule command
130 Go to the CONFIGURATION instructions below.
133 INSTALL METHOD B: Statically Linking
134 ------------------------------------
137 Read the instructions on how to configure the Apache server in the
138 INSTALL file provided with the Apache source.
141 When you run the ./configure script, include an --with-module flag,
142 giving the full pathname to the mod_authnz_external.c file in this
143 distribution. For example, if you have unpacked this distribution
144 in /usr/local/src/mod_authnz_external and are building Apache for
145 installation in /usr/local/apache, you might do:
147 ./configure --prefix=/usr/local/apache \
148 --with-module=aaa:/usr/local/src/mod_authnz_external/mod_authnz_external.c
150 This will copy the mod_authnz_external.c file into the correct place in
151 the Apache source tree and set things up to link it in.
154 Type "make" to compile Apache and "make install" to install it.
157 Go to the CONFIGURATION instructions below.
163 There are three parts to doing the configuration. First, if you are using
164 dynamic loading, you need to configure Apache to load the mod_authnz_external
165 module. If 'apxs' is working correctly, it should do this for you
166 automatically, but it doesn't always.
168 Second you define the external program and communication method to use in
169 your httpd.conf file, identifying them with a keyword.
171 Finally you set up specific directories to use that authenticator, referencing
174 These instructions talk about editing the "httpd.conf" file, as it appears in
175 the standard Apache distributions. In many version of Linux, however, this
176 file will actually just include a lot of other configuration files, some of
177 which may be automatically generated by various GUI configuration tools. I
178 include notes on some of these variations that I have encountered, but you
179 may need to do some of your own figuring to find out how to adapt these
180 instructions to your server configuration.
182 (1) Configuring Module Loading:
184 This step is only required if you are using dynamic loading. In theory,
185 apxs will have done it for you. If you are trustful, you can skip ahead
186 to step 2 and only come back to this if things don't seem to be working.
187 In cases where you are using multiple non-authoritative authenticators
188 you'll probably want to check this manually, even if apxs works right, to
189 ensure that the modules are loaded (and thus envoked) in the desired order.
191 (a) First, you should make sure that there is a proper "LoadModule"
192 command in the httpd.conf file. This should have been put there
193 by 'apxs' but, some older Linux distributions, like Redhat 6.1,
194 messed it up. Basically, the 'LoadModule' command should look a
195 lot like all the other LoadModule commands. Something like
197 LoadModule authnz_external_module modules/mod_authnz_external.so
199 where the second part is the path from Apache's root directory
200 to the location where the module was stored by apxs.
202 Make sure that apxs didn't put this directive inside any inappropriate
203 <IfDefine> directives, as some Redhat versions have done in the past.
205 If you previously had mod_authnz_external or mod_auth_external
206 installed and are installing a new version, you may have more than
207 one LoadModule command into httpd.conf. You only need one. Get rid
210 (b) Check you httpd.conf file to see if there is a "ClearModuleList"
211 command. If this exists, then you need to add a command like:
213 AddModule mod_authnz_external.c
215 somewhere below "ClearModuleList" command (probably somewhere among
216 the dozens of other AddModule commands). If you used 'apxs' to
217 install mod_authnz_external, then this should already be done, but
218 it may again be stashed in an inappropriate <IfDefine>.
220 The standard Apache configuration files don't have a "ClearModuleList"
221 command and don't need an "AddModule" command. However the standard
222 RedHat configuration files, among others, do.
224 (2) Configurating the External Authenticator
226 In this section we insert commands into httpd.conf that will be run when
227 Apache starts up to tell Apache where your external authenticators are
228 and how to communicate with them.
230 It is possible to configure several different external authenticators
231 into Apache. For each one you need to configure a name, a method
232 of communicating with authenticator, and the location of the
235 The structure of Apache httpd.conf differs widely on different systems.
236 The notes below on where to put configuration commands assume that you
237 have something close to a straight apache install, but you probably
238 don't. Very likely there will be comments in your httpd.conf file that
239 tell you where to put local configuration.
241 If you are using virtual hosts, put these commands at the end of the
242 appropriate <VirtualHost> block. The declarations must be *inside*
243 the <VirtualHost> block to work for a virtual host. They are not
244 inherited from the primary host to the virtual hosts. Note that most
245 Apache SSL servers are set up as virtual hosts, so you'll probably
246 need to put these definitions in the <VirtualHost> block for use with
249 Otherwise, just put them anywhere (just before the Virtual Hosts
250 section of the standard Apache config file might make the most sense).
252 Two different command syntaxes are supported in mod_authnz_external.
253 One that is compatible with older releases, and one that is a bit
254 more compact, using one command instead of two.
256 (a) For External Authentication Programs:
260 DefineExternalAuth <keyword> <method> <location>
264 AddExternalAuth <keyword> <location>
265 SetExternalAuthMethod <keyword> <method>
267 <keyword> is some name you choose. You can configure multiple
268 different external authenticators by using different keywords for them.
270 <method> defines how the login and password are passed to the
271 external authenticator. The only values that do anything are:
273 pipe read newline-terminated strings from stdin. (default)
274 environment get args from environment variables.
275 checkpassword read null-terminated strings from file descriptor 3.
276 function internal authenticator called as function.
278 Pipe is the default. Environment used to be the default but it is
279 insecure on some versions of Unix. See the README file.
281 <location> tells where to find the authenticator. It's syntax varies
282 somewhat by method (which is why we introduced the new syntax - to
283 keep it closer to the method declaration):
285 For "pipe", "environment", and "checkpassword" methods:
287 <location> is the full path where you installed your external
288 authentication program, like "/usr/local/bin/auth_check".
289 It always starts with a slash. If you put it in quotes, you
290 can include command-line arguments, but these arguments won't
291 be processed by a shell, so you can't use wildcards or I/O
292 redirects or anything like that. (If you need shell processing
293 of arguments, write an sh-script wrapper for your authenticator,
294 and put the path to that here.)
296 For the "function" method:
298 <location> is a string like "<type>:<data>". The <type> part
299 is a string that can be used to select from multiple internal
300 functions. <data> is a string passed to that function and is
301 typically used as config file path. The ":" is required even if
302 the <data> is an empty string.
304 In the old-style syntax, the path declaration should always preceed
305 the method declaration, and the method declaration can be omitted if
306 you want the default.
308 Here are some examples. We give old style syntax only for the first
309 example, but it can be used in all cases:
311 * For external authentication programs using a pipe:
313 DefineExternalAuth archive_auth pipe /usr/local/bin/authcheck
317 AddExternalAuth archive_auth /usr/local/bin/authcheck
318 SetExternalAuthMethod archive_auth pipe
320 * For external authentication programs using environment variables:
322 DefineExternalAuth archive_auth environment /usr/local/bin/authcheck
324 * For external authenticators using the checkpassword protocol:
326 DefineExternalAuth archive_auth checkpassword "/bin/checkpassword /bin/true"
328 * For HARDCODE functions with a configuration file:
330 DefineExternalAuth archive_auth function RADIUS:/usr/local/raddb
332 * For HARDCODE functions with no configuration file:
334 DefineExternalAuth function archive_auth RADIUS:
336 (b) For External Group-Checking Programs:
338 If you want to use an external program to do group checking, add one
339 of the following to your server's httpd.conf.
343 DefineExternalGroup <keyword> <method> <location>
347 AddExternalGroup <keyword> <location>
348 SetExternalGroupMethod <keyword> <method>
350 <keyword> is some name you choose to identify this particular
351 group checking method. The keywords for login authenticators and
352 group authenticators are separate name spaces, so it doesn't matter
353 if these keywords match any you defined with DefineExternalAuth or
356 <method> defines how the login and group names are passed to the
357 external authenticator. Legal values are:
359 pipe - authenticator reads data from standard input.
360 environment - authenticator gets data from environment variables.
362 Pipe is the default. Environment used to be the default in older
363 versions. The "checkpassword" keyword also works, but doesn't
364 really make a lot of sense since there are no checkpassword
365 authenticators for groups.
369 * For external authentication programs using a pipe:
371 DefineExternalGroup archive_group pipe /usr/local/bin/grpcheck
375 AddExternalGroup archive_group /usr/local/bin/grpcheck
376 SetExternalGroupMethod archive_group pipe
378 * For external group check programs using environment variables:
380 DefineExternalGroup archive_group environment /usr/local/bin/grpcheck
382 (3) Configuring Web Pages to Use Authentication
384 For any directory you want to protect, you need either a .htaccess file
385 in the directory or a <Directory> block for the directory in your
388 Note that for .htaccess files to work, you must specify "AllowOverride
389 AuthConfig" in the httpd.conf file for any directories they appear
390 under. As distributed, Apache sets "AllowOverride None" for most
391 directories. If this is not changed, .htaccess files will be ignored.
393 * EXTERNAL PASSWORD CHECKING:
395 For normal user authentication, the following directives should be in
396 the .htaccess file or <Directory> block:
400 AuthBasicProvider external
401 AuthExternal <keyword>
404 Here <authname> identifies what we are authenticating for - it usually
405 appears in the browser's pop-up login window. <keyword> matches a
406 keyword you defined with DefineExternalAuth or AddExternalAuth in step 2.
408 If you only want some users to have access to the directory, as opposed
409 to all valid users, you can list the users on the "require" line,
412 Require user <username1> <username2> ...
414 Or if you want to allow only user's whose login name matches the
415 login name of the unix user who owns the file being accessed, you
416 can say (assuming you have mod_authz_owner installed):
420 It is possible to list more than one authenticator on the AuthExternal
423 AuthExternal <keyword1> <keyword2>...
425 Here each keyword should match an authenticator defined with the
426 DefineExternalAuth command. If the first authenticator fails, then
427 the second one will be run, and so on, until either one authenticator
428 accepts the user's login/password combination or all reject it.
430 * EXTERNAL GROUP CHECKING:
432 If you want to use the external group check program to allow only
433 users in a given group to have access, you could do:
437 AuthBasicProvider external
438 AuthExternal <keyword>
439 GroupExternal <groupkeyword>
440 Require group <groupname1> <groupname2> ...
442 Here <groupkeyword> matches a name you defined with with the
443 DefineExternalGroup or AddExternalGroup command in step 2.
445 Normally if you have multiple group names on your "Require group"
446 command, then the group checker will be run only once, passing it the
447 whole space-separated list of groups. Some older group checking
448 programs may only be able to handle one group name at a time. So if
449 you want the group checker to be run once for each group name, you can
452 GroupExternalManyAtOnce off
454 If, instead of listing group names, you want to allow access only
455 to users whose group name (as determined by whatever group database
456 your external group checker uses) matches the unix group name that
457 owns the file being accessed, you can configure an external group
458 checker and then install mod_authz_owner and do:
462 The GroupExternal cannot (yet?) be used with multiple external
465 * PASSING CONTEXT INFORMATION INTO AUTHENTICATORS:
467 If you want the authentication to work slightly differently in
468 different directories, then you can add a directive like:
470 AuthExternalContext <context>
472 This will simply pass whatever <context> string was given to the
473 authenticator in an environment variable called CONTEXT. The
474 authenticator can use that to modify it's behavior.
476 * MODIFYING ERROR CODES FOR GROUP CHECKING:
478 Normally, if a group authentication fails, then mod_authnz_external
479 will return a 401 error, which will normally cause the browser to
480 pop up a fresh login box so the user can try logging in with a different
481 ID. This may not always be appropriate. If you rejected him because he
482 has a blocked IP address, returning a 403 error, which displays an error
483 page (which you can configure) may be a better choice. To get a
484 403 error instead of a 401 error on failed group access checks, you
485 would add the following command to your configuration:
487 GroupExternalError 403
489 This would effect only group checks, never password checks. Bad
490 passwords always result in a 401 error.
492 * INTERACTIONS WITH OTHER AUTHENTICATORS:
494 It is possible to configure more than one different authentication
495 module. If you do so, you will normally want to make them
496 unauthoritative, so that if one fails, the others will be tried.
497 That way, authentication or access will be granted if ANY of the
498 the configured modules finds it valid.
500 If all your password checkers are "authn" modules running under
501 mod_auth_basic, then you need do nothing. The arbitration among
502 such modules is different than the arbitration between top level
503 modules, and does the right thing by default. But if some are not
504 "authn" modules, then you'll want to make mod_auth basic
505 unauthoritative with the "AuthBasicAuthoritative off" directive
506 described in the Apache manual.
508 If you have multiple group checkers, then you will need to make
509 mod_authnz_external un-authoritative for group checking. To do
510 this, use the directive:
512 GroupExternalAuthoritative off
514 Of course, you'll probably also have to make the other module
515 unauthoritative. For example, if you have a "Require user pete"
516 directive and a "Require group admin" directive and expect it to
517 allow either pete or any admin to login, then you need to make
518 mod_authz_user unauthoritative, because that's what checks
519 "Require user" directives.
521 See the Apache manual pages on AuthType, AuthName, AuthBasicProvider,
522 Require, and AuthGroupFile for more information.
526 Some of the directives mentioned above used to have different names.
527 The old names still work for backward compatibility.
529 AuthzExternalAuthoritative equals GroupExternalAuthoritative
530 AuthExternalGroupsAtOnce equals GroupExternalManyAtOnce
532 (4) Install the Authenticator
534 Install your external authentication program in the location named
535 by the pathname on your AddExternalAuth directive.
537 Make sure everything is permitted so that whatever account the httpd
538 runs under can execute the authenticator. Typically this requires
539 'execute' access to the script and all the directories above it. If
540 it is a script, then read access to the script will also be needed.
542 If your script is an set-uid script, then make sure the file is owned
543 by the user it is supposed to run as, and that the suid-bit is set.
547 Restart Apache, so that all the new configuration commands will be
548 loaded. If you have the apachectl command do:
552 For some systems which doesn't have apachectl, you'll want to manually
553 run the startup script for apache. The locations of these vary somewhat
554 in different Unix systems, but they typically are something like this:
556 /etc/init.d/httpd restart
560 Test your changes/code by trying to view a protected page.
562 If it doesn't work, check the apache error logs. They are loaded
563 with helpful information. Some common problems and their usual causes:
565 - Miscellaneous odd behaviors.
567 Did you restart the httpd after the last time you edited the
568 httpd.conf file or recompiled Apache? Confirm that an
569 "Apache configured -- resuming normal operations" message appeared
570 in the error log when you restarted.
572 - Apache complains about not recognizing mod_authnz_external commands
573 in the httpd.conf file like "DefineExternalAuth" and "AddExternalAuth".
575 Either the module didn't get installed (if you staticly linked
576 the module, are you running the newly compiled copy of httpd?),
577 or it isn't enabled (if it is dynamically linked, the AddModule
578 LoadModule commands described above in step (1) may be missing,
579 incorrect, or commented out by an inappropriate <IfDefine>).
580 Sometimes I've found that the httpd.conf file I've been editing is
581 not actually the one being used by the copy of Apache that is
582 running. Sometimes I test this by inserting deliberately invalid
583 commands and checking to see if error messages are generated when
586 - It displays pages in a protected directory without asking for
587 a login and password.
589 For some reason Apache is not seeing the directory configuration
590 commands that set up authentication for that directory. If you
591 are using .htaccess files, does your httpd.conf file say
592 "AllowOverride AuthConfig" for the directory? Apache is usually
593 distributed with "AllowOverride None" set, which will cause
594 .htaccess files to be quietly ignored.
596 - All logins are rejected, and the error log says it cannot execute the
597 authentication module. Error messages might look like:
599 exec of '/foo/bar/authcheck' failed: (2) No such file or directory
600 [Thu Nov 15 12:26:43 2007] [error] AuthExtern authcheck
601 [/foo/bar/authcheck]: Failed (-1) for user foo
602 [Thu Nov 15 12:26:43 2007] [error] user foo: authentication
603 failure for /mae/index.html": Password Mismatch
605 The first of these three messages is from Apache's process launching
606 library, and gives the clearest information about what caused the
607 error. Typically it will be either "No such file", which means that
608 the pathname you specified for the authenticator in step (2) does
609 not match the actual location of your external authenticator, or
610 it will be "permission denied", indicating that either the file
611 or one of the directories above it is permitted so whatever account
612 apache is configured to run as does not have execute permission.
613 If it's a script, it also needs read opinion.
615 The second error message is actually generated by mod_auth_external.
616 It just says authentication failed for the user. Normally it would
617 give the status code returned by the authenticator in parenthesis,
618 but if the authenticator could not be executed it will show a
619 phoney status code of -1 (which some systems display as 255).
621 The third error message is from Apache. Don't be mislead by it's
622 saying "Password Mismatch". When mod_auth_external fails, it
623 rejects all access attempts. To apache this looks like a
626 - Authentications failed and the message in the error log says it
627 failed with a status code of -2 or 254, for example:
629 [Thu Nov 15 12:26:43 2007] [error] AuthExtern authcheck
630 [/foo/bar/authcheck]: Failed (-2) for user foo
631 [Thu Nov 15 12:26:43 2007] [error] user foo: authentication
632 failure for /mae/index.html": Password Mismatch
634 A status code of -2 (or 254) indicates that the authenticator
635 crashed or was killed before it could return a status code. This
636 could either be because some other process sent it a signal to
637 terminate it, or it crashed due to some kind internal error in
638 the code, causing a segmentation fault or some other similar
641 - Error log says "Failed (X) for user foo" with X being some number
642 other than 255 or -1.
644 The authenticator ran, and exited with the given non-zero return
645 code. You'll have to check the authenticator to see under what
646 conditions it exits with that return code.