From a8482a3c5a4d4b1cd318deb4630e2094341fd8ad Mon Sep 17 00:00:00 2001
From: Jan Pazdziora
Date: Thu, 14 Nov 2013 16:31:42 +0800
Subject: Set EXTERNAL_AUTH_ERROR variable upon PAM error.
---
 README | 3 ++-
 mod_intercept_form_submit.c | 9 +++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/README b/README
index effcdf2..ffec64b 100644
--- a/README
+++ b/README
@@ -9,7 +9,8 @@ REMOTE_USER environment variable if the authentication passes. The internal r->user field is also set so other modules can use it (even if the module is invoked very late in the request processing). If the REMOTE_USER is already set (presumably by some previous module), no -authentication takes place. +authentication takes place. If the PAM authentication fails, environment +variable EXTERNAL_AUTH_ERROR is set to the string describing the error. The assumption is that the application will be amended to trust the REMOTE_USER value if it is set and skip its own login/password
diff --git a/mod_intercept_form_submit.c b/mod_intercept_form_submit.c
index a0a6b00..833b29a 100644
--- a/mod_intercept_form_submit.c
+++ b/mod_intercept_form_submit.c
@@ -78,19 +78,24 @@ int pam_authenticate_conv(int num_msg, const struct pam_message ** msg, struct p
 }
 
 #define _REMOTE_USER_ENV_NAME "REMOTE_USER"
+#define _EXTERNAL_AUTH_ERROR_ENV_NAME "EXTERNAL_AUTH_ERROR"
 int pam_authenticate_with_login_password(request_rec * r, const char * pam_service, char * login, const char * password) {
 pam_handle_t * pamh = NULL;
 struct pam_conv pam_conversation = { &pam_authenticate_conv, (void *) password };
 int ret;
 if ((ret = pam_start(pam_service, login, &pam_conversation, &pamh)) != PAM_SUCCESS) {
+ const char * strerr = pam_strerror(pamh, ret);
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
- "mod_intercept_form_submit: PAM transaction failed for service %s: %s", pam_service, pam_strerror(pamh, ret));
+ "mod_intercept_form_submit: PAM transaction failed for service %s: %s", pam_service, strerr);
+ apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
 pam_end(pamh, ret);
 return 0;
 }
 if ((ret = pam_authenticate(pamh, PAM_SILENT | PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) {
+ const char * strerr = pam_strerror(pamh, ret);
 ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
- "mod_intercept_form_submit: PAM authentication failed for user %s: %s", login, pam_strerror(pamh, ret));
+ "mod_intercept_form_submit: PAM authentication failed for user %s: %s", login, strerr);
+ apr_table_setn(r->subprocess_env, _EXTERNAL_AUTH_ERROR_ENV_NAME, apr_pstrdup(r->pool, strerr));
 pam_end(pamh, ret);
 return 0;
 }
-- cgit
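Review bot: The value stored in EXTERNAL_AUTH_ERROR after a failed pam_authenticate() is the raw pam_strerror() text, and depending on the PAM stack that text can differ between an unknown account and a wrong password, so an application that echoes it to the client could let accounts be enumerated. Nothing in the new code says the value is meant for logging or internal branching only; I would add a comment above both `apr_table_setn` calls, for example `/* diagnostic only: do not show verbatim to the client, the text may reveal whether the account exists */`, with a matching sentence in the README. The pam_start() branch similarly hands configuration-level errors to the application, which the same comment would cover. As a style point, the two failure branches now repeat the same strerror, log, and set-env sequence and could share one small static helper. The body of pam_authenticate_with_login_password continues past the end of this hunk.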