phokz · carrvo · Aug 11, 2016 · Feb 24, 2026 · Feb 24, 2026 · Feb 24, 2026
diff --git a/mod_authnz_external/CONTRIBUTORS b/mod_authnz_external/CONTRIBUTORS
@@ -50,3 +50,5 @@ mod_authnz_external is based on code from the following sources:
 	klemens/ka7
 	Josef Liska		(josef.liska@virtualmaster.com)
 	Micah Andersen/Baptist International Missions, Inc. (micah@bimi.org)
+	Matt Johnston/mkj	(matt@ucc.asn.au)
+
diff --git a/mod_authnz_external/INSTALL b/mod_authnz_external/INSTALL
@@ -574,6 +574,11 @@ instructions to your server configuration.
     directive. In Apache 2.4, the notion of authoritativeness is
     thankfully almost entirely gone, so this directive is too.
 
+    If you want the ability to specify a return code for your authenticator
-    If you want the ability to specify a return code for your authenticator
+    If you want to allow your authenticator to gracefully hand off to the
-    If you want the ability to specify a return code for your authenticator
+    If you want to allow your authenticator to gracefully hand off to the
+    to indicate that it could not find a user:
-    to indicate that it could not find a user:
+    next apache authentication module when your authenticator cannot locate
+    the submitted user, you have the ability to specify a return code for
+    your authenticator to indicate that it could not find a user:
-    to indicate that it could not find a user:
+    next apache authentication module when your authenticator cannot locate
+    the submitted user, you have the ability to specify a return code for
+    your authenticator to indicate that it could not find a user:
+
+    AuthnUserNotFoundCode <code>
+
     * OLD DIRECTIVES
 
     Some of the directives mentioned above used to have different names.

diff --git a/mod_authnz_external/mod_authnz_external.c b/mod_authnz_external/mod_authnz_external.c
@@ -81,6 +81,7 @@ typedef struct
 	char *context;					/* Context string from AuthExternalContext */
 	int  groupsatonce;				/* Check all groups in one call? */
 	int  providecache;				/* Provide auth data to mod_authn_socache? */
+	int  authn_no_user_code;			/* External code to use for no user (HTTP 401) */
 	int  authncheck;				/* Check for previous authentication? */
 
 } authnz_external_dir_config_rec;
@@ -120,6 +121,7 @@ static void *create_authnz_external_dir_config(apr_pool_t *p, char *d)
 	dir->context = NULL;		/* no default */
 	dir->groupsatonce = 1;		/* default to on */
 	dir->providecache = 0;		/* default to off */
+	dir->authn_no_user_code = 0;	/* default to 0 to ignore */
 	dir->authncheck = 1;		/* default to on */
 	return dir;
 }
@@ -321,6 +323,13 @@ static const command_rec authnz_external_cmds[] =
 	OR_AUTHCFG,
 	"Old version of 'GroupExternalManyAtOnce'"),
 
+	AP_INIT_TAKE1("AuthnUserNotFoundCode",
+	ap_set_int_slot,
+	(void *)APR_OFFSETOF(authnz_external_dir_config_rec, authn_no_user_code),
+	OR_AUTHCFG,
+	"Set to a return code that the authenticator uses to indicate that the "
+		"user is not found (respond with HTTP 401). Set to 0 to ignore."),
+
 	AP_INIT_FLAG("GroupExternalAuthNCheck",
 	ap_set_flag_slot,
 	(void *)APR_OFFSETOF(authnz_external_dir_config_rec, authncheck),
@@ -764,7 +773,7 @@ void mock_turtle_cache(request_rec *r, const char *plainpw)
 
 /* Password checker for basic authentication - given a login/password,
  * check if it is valid.  Returns one of AUTH_DENIED, AUTH_GRANTED,
- * or AUTH_GENERAL_ERROR. */
+ * AUTH_USER_NOT_FOUND, or AUTH_GENERAL_ERROR. */
 
 static authn_status authn_external_check_password(request_rec *r,
 	const char *user, const char *password)
@@ -787,6 +796,8 @@ static authn_status authn_external_check_password(request_rec *r,
 		return AUTH_GENERAL_ERROR;
 	}
 
+	int all_not_found = 1;
+
 	for (i = 0; i < dir->auth_name->nelts; i++)
 	{
 		extname = ((const char **)dir->auth_name->elts)[i];
@@ -813,12 +824,26 @@ static authn_status authn_external_check_password(request_rec *r,
 			return AUTH_GRANTED;
 		}
 
+		/* Nonexistant login or (for some configurations) incorrect password
-		/* Nonexistant login or (for some configurations) incorrect password
+		/* Determine whether the return code means 'non-existent user' or 'incorrect 
-		/* Nonexistant login or (for some configurations) incorrect password
+		/* Determine whether the return code means 'non-existent user' or 'incorrect 
+		 * Handle this differently so that unknown users can be passed to the next
-		 * Handle this differently so that unknown users can be passed to the next
+		 * password'. If 'non-existent user', move on to the next external authenticator
-		 * Handle this differently so that unknown users can be passed to the next
+		 * password'. If 'non-existent user', move on to the next external authenticator
+		 * Apache AuthBasicProvider
-		 * Apache AuthBasicProvider
-		 * Apache AuthBasicProvider
+		 * Note that a configuration of 0, this will always be true and thus ignored */
+		if (code != dir->authn_no_user_code)
+		{
+			all_not_found = 0;
+		}
+
 		/* Log a failed authentication */
 		errno = 0;
 		ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
 			"AuthExtern %s [%s]: Failed (%d) for user %s",
 			extname, extpath, code, r->user);
 	}
+
-
+
+	/* If all external authenticators return 'non-existent user', we return 
+	 * AUTH_USER_NOT_FOUND so that unknown users can be passed to the next
+	 * Apache AuthBasicProvider */
-
+
+	/* If all external authenticators return 'non-existent user', we return 
+	 * AUTH_USER_NOT_FOUND so that unknown users can be passed to the next
+	 * Apache AuthBasicProvider */
+	if (all_not_found) {
+		return AUTH_USER_NOT_FOUND;
+	}
+
 	/* If no authenticators succeed, refuse authentication */
 	return AUTH_DENIED;
 }