diff -rc mod_auth_pam-1.1.1/doc/configure.txt mod_auth_pam-1.1.1.new/doc/configure.txt *** mod_auth_pam-1.1.1/doc/configure.txt 2002-07-09 10:40:44.000000000 -0700 --- mod_auth_pam-1.1.1.new/doc/configure.txt 2004-06-14 09:48:07.000000000 -0700 *************** *** 60,65 **** --- 60,76 ---- other authentication modules. Switching AuthPAM_Fallthrough on will make Apache ask other authentication modules if mod_auth_pam can't find the user. + AuthPAM_NoLocalUser + Syntax: AuthPAM_NoLocalUser on or off + Default: AuthPAM_NoLocalUser off + Context: directory, .htaccess + This bypasses the getpwent lookup for the user in the local password + file and attempts to directly authenticate them via PAM as passed + in by apache. + NOTE: if all you require is valid-user this will allow anyone who can + authenticate via PAM access you your system. Generally this option is + used to restrict access to specific groups of non local users. Be + aware of the security consequences of enabling this. References diff -rc mod_auth_pam-1.1.1/doc/faq.txt mod_auth_pam-1.1.1.new/doc/faq.txt *** mod_auth_pam-1.1.1/doc/faq.txt 2002-07-09 10:41:04.000000000 -0700 --- mod_auth_pam-1.1.1.new/doc/faq.txt 2004-06-14 09:48:24.000000000 -0700 *************** *** 43,49 **** 6. Does mod_auth_pam work with shadow passwords? Yes, but you have to make some changes to the shadow password file. See [6]Using Shadow with PAM for details. ! 7. What if my question is not answered here? Try asking in the [7]help forum or on the [8]mailing-list! References --- 43,65 ---- 6. Does mod_auth_pam work with shadow passwords? Yes, but you have to make some changes to the shadow password file. See [6]Using Shadow with PAM for details. ! ! _____________________________________________________________ ! ! ! 7. My auth logs whow "Verify user `foo'" and "user 'foo' granted access" ! but my apache error log shows "Permission denied: access to / failed ! for 192.168.0.xxx, reason: Permission denied" and ! 
"pam_auth_basic_user() - account is not healthy" ! You do not have a local account on the system with that username. ! Either add an account, or if you do not wish to have a local user ! and are aware of the implications enable the ! AuthPAM_NoLocalUser on ! option in you configuration (.htaccess, access.conf, or httpd.conf, ! wherever you have the authentication enabled for the offending directory) ! _____________________________________________________________ ! ! 8. What if my question is not answered here? Try asking in the [7]help forum or on the [8]mailing-list! References diff -rc mod_auth_pam-1.1.1/mod_auth_pam.c mod_auth_pam-1.1.1.new/mod_auth_pam.c *** mod_auth_pam-1.1.1/mod_auth_pam.c 2002-08-08 06:47:33.000000000 -0700 --- mod_auth_pam-1.1.1.new/mod_auth_pam.c 2004-06-14 09:11:43.000000000 -0700 *************** *** 47,52 **** --- 47,54 ---- * provided invaluable development help and ideas. * * Changes: + * 14-Jun-04: feature, added optional ability to bypass local passwd lookups + * 08-Aug-02: bugfix, supplemental groups are now checked * against correctly. Thanks to Will Holcomb for * the report. 
*************** *** 130,135 **** --- 132,139 ---- * fall through but return "access denied" instead * Defaults to off * + * AuthPAM_NoLocalUser on|off If on, turns off the requirement for a local user + * in the passwd file * AuthPAM_Authorative on|off DEPRECATED */ *************** *** 186,191 **** --- 190,196 ---- fail_delay, /* fail delay in ms -- needs library support */ fall_through, /* 1 to DECLINE instead of AUTH_REQUIRED if we can't find the username (defaults to 0) */ + no_localuser, /* 1 to disable local user checks (defaults to 0) */ enabled; /* 1 to use mod_auth_pam, 0 otherwise (defaults to 1) */ } auth_pam_dir_config; *************** *** 203,208 **** --- 208,214 ---- new->fail_delay = 0; /* 0 ms */ new->fall_through = 0; /* off */ + new->no_localuser = 0; /* off */ new->enabled = 1; /* on */ return new; } *************** *** 229,243 **** return NULL; } static command_rec auth_pam_cmds[] = { { "AuthFailDelay", (const char*(*)())auth_fail_delay, 0, OR_AUTHCFG, TAKE1, ! "number of micro seconds to wait after failed authentication attempt. defau ! lt is 0" }, { "AuthPAM_Authorative", (const char*(*)())auth_fall_through, NULL, OR_AUTHCFG, FLAG, "no longer in use -- see AuthPAM_FallThrough instead" }, { "AuthPAM_FallThrough", (const char*(*)())auth_fall_through, NULL, OR_AUTHCFG, FLAG, ! "on|off - determines if other authentication methods are attempted if this ! one fails; default is off" }, { "AuthPAM_Enabled", (const char*(*)())auth_enable, NULL, OR_AUTHCFG, FLAG, "on|off - determines if PAM authentication is enabled; default is on" }, { 0 } --- 235,256 ---- return NULL; } + static + char* no_localuser(cmd_parms *cmd, auth_pam_dir_config *config, int arg) + { + config->no_localuser = arg; + return NULL; + } + static command_rec auth_pam_cmds[] = { { "AuthFailDelay", (const char*(*)())auth_fail_delay, 0, OR_AUTHCFG, TAKE1, ! "number of micro seconds to wait after failed authentication attempt. 
default is 0" }, { "AuthPAM_Authorative", (const char*(*)())auth_fall_through, NULL, OR_AUTHCFG, FLAG, "no longer in use -- see AuthPAM_FallThrough instead" }, { "AuthPAM_FallThrough", (const char*(*)())auth_fall_through, NULL, OR_AUTHCFG, FLAG, ! "on|off - determines if other authentication methods are attempted if this one fails; default is off" }, ! { "AuthPAM_NoLocalUser", (const char*(*)())no_localuser, NULL, OR_AUTHCFG, FLAG, ! "on|off - determines if PAM authentication doesn't require a local password; default is off" }, { "AuthPAM_Enabled", (const char*(*)())auth_enable, NULL, OR_AUTHCFG, FLAG, "on|off - determines if PAM authentication is enabled; default is on" }, { 0 } *************** *** 382,388 **** } /* endif authenticate */ /* check that the account is healthy */ ! if((res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) { ap_log_reason((char*)compat_pam_strerror(pamh, res), r->uri, r); pam_end(pamh, PAM_SUCCESS); return AUTH_REQUIRED; --- 395,401 ---- } /* endif authenticate */ /* check that the account is healthy */ ! if( (!conf->no_localuser) && (res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK)) != PAM_SUCCESS) { ap_log_reason((char*)compat_pam_strerror(pamh, res), r->uri, r); pam_end(pamh, PAM_SUCCESS); return AUTH_REQUIRED; *************** *** 402,423 **** register int i = 0; char method_restricted = 0, *line = 0, *word = 0; auth_pam_dir_config *conf = (auth_pam_dir_config*) ! ap_get_module_config(r->per_dir_config, &pam_auth_module); ! struct passwd *pwent; /* check for allowed users/group */ const array_header *reqs_arr = ap_requires (r); require_line *reqs = 0; /* enabled? */ ! if (!conf->enabled) return DECLINED; /* retrieve user info from passwd and use that info instead of * server supplied info */ ! pwent = getpwnam(r->connection->user); ! if(pwent == NULL) ! 
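Review bot: The help string for the new `AuthPAM_NoLocalUser` entry says PAM "doesn't require a local password", but what the flag controls is whether the user must have a local passwd entry (and, per the hunk at 395-401 in this same patch, whether `pam_acct_mgmt()` runs at all); "password" will mislead an admin reading the directive listing. Suggest `"on|off - if on, skip the local passwd lookup (and the PAM account check) for the authenticated user; default is off"`. As a point of style, the handler is named `no_localuser` while its siblings are `auth_fall_through` and `auth_enable`; `auth_no_localuser` would match the table's convention. The closing of the `auth_pam_cmds` table lies outside the hunk.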
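Review bot: With `AuthPAM_NoLocalUser on` the new condition skips `pam_acct_mgmt()` entirely, so an account that the PAM account stack would report as expired, locked, or requiring a new authtok is granted access as long as `pam_authenticate()` succeeded; the option is documented as dropping the local-passwd requirement, not the account-validity check. The failure the option exists to avoid is presumably the account stack returning PAM_USER_UNKNOWN for a name with no passwd entry (the "account is not healthy" case from the FAQ), so tolerating only that code keeps the remaining checks: `res = pam_acct_mgmt(pamh, PAM_DISALLOW_NULL_AUTHTOK);` followed by `if (res != PAM_SUCCESS && !(conf->no_localuser && res == PAM_USER_UNKNOWN)) {`. Whether the deployed account module really returns PAM_USER_UNKNOWN rather than another error for unknown users should be confirmed before relying on this. The enclosing authentication function starts and ends outside the hunk.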
return DECLINED; // can't happen after authentication /* if any valid user suffices return success */ if (!reqs_arr) --- 415,443 ---- register int i = 0; char method_restricted = 0, *line = 0, *word = 0; auth_pam_dir_config *conf = (auth_pam_dir_config*) ! ap_get_module_config(r->per_dir_config, &pam_auth_module); ! struct passwd *pwent=NULL; ! char *username = NULL; /* check for allowed users/group */ const array_header *reqs_arr = ap_requires (r); require_line *reqs = 0; + /* enabled? */ ! if (!conf->enabled) return DECLINED; /* retrieve user info from passwd and use that info instead of * server supplied info */ ! if(conf->no_localuser) { ! username = r->connection->user; ! } else { ! pwent = getpwnam(r->connection->user); ! if(pwent == NULL) ! return DECLINED; // can't happen after authentication ! username = pwent->pw_name; ! } /* if any valid user suffices return success */ if (!reqs_arr) *************** *** 446,452 **** ap_getword_conf(r->pool, (const char**)&line); /* if allowed username matches authenticated username */ ! if(strcmp(pwent->pw_name, allowed_username) == 0) /* return success */ return OK; } --- 466,472 ---- ap_getword_conf(r->pool, (const char**)&line); /* if allowed username matches authenticated username */ ! if(strcmp(username, allowed_username) == 0) /* return success */ return OK; } *************** *** 465,475 **** members = grent->gr_mem; /* maybe its the primary group? saves the comparisons */ ! if(pwent->pw_gid == grent->gr_gid) return OK; while (*members) { ! if (strcmp (*members, pwent->pw_name) == 0) return OK; members ++; --- 485,495 ---- members = grent->gr_mem; /* maybe its the primary group? saves the comparisons */ ! if((!conf->no_localuser) && pwent->pw_gid == grent->gr_gid) return OK; while (*members) { ! if (strcmp (*members, username) == 0) return OK; members ++;
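Review bot: The guard `(!conf->no_localuser) && pwent->pw_gid == grent->gr_gid` silently changes what `require group` means under `AuthPAM_NoLocalUser on`: with no passwd entry there is no primary gid, so only names listed explicitly in the group's member list can match, and a user whose only membership is via their primary group is denied. That is presumably intended (the docs describe the option as restricting access to "specific groups of non local users"), but nothing in the code says so; add `/* no passwd entry when AuthPAM_NoLocalUser is on (pwent is NULL), so a primary-group match is impossible and only explicit gr_mem entries count */` above the `if`. Note that `pwent` is NULL in that mode only because the earlier hunk initialises it to NULL and never assigns it, so the short-circuit on `conf->no_localuser` is what keeps the dereference safe and the two must stay paired. The enclosing authorization loop starts outside the hunk.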