stnoonan / spnego-http-auth-nginx-module

SPNEGO HTTP Authentication Module for nginx

Making authentication optional #128

Open muks opened 2 years ago

muks commented 2 years ago

We use the spnego-http-auth-nginx-module in our Kerberos domain with much success. Authentication is password-less (using a smartcard), so we configure auth_gss_allow_basic_fallback off. The module authenticates access to a variety of services that are used only by staff (user principals).

We use an application called Request Tracker that is accessed by non-staff users too who do not have Kerberos accounts. Currently staff are forced to use password authentication using Request Tracker's HTML login form. Request Tracker supports HTTP authentication ($WebRemoteUserAuth) and a method to present the HTML login form as fallback ($WebFallbackToRTLogin). However, this would require that, if the SPNEGO authentication does not complete, the application webpage loads anyway without the REMOTE_USER CGI variable set.

How can this be configured in nginx? This module supports fallback to basic authentication (which is not what we want), and otherwise if the user is not authenticated (kinit was not run), the user receives a "401 Authorization Required" error from nginx. In this case, how can we get the application's webpage to load anyway without REMOTE_USER being set?

I haven't found a way to use the nginx satisfy config option for this either. satisfy picks one of the built-in authentication methods in precedence to auth_gss, and so the SPNEGO authentication does not happen if one of the built-in mechanisms (e.g., allow all) succeeds.

Furgas commented 1 year ago

Maybe use error_page 401 directive to redirect to a location without Kerberos authentication enabled.
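One way to wire up the error_page idea from the comment above, written here as an added example rather than configuration from the issue or from the module's own documentation. It assumes Request Tracker is served over FastCGI from rt-server.fcgi on 127.0.0.1:9000, an EXAMPLE.COM realm with a keytab at /etc/nginx/rt.keytab, and that the module exposes the authenticated principal in $remote_user the way nginx auth modules conventionally do; none of those details come from the page.

```nginx
# Added example; not the project's own configuration.
server {
    listen 443 ssl;
    server_name rt.example.com;                       # assumed hostname
    ssl_certificate     /etc/nginx/rt.crt;            # assumed paths
    ssl_certificate_key /etc/nginx/rt.key;

    # Staff path: challenge with Negotiate only, never fall back to Basic.
    location / {
        auth_gss on;
        auth_gss_keytab /etc/nginx/rt.keytab;         # assumed path
        auth_gss_realm EXAMPLE.COM;                   # assumed realm
        auth_gss_service_name HTTP;
        auth_gss_allow_basic_fallback off;

        # The module answers an unauthenticated request with 401.
        # "error_page 401 =" turns that into an internal redirect to the
        # named location below, and "=" (no code) lets that location's
        # response decide the status the client finally sees.
        error_page 401 = @rt_anonymous;

        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /opt/rt5/sbin/rt-server.fcgi;  # assumed
        # REMOTE_USER is what RT's $WebRemoteUserAuth reads.
        fastcgi_param REMOTE_USER $remote_user if_not_empty;
        fastcgi_pass 127.0.0.1:9000;                   # assumed backend
    }

    # Non-staff path: same backend, auth_gss off, and REMOTE_USER deliberately
    # absent so RT's $WebFallbackToRTLogin shows its own HTML login form.
    location @rt_anonymous {
        auth_gss off;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /opt/rt5/sbin/rt-server.fcgi;  # assumed
        fastcgi_pass 127.0.0.1:9000;
    }
}
```

The check to run before relying on this: a Negotiate-capable client only sends its Kerberos token in reply to a 401 that carries WWW-Authenticate: Negotiate, so if the internal redirect replaces that 401 with the anonymous page, staff browsers may never get the chance to present a ticket and will land on the login form as well. Verify with a kinit'd client both ways, for instance `curl -v --negotiate -u : https://rt.example.com/` and a real browser, and confirm in the FastCGI backend that REMOTE_USER is set for staff and absent for everyone else.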