docs/manual/mod/mod_auth_db.html - httpd - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 <HTML>
 <HEAD>
 <TITLE>Apache module mod_auth_db</TITLE>
 </HEAD>

 <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 <BODY
  BGCOLOR="#FFFFFF"
  TEXT="#000000"
  LINK="#0000FF"
  VLINK="#000080"
  ALINK="#FF0000"
 >
 <!--#include virtual="header.html" -->
 <H1 ALIGN="CENTER">Module mod_auth_db</H1>

 This module is contained in the <CODE>mod_auth_db.c</CODE> file, and
 is not compiled in by default. It provides for user authentication using
 Berkeley DB files. It is an alternative to <A HREF="mod_auth_dbm.html">DBM</A>
 files for those systems which support DB and not DBM. It is only
 available in Apache 1.1 and later.

 <P>
 On some BSD systems (<EM>e.g.</EM>, FreeBSD and NetBSD) dbm is automatically mapped to
 Berkeley DB. You can use either <A HREF="mod_auth_dbm.html">mod_auth_dbm</A>
 or mod_auth_db. The latter makes it more obvious that it's Berkeley DB.  On
 other platforms where you want to use the DB library you usually have to
 install it first. See
 <A HREF="http://www.sleepycat.com/">http://www.sleepycat.com/</A> for the
 distribution. The interface this module uses is the one from DB version 1.85
 and 1.86, but DB version 2.x can also be used when compatibility mode is
 enabled.

 <MENU>
 <LI><A HREF="#authdbgroupfile">AuthDBGroupFile</A>
 <LI><A HREF="#authdbuserfile">AuthDBUserFile</A>
 <LI><A HREF="#authdbauthoritative">AuthDBAuthoritative</A>
 </MENU>
 <HR>


 <H2><A NAME="authdbgroupfile">AuthDBGroupFile</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthDBGroupFile} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthDBGroupFile <EM>filename</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Extension<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth_db<P>

 The AuthDBGroupFile directive sets the name of a DB file containing the list
 of user groups for user authentication. <EM>Filename</EM> is the absolute path
 to the group file.<P>

 The group file is keyed on the username. The value for a user is a
 comma-separated list of the groups to which the users belongs. There must
 be no whitespace within the value, and it must never contain any colons.<P>

 Security: make sure that the AuthDBGroupFile is stored outside the
 document tree of the web-server; do <EM>not</EM> put it in the directory that
 it protects. Otherwise, clients will be able to download the
 AuthDBGroupFile unless otherwise protected.<P>

 Combining Group and Password DB files: In some cases it is easier to
 manage a single database which contains both the password and group
 details for each user. This simplifies any support programs that need
 to be written: they now only have to deal with writing to and locking
 a single DBM file. This can be accomplished by first setting the group
 and password files to point to the same DB file:<P>

 <BLOCKQUOTE><CODE>
 AuthDBGroupFile /www/userbase<BR>
 AuthDBUserFile /www/userbase
 </CODE></BLOCKQUOTE>

 The key for the single DB record is the username. The value consists of <P>

 <BLOCKQUOTE><CODE>
 Unix Crypt-ed Password : List of Groups [ : (ignored) ]
 </CODE></BLOCKQUOTE>

 The password section contains the Unix crypt() password as before. This is
 followed by a colon and the comma separated list of groups. Other data may
 optionally be left in the DB file after another colon; it is ignored by the
 authentication module. <P>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authdbuserfile">AuthDBUserFile</A>.<P><HR>

 <H2><A NAME="authdbuserfile">AuthDBUserFile</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthDBUserFile} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthDBUserFile <EM>filename</EM><BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Extension<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth_db<P>

 The AuthDBUserFile directive sets the name of a DB file containing the list
 of users and passwords for user authentication. <EM>Filename</EM> is the
 absolute path to the user file.<P>

 The user file is keyed on the username. The value for a user is the
 crypt() encrypted password, optionally followed by a colon and
 arbitrary data.  The colon and the data following it will be ignored
 by the server.<P>

 Security: make sure that the AuthDBUserFile is stored outside the
 document tree of the web-server; do <EM>not</EM> put it in the directory that
 it protects. Otherwise, clients will be able to download the
 AuthDBUserFile.<P>

 Important compatibility note: The implementation of "dbmopen" in the
 apache modules reads the string length of the hashed values from the
 DB data structures, rather than relying upon the string being
 NULL-appended. Some applications, such as the Netscape web server,
 rely upon the string being NULL-appended, so if you are having trouble
 using DB files interchangeably between applications this may be a
 part of the problem. <P>

 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>
 <HR>
 <H2><A NAME="authdbauthoritative">AuthDBAuthoritative</A></H2>
 <!--%plaintext &lt;?INDEX {\tt AuthDBAuthoritative} directive&gt; -->
 <A
  HREF="directive-dict.html#Syntax"
  REL="Help"
 ><STRONG>Syntax:</STRONG></A> AuthDBAuthoritative &lt;
  <STRONG> on</STRONG>(default) | off &gt; <BR>
 <A
  HREF="directive-dict.html#Context"
  REL="Help"
 ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 <A
  HREF="directive-dict.html#Override"
  REL="Help"
 ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 <A
  HREF="directive-dict.html#Status"
  REL="Help"
 ><STRONG>Status:</STRONG></A> Base<BR>
 <A
  HREF="directive-dict.html#Module"
  REL="Help"
 ><STRONG>Module:</STRONG></A> mod_auth<P>

 Setting the AuthDBAuthoritative directive explicitly to <STRONG>'off'</STRONG>
 allows for both authentication and authorization to be passed on
 to lower level modules (as defined in the <CODE>Configuration</CODE>
 and <CODE>modules.c</CODE> file if there is <STRONG>no userID</STRONG> or
 <STRONG>rule</STRONG> matching the supplied userID. If there is a userID
 and/or rule specified; the usual password and access checks will
 be applied and a failure will give an Authorization Required reply.
 <P>
 So if a userID appears in the database of more than one module; or
 if a valid require directive applies to more than one module; then
 the first module will verify the credentials; and no access is
 passed on; regardless of the AuthAuthoritative setting.  <P>

 A common use for this is in conjunction with one of the basic auth
 modules; such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
 Whereas this DB module supplies the bulk of the user credential
 checking; a few (administrator) related accesses fall through to
 a lower level with a well protected .htpasswd file.  <P>

 <A
  HREF="directive-dict.html#Default"
  REL="Help"
 ><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
 unknown
 userID or rule will result in an Authorization Required reply. Not
 setting it thus keeps the system secure; and forces an NCSA compliant
 behaviour.  <P>
 Security: Do consider the implications of allowing a user to allow
 fall-through in his .htaccess file; and verify that this is really
 what you want; Generally it is easier to just secure a single
 .htpasswd file, than it is to secure a database which might have
 more access interfaces.

 <P>
 See also <A HREF="core.html#authname">AuthName</A>,
 <A HREF="core.html#authtype">AuthType</A> and
 <A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>

 <!--#include virtual="footer.html" -->
 </BODY>
 </HTML>
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
	<HTML>
	<HEAD>
	<TITLE>Apache module mod_auth_db</TITLE>
	</HEAD>

	<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
	<BODY
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#000080"
	ALINK="#FF0000"
	>
	<!--#include virtual="header.html" -->
	<H1 ALIGN="CENTER">Module mod_auth_db</H1>

	This module is contained in the <CODE>mod_auth_db.c</CODE> file, and
	is not compiled in by default. It provides for user authentication using
	Berkeley DB files. It is an alternative to <A HREF="mod_auth_dbm.html">DBM</A>
	files for those systems which support DB and not DBM. It is only
	available in Apache 1.1 and later.

	<P>
	On some BSD systems (<EM>e.g.</EM>, FreeBSD and NetBSD) dbm is automatically mapped to
	Berkeley DB. You can use either <A HREF="mod_auth_dbm.html">mod_auth_dbm</A>
	or mod_auth_db. The latter makes it more obvious that it's Berkeley DB. On
	other platforms where you want to use the DB library you usually have to
	install it first. See
	<A HREF="http://www.sleepycat.com/">http://www.sleepycat.com/</A> for the
	distribution. The interface this module uses is the one from DB version 1.85
	and 1.86, but DB version 2.x can also be used when compatibility mode is
	enabled.

	<MENU>
	<LI><A HREF="#authdbgroupfile">AuthDBGroupFile</A>
	<LI><A HREF="#authdbuserfile">AuthDBUserFile</A>
	<LI><A HREF="#authdbauthoritative">AuthDBAuthoritative</A>
	</MENU>
	<HR>


	<H2><A NAME="authdbgroupfile">AuthDBGroupFile</A></H2>
	<!--%plaintext <?INDEX {\tt AuthDBGroupFile} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthDBGroupFile <EM>filename</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Extension<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth_db<P>

	The AuthDBGroupFile directive sets the name of a DB file containing the list
	of user groups for user authentication. <EM>Filename</EM> is the absolute path
	to the group file.<P>

	The group file is keyed on the username. The value for a user is a
	comma-separated list of the groups to which the users belongs. There must
	be no whitespace within the value, and it must never contain any colons.<P>

	Security: make sure that the AuthDBGroupFile is stored outside the
	document tree of the web-server; do <EM>not</EM> put it in the directory that
	it protects. Otherwise, clients will be able to download the
	AuthDBGroupFile unless otherwise protected.<P>

	Combining Group and Password DB files: In some cases it is easier to
	manage a single database which contains both the password and group
	details for each user. This simplifies any support programs that need
	to be written: they now only have to deal with writing to and locking
	a single DBM file. This can be accomplished by first setting the group
	and password files to point to the same DB file:<P>

	<BLOCKQUOTE><CODE>
	AuthDBGroupFile /www/userbase<BR>
	AuthDBUserFile /www/userbase
	</CODE></BLOCKQUOTE>

	The key for the single DB record is the username. The value consists of <P>

	<BLOCKQUOTE><CODE>
	Unix Crypt-ed Password : List of Groups [ : (ignored) ]
	</CODE></BLOCKQUOTE>

	The password section contains the Unix crypt() password as before. This is
	followed by a colon and the comma separated list of groups. Other data may
	optionally be left in the DB file after another colon; it is ignored by the
	authentication module. <P>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authdbuserfile">AuthDBUserFile</A>.<P><HR>

	<H2><A NAME="authdbuserfile">AuthDBUserFile</A></H2>
	<!--%plaintext <?INDEX {\tt AuthDBUserFile} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthDBUserFile <EM>filename</EM><BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Extension<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth_db<P>

	The AuthDBUserFile directive sets the name of a DB file containing the list
	of users and passwords for user authentication. <EM>Filename</EM> is the
	absolute path to the user file.<P>

	The user file is keyed on the username. The value for a user is the
	crypt() encrypted password, optionally followed by a colon and
	arbitrary data. The colon and the data following it will be ignored
	by the server.<P>

	Security: make sure that the AuthDBUserFile is stored outside the
	document tree of the web-server; do <EM>not</EM> put it in the directory that
	it protects. Otherwise, clients will be able to download the
	AuthDBUserFile.<P>

	Important compatibility note: The implementation of "dbmopen" in the
	apache modules reads the string length of the hashed values from the
	DB data structures, rather than relying upon the string being
	NULL-appended. Some applications, such as the Netscape web server,
	rely upon the string being NULL-appended, so if you are having trouble
	using DB files interchangeably between applications this may be a
	part of the problem. <P>

	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>
	<HR>
	<H2><A NAME="authdbauthoritative">AuthDBAuthoritative</A></H2>
	<!--%plaintext <?INDEX {\tt AuthDBAuthoritative} directive> -->
	<A
	HREF="directive-dict.html#Syntax"
	REL="Help"
	><STRONG>Syntax:</STRONG></A> AuthDBAuthoritative <
	<STRONG> on</STRONG>(default) \| off > <BR>
	<A
	HREF="directive-dict.html#Context"
	REL="Help"
	><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
	<A
	HREF="directive-dict.html#Override"
	REL="Help"
	><STRONG>Override:</STRONG></A> AuthConfig<BR>
	<A
	HREF="directive-dict.html#Status"
	REL="Help"
	><STRONG>Status:</STRONG></A> Base<BR>
	<A
	HREF="directive-dict.html#Module"
	REL="Help"
	><STRONG>Module:</STRONG></A> mod_auth<P>

	Setting the AuthDBAuthoritative directive explicitly to <STRONG>'off'</STRONG>
	allows for both authentication and authorization to be passed on
	to lower level modules (as defined in the <CODE>Configuration</CODE>
	and <CODE>modules.c</CODE> file if there is <STRONG>no userID</STRONG> or
	<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
	and/or rule specified; the usual password and access checks will
	be applied and a failure will give an Authorization Required reply.
	<P>
	So if a userID appears in the database of more than one module; or
	if a valid require directive applies to more than one module; then
	the first module will verify the credentials; and no access is
	passed on; regardless of the AuthAuthoritative setting. <P>

	A common use for this is in conjunction with one of the basic auth
	modules; such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
	Whereas this DB module supplies the bulk of the user credential
	checking; a few (administrator) related accesses fall through to
	a lower level with a well protected .htpasswd file. <P>

	<A
	HREF="directive-dict.html#Default"
	REL="Help"
	><STRONG>Default:</STRONG></A> By default; control is not passed on; and an
	unknown
	userID or rule will result in an Authorization Required reply. Not
	setting it thus keeps the system secure; and forces an NCSA compliant
	behaviour. <P>
	Security: Do consider the implications of allowing a user to allow
	fall-through in his .htaccess file; and verify that this is really
	what you want; Generally it is easier to just secure a single
	.htpasswd file, than it is to secure a database which might have
	more access interfaces.

	<P>
	See also <A HREF="core.html#authname">AuthName</A>,
	<A HREF="core.html#authtype">AuthType</A> and
	<A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>

	<!--#include virtual="footer.html" -->
	</BODY>
	</HTML>