| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> |
| <HTML> |
| <HEAD> |
| <TITLE>Apache module mod_auth</TITLE> |
| </HEAD> |
| |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) --> |
| <BODY |
| BGCOLOR="#FFFFFF" |
| TEXT="#000000" |
| LINK="#0000FF" |
| VLINK="#000080" |
| ALINK="#FF0000" |
| > |
| <!--#include virtual="header.html" --> |
| |
| <H1 ALIGN="CENTER">Module mod_auth</H1> |
| |
| This module is contained in the <CODE>mod_auth.c</CODE> file, and |
| is compiled in by default. It provides for user authentication using |
| textual files. |
| |
| |
| <MENU> |
| <LI><A HREF="#authgroupfile">AuthGroupFile</A> |
| <LI><A HREF="#authuserfile">AuthUserFile</A> |
| <LI><A HREF="#authauthoritative">AuthAuthoritative</A> |
| </MENU> |
| <HR> |
| |
| |
| <H2><A NAME="authgroupfile">AuthGroupFile</A></H2> |
| <!--%plaintext <?INDEX {\tt AuthGroupFile} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth<P> |
| |
| The AuthGroupFile directive sets the name of a textual file containing the list |
| of user groups for user authentication. <EM>Filename</EM> is the path |
| to the group file. If it is not absolute (<EM>i.e.</EM>, if it |
| doesn't begin with a slash), it is treated as relative to the ServerRoot. |
| <P> |
| Each line of the group file contains a groupname followed by a colon, followed |
| by the member usernames separated by spaces. Example: |
| <BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE> |
| Note that searching large text files is <EM>very</EM> inefficient; |
| <A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should |
| be used instead.<P> |
| |
| Security: make sure that the AuthGroupFile is stored outside the |
| document tree of the web-server; do <EM>not</EM> put it in the directory that |
| it protects. Otherwise, clients will be able to download the AuthGroupFile.<P> |
| |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authuserfile">AuthUserFile</A>.<P><HR> |
| |
| <H2><A NAME="authuserfile">AuthUserFile</A></H2> |
| <!--%plaintext <?INDEX {\tt AuthUserFile} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth<P> |
| |
| The AuthUserFile directive sets the name of a textual file containing |
| the list of users and passwords for user |
| authentication. <EM>Filename</EM> is the path to the user |
| file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a |
| slash), it is treated as relative to the ServerRoot. |
| <P> Each line of the user file file contains a username followed |
| by a colon, followed by the crypt() encrypted password. The behavior |
| of multiple occurrences of the same user is undefined. |
| <P> |
| The utility <code>htpasswd</code> which is installed as part of the |
| binary distribution, or which can be found in <code>src/support</code>, |
| is used to maintain this password file. See the <code>man</code> |
| page for more details. In short |
| <p> |
| <blockquote> |
| <code>htpasswd -c Filename username</code><br> |
| Create a password file 'Filename' with 'username' |
| as the initial ID. It will prompt for the password. |
| <code>htpasswd Filename username2</code><br> |
| Adds or modifies in password file 'Filename' the 'username'. |
| </blockquote> |
| <P> Note that |
| searching large text files is <EM>very</EM> inefficient; |
| <A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be |
| used instead. |
| <P> |
| |
| Security: make sure that the AuthUserFile is stored outside the |
| document tree of the web-server; do <EM>not</EM> put it in the directory that |
| it protects. Otherwise, clients will be able to download the AuthUserFile.<P> |
| |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authgroupfile">AuthGroupFile</A>.<P> |
| <HR> |
| <H2><A NAME="authauthoritative">AuthAuthoritative</A></H2> |
| <!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthAuthoritative < |
| <STRONG> on</STRONG>(default) | off > <BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth<P> |
| |
| Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG> |
| allows for both authentication and authorization to be passed on to |
| lower level modules (as defined in the <CODE>Configuration</CODE> and |
| <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or |
| <STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or |
| rule specified; the usual password and access checks will be applied |
| and a failure will give an Authorization Required reply. |
| |
| <P> |
| |
| So if a userID appears in the database of more than one module; or if |
| a valid require directive applies to more than one module; then the |
| first module will verify the credentials; and no access is passed on; |
| regardless of the AuthAuthoritative setting. |
| |
| <P> |
| |
| A common use for this is in conjunction with one of the database |
| modules; such as <A |
| HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A |
| HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>, |
| <CODE>mod_auth_msql.c</CODE>, and <A |
| HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules |
| supply the bulk of the user credential checking; but a few |
| (administrator) related accesses fall through to a lower level with a |
| well protected AuthUserFile. |
| |
| <P> |
| |
| <A |
| HREF="directive-dict.html#Default" |
| REL="Help" |
| ><STRONG>Default:</STRONG></A> By default; control is not passed on; and an |
| unknown |
| userID or rule will result in an Authorization Required reply. Not |
| setting it thus keeps the system secure; and forces an NCSA compliant |
| behaviour. |
| |
| <P> |
| |
| Security: Do consider the implications of allowing a user to allow |
| fall-through in his .htaccess file; and verify that this is really |
| what you want; Generally it is easier to just secure a single |
| .htpasswd file, than it is to secure a database such as mSQL. Make |
| sure that the AuthUserFile is stored outside the document tree of the |
| web-server; do <EM>not</EM> put it in the directory that it |
| protects. Otherwise, clients will be able to download the |
| AuthUserFile. |
| |
| <P> |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authgroupfile">AuthGroupFile</A>.<P> |
| |
| <!--#include virtual="footer.html" --> |
| </BODY> |
| </HTML> |
| |