| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN"> |
| <HTML> |
| <HEAD> |
| <TITLE>Apache module mod_auth_db</TITLE> |
| </HEAD> |
| |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) --> |
| <BODY |
| BGCOLOR="#FFFFFF" |
| TEXT="#000000" |
| LINK="#0000FF" |
| VLINK="#000080" |
| ALINK="#FF0000" |
| > |
| <!--#include virtual="header.html" --> |
| <H1 ALIGN="CENTER">Module mod_auth_db</H1> |
| |
| <p>This module provides for user authentication using Berkeley DB |
| files. </p> |
| |
| <P><A |
| HREF="module-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Extension |
| <BR> |
| <A |
| HREF="module-dict.html#SourceFile" |
| REL="Help" |
| ><STRONG>Source File:</STRONG></A> mod_auth_db.c |
| <BR> |
| <A |
| HREF="module-dict.html#ModuleIdentifier" |
| REL="Help" |
| ><STRONG>Module Identifier:</STRONG></A> db_auth_module |
| </P> |
| |
| <h2>Summary</h2> |
| |
| <p>This module provides an alternative to <A |
| HREF="mod_auth_dbm.html">DBM</A> files for those systems which support |
| DB and not DBM. It is only available in Apache 1.1 and later.</p> |
| |
| <p>On some BSD systems (<EM>e.g.</EM>, FreeBSD and NetBSD) dbm is |
| automatically mapped to Berkeley DB. You can use either <A |
| HREF="mod_auth_dbm.html">mod_auth_dbm</A> or mod_auth_db. The latter |
| makes it more obvious that it's Berkeley DB. On other platforms where |
| you want to use the DB library you usually have to install it |
| first. See <A |
| HREF="http://www.sleepycat.com/">http://www.sleepycat.com/</A> for the |
| distribution. The interface this module uses is the one from DB |
| version 1.85 and 1.86, but DB version 2.x can also be used when |
| compatibility mode is enabled.</p> |
| |
| <h2>Directives</h2> |
| |
| <UL> |
| <LI><A HREF="#authdbgroupfile">AuthDBGroupFile</A> |
| <LI><A HREF="#authdbuserfile">AuthDBUserFile</A> |
| <LI><A HREF="#authdbauthoritative">AuthDBAuthoritative</A> |
| </UL> |
| |
| <p>See also: <a href="core.html#satisfy">satisfy</a> and |
| <a href="core.html#require">require</a>.</p> |
| |
| <HR> |
| |
| |
| <H2><A NAME="authdbgroupfile">AuthDBGroupFile directive</A></H2> |
| <!--%plaintext <?INDEX {\tt AuthDBGroupFile} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthDBGroupFile <EM>filename</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Extension<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth_db<P> |
| |
| The AuthDBGroupFile directive sets the name of a DB file containing the list |
| of user groups for user authentication. <EM>Filename</EM> is the absolute path |
| to the group file.<P> |
| |
| The group file is keyed on the username. The value for a user is a |
| comma-separated list of the groups to which the users belongs. There must |
| be no whitespace within the value, and it must never contain any colons.<P> |
| |
| Security: make sure that the AuthDBGroupFile is stored outside the |
| document tree of the web-server; do <EM>not</EM> put it in the directory that |
| it protects. Otherwise, clients will be able to download the |
| AuthDBGroupFile unless otherwise protected.<P> |
| |
| Combining Group and Password DB files: In some cases it is easier to |
| manage a single database which contains both the password and group |
| details for each user. This simplifies any support programs that need |
| to be written: they now only have to deal with writing to and locking |
| a single DBM file. This can be accomplished by first setting the group |
| and password files to point to the same DB file:<P> |
| |
| <BLOCKQUOTE><CODE> |
| AuthDBGroupFile /www/userbase<BR> |
| AuthDBUserFile /www/userbase |
| </CODE></BLOCKQUOTE> |
| |
| The key for the single DB record is the username. The value consists of <P> |
| |
| <BLOCKQUOTE><CODE> |
| Unix Crypt-ed Password : List of Groups [ : (ignored) ] |
| </CODE></BLOCKQUOTE> |
| |
| The password section contains the Unix crypt() password as before. This is |
| followed by a colon and the comma separated list of groups. Other data may |
| optionally be left in the DB file after another colon; it is ignored by the |
| authentication module. <P> |
| |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authdbuserfile">AuthDBUserFile</A>.<P><HR> |
| |
| <H2><A NAME="authdbuserfile">AuthDBUserFile</A> directive</H2> |
| <!--%plaintext <?INDEX {\tt AuthDBUserFile} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthDBUserFile <EM>filename</EM><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Extension<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth_db<P> |
| |
| The AuthDBUserFile directive sets the name of a DB file containing the list |
| of users and passwords for user authentication. <EM>Filename</EM> is the |
| absolute path to the user file.<P> |
| |
| The user file is keyed on the username. The value for a user is the |
| crypt() encrypted password, optionally followed by a colon and |
| arbitrary data. The colon and the data following it will be ignored |
| by the server.<P> |
| |
| Security: make sure that the AuthDBUserFile is stored outside the |
| document tree of the web-server; do <EM>not</EM> put it in the directory that |
| it protects. Otherwise, clients will be able to download the |
| AuthDBUserFile.<P> |
| |
| Important compatibility note: The implementation of "dbmopen" in the |
| apache modules reads the string length of the hashed values from the |
| DB data structures, rather than relying upon the string being |
| NULL-appended. Some applications, such as the Netscape web server, |
| rely upon the string being NULL-appended, so if you are having trouble |
| using DB files interchangeably between applications this may be a |
| part of the problem. <P> |
| |
| <p>A perl script called |
| href="../programs/dbmmanage.html">dbmmanage</a> is included with |
| Apache. This program can be used to create and update DB format |
| password files for use with this module.</p> |
| |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P> |
| <HR> |
| <H2><A NAME="authdbauthoritative">AuthDBAuthoritative</A> directive</H2> |
| <!--%plaintext <?INDEX {\tt AuthDBAuthoritative} directive> --> |
| <A |
| HREF="directive-dict.html#Syntax" |
| REL="Help" |
| ><STRONG>Syntax:</STRONG></A> AuthDBAuthoritative on|off<BR> |
| <A |
| HREF="directive-dict.html#Default" |
| REL="Help" |
| ><STRONG>Default:</STRONG></A> <CODE>AuthDBAuthoritative on</CODE><BR> |
| <A |
| HREF="directive-dict.html#Context" |
| REL="Help" |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR> |
| <A |
| HREF="directive-dict.html#Override" |
| REL="Help" |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR> |
| <A |
| HREF="directive-dict.html#Status" |
| REL="Help" |
| ><STRONG>Status:</STRONG></A> Base<BR> |
| <A |
| HREF="directive-dict.html#Module" |
| REL="Help" |
| ><STRONG>Module:</STRONG></A> mod_auth<P> |
| |
| Setting the AuthDBAuthoritative directive explicitly to <STRONG>'off'</STRONG> |
| allows for both authentication and authorization to be passed on |
| to lower level modules (as defined in the <CODE>Configuration</CODE> |
| and <CODE>modules.c</CODE> file if there is <STRONG>no userID</STRONG> or |
| <STRONG>rule</STRONG> matching the supplied userID. If there is a userID |
| and/or rule specified; the usual password and access checks will |
| be applied and a failure will give an Authorization Required reply. |
| <P> |
| So if a userID appears in the database of more than one module; or |
| if a valid <CODE>Require</CODE> directive applies to more than one module; then |
| the first module will verify the credentials; and no access is |
| passed on; regardless of the AuthAuthoritative setting. <P> |
| |
| A common use for this is in conjunction with one of the basic auth |
| modules; such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>. |
| Whereas this DB module supplies the bulk of the user credential |
| checking; a few (administrator) related accesses fall through to |
| a lower level with a well protected .htpasswd file. <P> |
| |
| |
| By default, control is not passed on and an unknown |
| userID or rule will result in an Authorization Required reply. Not |
| setting it thus keeps the system secure and forces an NCSA compliant |
| behaviour. <P> |
| Security: Do consider the implications of allowing a user to allow |
| fall-through in his .htaccess file; and verify that this is really |
| what you want; Generally it is easier to just secure a single |
| .htpasswd file, than it is to secure a database which might have |
| more access interfaces. |
| |
| <P> |
| See also <A HREF="core.html#authname">AuthName</A>, |
| <A HREF="core.html#authtype">AuthType</A> and |
| <A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P> |
| |
| <!--#include virtual="footer.html" --> |
| </BODY> |
| </HTML> |
| |