mirror of
				https://github.com/apache/httpd.git
				synced 2025-10-31 19:10:37 +03:00 
			
		
		
		
	git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@89603 13f79535-47bb-0310-9956-ffa450edef68
		
			
				
	
	
		
			243 lines
		
	
	
		
			8.3 KiB
		
	
	
	
		
			HTML
		
	
	
	
	
	
			
		
		
	
	
		
	
	
	
	
	
| <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
 | |
| <HTML>
 | |
| <HEAD>
 | |
| <TITLE>Apache module mod_auth_dbm</TITLE>
 | |
| </HEAD>
 | |
| 
 | |
| <!-- Background white, links blue (unvisited), navy (visited), red (active) -->
 | |
| <BODY
 | |
|  BGCOLOR="#FFFFFF"
 | |
|  TEXT="#000000"
 | |
|  LINK="#0000FF"
 | |
|  VLINK="#000080"
 | |
|  ALINK="#FF0000"
 | |
| >
 | |
| <!--#include virtual="header.html" -->
 | |
| 
 | |
| <H1 ALIGN="CENTER">Module mod_auth_dbm</H1>
 | |
| 
 | |
| <p>This module provides for user authentication using DBM files.</p>
 | |
| 
 | |
| <P><A
 | |
| HREF="module-dict.html#Status"
 | |
| REL="Help"
 | |
| ><STRONG>Status:</STRONG></A> Extension
 | |
| <BR>
 | |
| <A
 | |
| HREF="module-dict.html#SourceFile"
 | |
| REL="Help"
 | |
| ><STRONG>Source File:</STRONG></A> mod_auth_dbm.c
 | |
| <BR>
 | |
| <A
 | |
| HREF="module-dict.html#ModuleIdentifier"
 | |
| REL="Help"
 | |
| ><STRONG>Module Identifier:</STRONG></A> dbm_auth_module
 | |
| </P>
 | |
| 
 | |
| <h2>Summary</h2>
 | |
| 
 | |
| <p>This module provides for HTTP Basic Authentication, where the
 | |
| usernames and passwords are stored in DBM type database files.  It is
 | |
| an alternative to the plain text password files provided by <a
 | |
| href="mod_auth.html">mod_auth</A> and the Berkeley DB password files
 | |
| provided by <a href="mod_auth_db.html">mod_auth_db</a>.</p>
 | |
| 
 | |
| <h2>Directives</h2>
 | |
| 
 | |
| <ul>
 | |
| <LI><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
 | |
| <LI><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
 | |
| <LI><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
 | |
| </ul>
 | |
| 
 | |
| <p>See also: <a href="core.html#satisfy">Satisfy</a> and 
 | |
| <a href="core.html#require">Require</a>.
 | |
| <HR>
 | |
| 
 | |
| 
 | |
| <H2><A NAME="authdbmgroupfile">AuthDBMGroupFile</A></H2>
 | |
| <!--%plaintext <?INDEX {\tt AuthDBMGroupFile} directive> -->
 | |
| <A
 | |
|  HREF="directive-dict.html#Syntax"
 | |
|  REL="Help"
 | |
| ><STRONG>Syntax:</STRONG></A> AuthDBMGroupFile <EM>file-path</EM><BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Context"
 | |
|  REL="Help"
 | |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Override"
 | |
|  REL="Help"
 | |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Status"
 | |
|  REL="Help"
 | |
| ><STRONG>Status:</STRONG></A> Extension<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Module"
 | |
|  REL="Help"
 | |
| ><STRONG>Module:</STRONG></A> mod_auth_dbm<P>
 | |
| 
 | |
| The AuthDBMGroupFile directive sets the name of a DBM file containing the list
 | |
| of user groups for user authentication. <EM>File-path</EM> is the absolute path
 | |
| to the group file.<P>
 | |
| 
 | |
| The group file is keyed on the username. The value for a user is a
 | |
| comma-separated list of the groups to which the user belongs. There must
 | |
| be no whitespace within the value, and it must never contain any colons.<P>
 | |
| 
 | |
| Security: make sure that the AuthDBMGroupFile is stored outside the
 | |
| document tree of the web-server; do <EM>not</EM> put it in the directory that
 | |
| it protects. Otherwise, clients will be able to download the
 | |
| AuthDBMGroupFile unless otherwise protected.<P>
 | |
| 
 | |
| Combining Group and Password DBM files: In some cases it is easier to
 | |
| manage a single database which contains both the password and group
 | |
| details for each user. This simplifies any support programs that need
 | |
| to be written: they now only have to deal with writing to and locking
 | |
| a single DBM file. This can be accomplished by first setting the group
 | |
| and password files to point to the same DBM:<P>
 | |
| 
 | |
| <BLOCKQUOTE><CODE>
 | |
| AuthDBMGroupFile /www/userbase<BR>
 | |
| AuthDBMUserFile /www/userbase
 | |
| </CODE></BLOCKQUOTE>
 | |
| 
 | |
| The key for the single DBM is the username. The value consists of <P>
 | |
| 
 | |
| <BLOCKQUOTE><CODE>
 | |
| Unix Crypt-ed Password : List of Groups [ : (ignored) ]
 | |
| </CODE></BLOCKQUOTE>
 | |
| 
 | |
| The password section contains the Unix crypt() password as before. This is
 | |
| followed by a colon and the comma separated list of groups. Other data may
 | |
| optionally be left in the DBM file after another colon; it is ignored by the
 | |
| authentication module. This is what www.telescope.org uses for its combined
 | |
| password and group database. <P>
 | |
| 
 | |
| See also <A HREF="core.html#authname">AuthName</A>,
 | |
| <A HREF="core.html#authtype">AuthType</A> and
 | |
| <A HREF="#authdbmuserfile">AuthDBMUserFile</A>.<P><HR>
 | |
| 
 | |
| <H2><A NAME="authdbmuserfile">AuthDBMUserFile</A></H2>
 | |
| <!--%plaintext <?INDEX {\tt AuthDBMUserFile} directive> -->
 | |
| <A
 | |
|  HREF="directive-dict.html#Syntax"
 | |
|  REL="Help"
 | |
| ><STRONG>Syntax:</STRONG></A> AuthDBMUserFile <EM>file-path</EM><BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Context"
 | |
|  REL="Help"
 | |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Override"
 | |
|  REL="Help"
 | |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Status"
 | |
|  REL="Help"
 | |
| ><STRONG>Status:</STRONG></A> Extension<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Module"
 | |
|  REL="Help"
 | |
| ><STRONG>Module:</STRONG></A> mod_auth_dbm<P>
 | |
| 
 | |
| The AuthDBMUserFile directive sets the name of a DBM file containing the list
 | |
| of users and passwords for user authentication. <EM>File-path</EM> is the
 | |
| absolute path to the user file.<P>
 | |
| 
 | |
| The user file is keyed on the username. The value for a user is the
 | |
| crypt() encrypted password, optionally followed by a colon and
 | |
| arbitrary data.  The colon and the data following it will be ignored
 | |
| by the server.<P>
 | |
| 
 | |
| Security: make sure that the AuthDBMUserFile is stored outside the
 | |
| document tree of the web-server; do <EM>not</EM> put it in the directory that
 | |
| it protects. Otherwise, clients will be able to download the
 | |
| AuthDBMUserFile.<P>
 | |
| 
 | |
| Important compatibility note: The implementation of "dbmopen" in the
 | |
| apache modules reads the string length of the hashed values from the
 | |
| DBM data structures, rather than relying upon the string being
 | |
| NULL-appended. Some applications, such as the Netscape web server,
 | |
| rely upon the string being NULL-appended, so if you are having trouble
 | |
| using DBM files interchangeably between applications this may be a
 | |
| part of the problem. <P>
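 | |
| <P>Added example, not part of the original Apache documentation: a small auditor for the combined record format and the NUL-appended compatibility problem described above. The function names are hypothetical, the sample records are constructed, and <CODE>dbm.dumb</CODE> stands in for the server's DBM library so the script runs anywhere; it also assumes a NUL-appending writer stores the NUL inside the value.</P>

```python
import dbm.dumb
import os
import tempfile


def parse_value(raw: bytes) -> dict:
    """Parse one combined value: crypt-hash:group,group[:ignored]."""
    problems = []
    if raw.endswith(b"\x00"):
        # Assumption: a NUL-appending writer stored the NUL inside the value.
        problems.append("trailing NUL byte")
        raw = raw.rstrip(b"\x00")
    parts = raw.decode("latin-1").split(":", 2)
    pw_hash = parts[0]
    group_field = parts[1] if len(parts) > 1 else ""
    extra = parts[2] if len(parts) > 2 else None  # ignored by the server
    if not pw_hash:
        problems.append("empty password field")
    if any(ch.isspace() for ch in group_field):
        problems.append("whitespace in group list")
    groups = [g for g in group_field.split(",") if g]
    return {"hash": pw_hash, "groups": groups, "extra": extra,
            "problems": problems}


def audit(path: str) -> dict:
    """Return {username: [problems]} for each flawed record in a DBM file."""
    findings = {}
    with dbm.dumb.open(path, "r") as db:
        for key in db.keys():
            record = parse_value(db[key])
            if record["problems"]:
                findings[key.decode("latin-1")] = record["problems"]
    return findings


def demo() -> dict:
    """Build a constructed sample database in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "userbase")
        with dbm.dumb.open(path, "c") as db:  # placeholder hashes, not real
            db[b"alice"] = b"PLACEHOLDERHASH1:staff,admin:Alice Example"
            db[b"bob"] = b"PLACEHOLDERHASH2:staff, web"   # stray whitespace
            db[b"carol"] = b"PLACEHOLDERHASH3:staff\x00"   # NUL-appended
        return audit(path)


if __name__ == "__main__":
    print(demo())
```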
 | |
| 
 | |
| <p>A Perl script called
 | |
| <a href="../programs/dbmmanage.html">dbmmanage</a> is included with
 | |
| Apache.  This program can be used to create and update DBM format
 | |
| password files for use with this module.</p>
 | |
| 
 | |
| See also <A HREF="core.html#authname">AuthName</A>,
 | |
| <A HREF="core.html#authtype">AuthType</A> and
 | |
| <A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
 | |
| 
 | |
| <HR>
 | |
| <H2><A NAME="authdbmauthoritative">AuthDBMAuthoritative</A></H2>
 | |
| <!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> -->
 | |
| <A
 | |
|  HREF="directive-dict.html#Syntax"
 | |
|  REL="Help"
 | |
| ><STRONG>Syntax:</STRONG></A> AuthDBMAuthoritative on|off<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Default"
 | |
|  REL="Help"
 | |
| ><STRONG>Default:</STRONG></A> <code>AuthDBMAuthoritative on</code><br>
 | |
| <A
 | |
|  HREF="directive-dict.html#Context"
 | |
|  REL="Help"
 | |
| ><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Override"
 | |
|  REL="Help"
 | |
| ><STRONG>Override:</STRONG></A> AuthConfig<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Status"
 | |
|  REL="Help"
 | |
| ><STRONG>Status:</STRONG></A> Extension<BR>
 | |
| <A
 | |
|  HREF="directive-dict.html#Module"
 | |
|  REL="Help"
 | |
| ><STRONG>Module:</STRONG></A> mod_auth_dbm<P>
 | |
| 
 | |
| Setting the AuthDBMAuthoritative directive explicitly to <STRONG>'off'</STRONG>
 | |
| allows for both authentication and authorization to be passed on
 | |
| to lower level modules (as defined in the <CODE>Configuration</CODE>
 | |
| and <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
 | |
| <STRONG>rule</STRONG> matching the supplied userID. If there is a userID
 | |
| and/or rule specified, the usual password and access checks will
 | |
| be applied and a failure will give an Authorization Required reply.
 | |
| <P>
 | |
| So if a userID appears in the database of more than one module, or
 | |
| if a valid <CODE>Require</CODE> directive applies to more than one module, then
 | |
| the first module will verify the credentials, and no access is
 | |
| passed on, regardless of the AuthDBMAuthoritative setting.  <P>
 | |
| 
 | |
| A common use for this is in conjunction with one of the basic auth
 | |
| modules, such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
 | |
| This DBM module then supplies the bulk of the user credential
 | |
| checking, while a few (administrator) related accesses fall through to
 | |
| a lower level with a well protected .htpasswd file.  <P>
 | |
| 
 | |
| 
 | |
| By default, control is not passed on and an unknown userID or rule
 | |
| will result in an Authorization Required reply. Not setting it thus
 | |
| keeps the system secure and forces an NCSA compliant behaviour.  <P>
 | |
| 
 | |
| Security: Consider the implications of allowing a user to enable
 | |
| fall-through in his .htaccess file, and verify that this is really
 | |
| what you want. Generally it is easier to just secure a single
 | |
| .htpasswd file than it is to secure a database which might have
 | |
| more access interfaces.
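 | |
| <P>Added example, not part of the original Apache documentation and not the server's code: a model of the fall-through rule described above, covering only the password check (not <CODE>Require</CODE> rules). The class and function names are hypothetical, the users and passwords are constructed, and SHA-256 is a stand-in for crypt().</P>

```python
import hashlib
import hmac

OK, DECLINED, AUTH_REQUIRED = "OK", "DECLINED", "AUTH_REQUIRED"


def stand_in_hash(password: str) -> str:
    """Stand-in for crypt() so the model runs anywhere; not what Apache uses."""
    return hashlib.sha256(password.encode()).hexdigest()


class AuthModule:
    """Model of one auth module: a user table plus its Authoritative flag."""

    def __init__(self, name, users, authoritative=True):
        self.name = name
        self.users = {u: stand_in_hash(p) for u, p in users.items()}
        self.authoritative = authoritative

    def check(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            # Unknown userID: pass on only when Authoritative is off.
            return AUTH_REQUIRED if self.authoritative else DECLINED
        if hmac.compare_digest(stored, stand_in_hash(password)):
            return OK
        return AUTH_REQUIRED  # known userID, bad password: no fall-through


def authenticate(chain, user, password):
    """Ask each module in order; the first one that does not decline decides."""
    for module in chain:
        result = module.check(user, password)
        if result != DECLINED:
            return result, module.name
    return DECLINED, None  # nobody claimed the user; outcome not modelled


def build_chain(dbm_authoritative):
    """Constructed sample data: DBM for ordinary users, .htpasswd for admin."""
    dbm = AuthModule("mod_auth_dbm", {"alice": "dbm-pw"}, dbm_authoritative)
    flat = AuthModule("mod_auth", {"admin": "admin-pw", "alice": "flat-pw"})
    return [dbm, flat]
```

With the flag off, only userIDs absent from the DBM reach the second module; a userID present in both is always decided by the first.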
 | |
| 
 | |
| <P>
 | |
| See also <A HREF="core.html#authname">AuthName</A>,
 | |
| <A HREF="core.html#authtype">AuthType</A> and
 | |
| <A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
 | |
| 
 | |
| <!--#include virtual="footer.html" -->
 | |
| </BODY>
 | |
| </HTML>
 | |
| 
 |