mirror of
https://github.com/apache/httpd.git
synced 2025-05-17 15:21:13 +03:00
d56f872d3e
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@87879 13f79535-47bb-0310-9956-ffa450edef68
251 lines
8.6 KiB
HTML
251 lines
8.6 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<TITLE>Apache module mod_auth_db</TITLE>
|
|
</HEAD>
|
|
|
|
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
|
|
<BODY
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#000080"
|
|
ALINK="#FF0000"
|
|
>
|
|
<!--#include virtual="header.html" -->
|
|
<H1 ALIGN="CENTER">Module mod_auth_db</H1>
|
|
|
|
<p>This module provides for user authentication using Berkeley DB
|
|
files. </p>
|
|
|
|
<P><A
|
|
HREF="module-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Extension
|
|
<BR>
|
|
<A
|
|
HREF="module-dict.html#SourceFile"
|
|
REL="Help"
|
|
><STRONG>Source File:</STRONG></A> mod_auth_db.c
|
|
<BR>
|
|
<A
|
|
HREF="module-dict.html#ModuleIdentifier"
|
|
REL="Help"
|
|
><STRONG>Module Identifier:</STRONG></A> db_auth_module
|
|
</P>
|
|
|
|
<h2>Summary</h2>
|
|
|
|
<p>This module provides an alternative to <A
|
|
HREF="mod_auth_dbm.html">DBM</A> files for those systems which support
|
|
DB and not DBM. It is only available in Apache 1.1 and later.</p>
|
|
|
|
<p>On some BSD systems (<EM>e.g.</EM>, FreeBSD and NetBSD) dbm is
|
|
automatically mapped to Berkeley DB. You can use either <A
|
|
HREF="mod_auth_dbm.html">mod_auth_dbm</A> or mod_auth_db. The latter
|
|
makes it more obvious that it's Berkeley DB. On other platforms where
|
|
you want to use the DB library you usually have to install it
|
|
first. See <A
|
|
HREF="http://www.sleepycat.com/">http://www.sleepycat.com/</A> for the
|
|
distribution. The interface this module uses is the one from DB
|
|
version 1.85 and 1.86, but DB version 2.x can also be used when
|
|
compatibility mode is enabled.</p>
|
|
|
|
<h2>Directives</h2>
|
|
|
|
<UL>
|
|
<LI><A HREF="#authdbgroupfile">AuthDBGroupFile</A>
|
|
<LI><A HREF="#authdbuserfile">AuthDBUserFile</A>
|
|
<LI><A HREF="#authdbauthoritative">AuthDBAuthoritative</A>
|
|
</UL>
|
|
|
|
<p>See also: <a href="core.html#satisfy">satisfy</a> and
|
|
<a href="core.html#require">require</a>.</p>
|
|
|
|
<HR>
|
|
|
|
|
|
<H2><A NAME="authdbgroupfile">AuthDBGroupFile directive</A></H2>
|
|
<!--%plaintext <?INDEX {\tt AuthDBGroupFile} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthDBGroupFile <EM>filename</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Extension<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth_db<P>
|
|
|
|
The AuthDBGroupFile directive sets the name of a DB file containing the list
|
|
of user groups for user authentication. <EM>Filename</EM> is the absolute path
|
|
to the group file.<P>
|
|
|
|
The group file is keyed on the username. The value for a user is a
|
|
comma-separated list of the groups to which the users belongs. There must
|
|
be no whitespace within the value, and it must never contain any colons.<P>
|
|
|
|
Security: make sure that the AuthDBGroupFile is stored outside the
|
|
document tree of the web-server; do <EM>not</EM> put it in the directory that
|
|
it protects. Otherwise, clients will be able to download the
|
|
AuthDBGroupFile unless otherwise protected.<P>
|
|
|
|
Combining Group and Password DB files: In some cases it is easier to
|
|
manage a single database which contains both the password and group
|
|
details for each user. This simplifies any support programs that need
|
|
to be written: they now only have to deal with writing to and locking
|
|
a single DBM file. This can be accomplished by first setting the group
|
|
and password files to point to the same DB file:<P>
|
|
|
|
<BLOCKQUOTE><CODE>
|
|
AuthDBGroupFile /www/userbase<BR>
|
|
AuthDBUserFile /www/userbase
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
The key for the single DB record is the username. The value consists of <P>
|
|
|
|
<BLOCKQUOTE><CODE>
|
|
Unix Crypt-ed Password : List of Groups [ : (ignored) ]
|
|
</CODE></BLOCKQUOTE>
|
|
|
|
The password section contains the Unix crypt() password as before. This is
|
|
followed by a colon and the comma separated list of groups. Other data may
|
|
optionally be left in the DB file after another colon; it is ignored by the
|
|
authentication module. <P>
|
|
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authdbuserfile">AuthDBUserFile</A>.<P><HR>
|
|
|
|
<H2><A NAME="authdbuserfile">AuthDBUserFile</A> directive</H2>
|
|
<!--%plaintext <?INDEX {\tt AuthDBUserFile} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthDBUserFile <EM>filename</EM><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Extension<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth_db<P>
|
|
|
|
The AuthDBUserFile directive sets the name of a DB file containing the list
|
|
of users and passwords for user authentication. <EM>Filename</EM> is the
|
|
absolute path to the user file.<P>
|
|
|
|
The user file is keyed on the username. The value for a user is the
|
|
crypt() encrypted password, optionally followed by a colon and
|
|
arbitrary data. The colon and the data following it will be ignored
|
|
by the server.<P>
|
|
|
|
Security: make sure that the AuthDBUserFile is stored outside the
|
|
document tree of the web-server; do <EM>not</EM> put it in the directory that
|
|
it protects. Otherwise, clients will be able to download the
|
|
AuthDBUserFile.<P>
|
|
|
|
Important compatibility note: The implementation of "dbmopen" in the
|
|
apache modules reads the string length of the hashed values from the
|
|
DB data structures, rather than relying upon the string being
|
|
NULL-appended. Some applications, such as the Netscape web server,
|
|
rely upon the string being NULL-appended, so if you are having trouble
|
|
using DB files interchangeably between applications this may be a
|
|
part of the problem. <P>
|
|
|
|
<p>A perl script called
|
|
href="../programs/dbmmanage.html">dbmmanage</a> is included with
|
|
Apache. This program can be used to create and update DB format
|
|
password files for use with this module.</p>
|
|
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>
|
|
<HR>
|
|
<H2><A NAME="authdbauthoritative">AuthDBAuthoritative</A> directive</H2>
|
|
<!--%plaintext <?INDEX {\tt AuthDBAuthoritative} directive> -->
|
|
<A
|
|
HREF="directive-dict.html#Syntax"
|
|
REL="Help"
|
|
><STRONG>Syntax:</STRONG></A> AuthDBAuthoritative on|off<BR>
|
|
<A
|
|
HREF="directive-dict.html#Default"
|
|
REL="Help"
|
|
><STRONG>Default:</STRONG></A> <CODE>AuthDBAuthoritative on</CODE><BR>
|
|
<A
|
|
HREF="directive-dict.html#Context"
|
|
REL="Help"
|
|
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
|
|
<A
|
|
HREF="directive-dict.html#Override"
|
|
REL="Help"
|
|
><STRONG>Override:</STRONG></A> AuthConfig<BR>
|
|
<A
|
|
HREF="directive-dict.html#Status"
|
|
REL="Help"
|
|
><STRONG>Status:</STRONG></A> Base<BR>
|
|
<A
|
|
HREF="directive-dict.html#Module"
|
|
REL="Help"
|
|
><STRONG>Module:</STRONG></A> mod_auth<P>
|
|
|
|
Setting the AuthDBAuthoritative directive explicitly to <STRONG>'off'</STRONG>
|
|
allows for both authentication and authorization to be passed on
|
|
to lower level modules (as defined in the <CODE>Configuration</CODE>
|
|
and <CODE>modules.c</CODE> file if there is <STRONG>no userID</STRONG> or
|
|
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
|
|
and/or rule specified; the usual password and access checks will
|
|
be applied and a failure will give an Authorization Required reply.
|
|
<P>
|
|
So if a userID appears in the database of more than one module; or
|
|
if a valid <CODE>Require</CODE> directive applies to more than one module; then
|
|
the first module will verify the credentials; and no access is
|
|
passed on; regardless of the AuthAuthoritative setting. <P>
|
|
|
|
A common use for this is in conjunction with one of the basic auth
|
|
modules; such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
|
|
Whereas this DB module supplies the bulk of the user credential
|
|
checking; a few (administrator) related accesses fall through to
|
|
a lower level with a well protected .htpasswd file. <P>
|
|
|
|
|
|
By default, control is not passed on and an unknown
|
|
userID or rule will result in an Authorization Required reply. Not
|
|
setting it thus keeps the system secure and forces an NCSA compliant
|
|
behaviour. <P>
|
|
Security: Do consider the implications of allowing a user to allow
|
|
fall-through in his .htaccess file; and verify that this is really
|
|
what you want; Generally it is easier to just secure a single
|
|
.htpasswd file, than it is to secure a database which might have
|
|
more access interfaces.
|
|
|
|
<P>
|
|
See also <A HREF="core.html#authname">AuthName</A>,
|
|
<A HREF="core.html#authtype">AuthType</A> and
|
|
<A HREF="#authdbgroupfile">AuthDBGroupFile</A>.<P>
|
|
|
|
<!--#include virtual="footer.html" -->
|
|
</BODY>
|
|
</HTML>
|
|
|