mod_auth.html revision 2eaf662cbc81e823e8d9aeb8d54e69e63032493e
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Apache module mod_auth</title>
</head>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<body bgcolor="#FFFFFF" text="#000000" link="#0000FF"
vlink="#000080" alink="#FF0000">
<!--#include virtual="header.html" -->
<h1 align="CENTER">Module mod_auth</h1>
<p>This module provides for user authentication using text
files.</p>
<p><a href="module-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Base<br />
<a href="module-dict.html#ModuleIdentifier"
rel="Help"><strong>Module Identifier:</strong></a>
auth_module</p>
<h2>Summary</h2>
<p>This module allows the use of HTTP Basic Authentication to
restrict access by looking up users in plain text password and
group files. Similar functionality and greater scalability are
provided by <a href="mod_auth_db.html">mod_auth_db</a>. HTTP Digest
Authentication is provided by</p>
<h2>Directives</h2>
<ul>
<li><a href="#authgroupfile">AuthGroupFile</a></li>
<li><a href="#authuserfile">AuthUserFile</a></li>
<li><a href="#authauthoritative">AuthAuthoritative</a></li>
</ul>
<hr />
<h2><a id="authgroupfile"
name="authgroupfile">AuthGroupFile</a> directive</h2>
<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> -->
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthGroupFile
<em>file-path</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Base<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth
<p>The AuthGroupFile directive sets the name of a textual file
containing the list of user groups for user authentication.
<em>File-path</em> is the path to the group file. If it is not
absolute, it is treated as relative to the ServerRoot.</p>
<p>Each line of the group file contains a groupname followed by
a colon, followed by the member usernames separated by spaces.
Example:</p>
<blockquote>
<code>mygroup: bob joe anne</code>
</blockquote>
<p>Note that searching large text files is <em>very</em>
inefficient; <a
href="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</a>
should be used instead.</p>
<p>Security: make sure that the AuthGroupFile is stored outside
the document tree of the web-server; do <em>not</em> put it in
the directory that it protects. Otherwise, clients will be able
to download the AuthGroupFile.</p>
<p>See also <a href="#authuserfile">AuthUserFile</a>.</p>
<hr />
<h2><a id="authuserfile" name="authuserfile">AuthUserFile</a>
directive</h2>
<!--%plaintext <?INDEX {\tt AuthUserFile} directive> -->
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthUserFile
<em>file-path</em><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Base<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth
<p>The AuthUserFile directive sets the name of a textual file
containing the list of users and passwords for user
authentication. <em>File-path</em> is the path to the user
file. If it is not absolute (that is, if it does not begin
with a slash), it is treated as relative to the ServerRoot.</p>
<p>Each line of the user file contains a username followed
by a colon, followed by the crypt() encrypted password. The
behavior of multiple occurrences of the same user is
undefined.</p>
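<p>The two file formats described above can be checked mechanically. The following lint is an added example, not part of the original Apache documentation or of mod_auth itself: it flags usernames that occur more than once in the user file (where behavior is undefined) and, as an extra consistency check beyond what this page requires, group members with no password entry. The sample data is constructed and the hash fields are placeholders.</p>

```python
# Constructed sample files; the hash fields are placeholders, not real crypt() output.
SAMPLE_USERS = """\
bob:PLACEHOLDERHASH1
joe:PLACEHOLDERHASH2
bob:PLACEHOLDERHASH3
"""
SAMPLE_GROUPS = "mygroup: bob joe anne\n"


def parse_user_file(text):
    """Return ({username: hash}, [usernames seen more than once])."""
    users, duplicates = {}, []
    for line in text.splitlines():
        line = line.strip()
        if ":" not in line:
            continue  # not a "username:hash" record
        name, pw_hash = line.split(":", 1)
        if name in users and name not in duplicates:
            duplicates.append(name)
        users.setdefault(name, pw_hash)  # keep the first entry for reporting
    return users, duplicates


def parse_group_file(text):
    """Return {groupname: [member usernames]} from 'group: user user ...' lines."""
    groups = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        group, members = line.split(":", 1)
        groups.setdefault(group.strip(), []).extend(members.split())
    return groups


def lint(user_text, group_text):
    """Return a list of human-readable problems found in the two files."""
    users, duplicates = parse_user_file(user_text)
    problems = [f"user '{u}' appears more than once (behavior undefined)"
                for u in duplicates]
    for group, members in parse_group_file(group_text).items():
        for member in members:
            if member not in users:
                problems.append(
                    f"group '{group}' lists '{member}', who has no password entry")
    return problems
```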
<p>The <code>htpasswd</code> utility,
which is installed as part of the binary distribution, manages
this password file. See the <code>man</code> page for more
details. In short:</p>
<blockquote>
<code>htpasswd -c Filename username</code><br />
Create a password file 'Filename' with 'username' as the
initial ID. It will prompt for the password.<br />
<br />
<code>htpasswd Filename username2</code><br />
Adds or modifies 'username2' in the password file 'Filename'.
</blockquote>
<p>Note that searching large text files is <em>very</em>
inefficient; <a
href="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</a>
should be used instead.</p>
<p>Security: make sure that the AuthUserFile is stored outside
the document tree of the web-server; do <em>not</em> put it in
the directory that it protects. Otherwise, clients will be able
to download the AuthUserFile.</p>
<p>See also <a href="#authgroupfile">AuthGroupFile</a>.</p>
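<p>The security notes for AuthUserFile and AuthGroupFile can be turned into a configuration audit. The following is an added example, not part of the original Apache documentation: it resolves each <em>file-path</em> against ServerRoot when it is relative, then reports files that end up inside the protected directory or the document tree. The sample configuration and all of its paths are constructed, and only unnested <code>&lt;Directory&gt;</code> blocks are handled.</p>

```python
import posixpath
import re

# Constructed sample configuration; every path here is an assumption.
SAMPLE_CONFIG = """\
ServerRoot /usr/local/apache
DocumentRoot /usr/local/apache/htdocs
<Directory /usr/local/apache/htdocs/private>
AuthUserFile htdocs/private/.htpasswd
AuthGroupFile conf/groups
</Directory>
<Directory /usr/local/apache/htdocs/staff>
AuthUserFile /usr/local/apache/htdocs/shared/passwd
AuthGroupFile /etc/apache/groups
</Directory>
"""

def _inside(path, root):
    """True if path is root itself or lies beneath it."""
    return path == root or path.startswith(root.rstrip("/") + "/")

def audit_auth_files(config_text):
    """Return (directive, resolved_path, reason) for each exposed auth file."""
    server_root, doc_root, protected, seen = "/", None, None, []
    for line in map(str.strip, config_text.splitlines()):
        opened = re.match(r'<Directory\s+"?([^">]+)"?\s*>', line, re.I)
        if opened:
            protected = posixpath.normpath(opened.group(1).strip())
        elif re.match(r"</Directory\s*>", line, re.I):
            protected = None
        elif len(line.split(None, 1)) == 2 and not line.startswith("#"):
            name, value = line.split(None, 1)
            value = value.strip().strip('"')
            if name.lower() == "serverroot":
                server_root = posixpath.normpath(value)
            elif name.lower() == "documentroot":
                doc_root = posixpath.normpath(value)
            elif name.lower() in ("authuserfile", "authgroupfile"):
                seen.append((name, value, protected))
    findings = []
    for name, value, protected in seen:
        # A relative file-path is resolved against ServerRoot, as the page states.
        path = posixpath.normpath(posixpath.join(server_root, value))
        if protected and _inside(path, protected):
            findings.append((name, path, "inside the directory it protects"))
        elif doc_root and _inside(path, doc_root):
            findings.append((name, path, "inside the document tree"))
    return findings
```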
<hr />
<h2><a id="authauthoritative"
name="authauthoritative">AuthAuthoritative</a> directive</h2>
<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> -->
<a href="directive-dict.html#Syntax"
rel="Help"><strong>Syntax:</strong></a> AuthAuthoritative
on|off<br />
<a href="directive-dict.html#Default"
rel="Help"><strong>Default:</strong></a>
<code>AuthAuthoritative on</code><br />
<a href="directive-dict.html#Context"
rel="Help"><strong>Context:</strong></a> directory,
.htaccess<br />
<a href="directive-dict.html#Override"
rel="Help"><strong>Override:</strong></a> AuthConfig<br />
<a href="directive-dict.html#Status"
rel="Help"><strong>Status:</strong></a> Base<br />
<a href="directive-dict.html#Module"
rel="Help"><strong>Module:</strong></a> mod_auth
<p>Setting the AuthAuthoritative directive explicitly to
<strong>'off'</strong> allows for both authentication and
authorization to be passed on to lower level modules (as
defined in the <code>Configuration</code> file) if there is no
<strong>userID</strong> or <strong>rule</strong> matching the supplied
userID. If there is a matching userID or rule, the usual
password and access checks will be applied and a failure will
give an Authorization Required reply.</p>
<p>So if a userID appears in the database of more than one
module, or if a valid <code>Require</code> directive applies to
more than one module, then the first module will verify the
credentials, and no access is passed on, regardless of the
AuthAuthoritative setting.</p>
<p>A common use for this is in conjunction with one of the
database modules.
These modules supply the bulk of the user credential checking,
but a few (administrator) related accesses fall through to a
lower level with a well protected AuthUserFile.</p>
<p><a href="directive-dict.html#Default"
rel="Help"><strong>Default:</strong></a> By default, control is
not passed on, and an unknown userID or rule will result in an
Authorization Required reply. Not setting it thus keeps the
system secure and forces an NCSA compliant behaviour.</p>
<p>Security: Do consider the implications of allowing a user to
allow fall-through in his .htaccess file, and verify that this
is really what you want. Generally it is easier to just secure
a single .htpasswd file than it is to secure a database such
as mSQL. Make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <em>not</em> put it in the
directory that it protects. Otherwise, clients will be able to
download the AuthUserFile.</p>
<p>See also <a href="#authgroupfile">AuthGroupFile</a>.</p>
<p><!--#include virtual="footer.html" -->
</p>
</body>
</html>