2N/A<!
DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
2N/A<
TITLE>Apache module mod_auth</
TITLE>
2N/A<!-- Background white, links blue (unvisited), navy (visited), red (active) --> 2N/A<
H1 ALIGN="CENTER">Module mod_auth</
H1>
2N/A<
P>This module provides for user authentication using text files.
2N/A><
STRONG>Status:</
STRONG></
A> Base
2N/A><
STRONG>Module Identifier:</
STRONG></
A> auth_module
2N/A<
P>This module allows the use of HTTP Basic Authentication to restrict
2N/Aaccess by looking up users in plain text password and group files.
2N/ASimilar functionality and greater scalability is provided by <
A 2N/A<
LI><
A HREF="#authgroupfile">AuthGroupFile</
A>
2N/A<
LI><
A HREF="#authuserfile">AuthUserFile</
A>
2N/A<
LI><
A HREF="#authauthoritative">AuthAuthoritative</
A>
2N/A<
H2><
A NAME="authgroupfile">AuthGroupFile</
A> directive</
H2>
2N/A<!--%plaintext <?INDEX {\tt AuthGroupFile} directive> --> 2N/A><
STRONG>Syntax:</
STRONG></
A> AuthGroupFile <
EM>filename</
EM><
BR>
2N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
2N/A><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
2N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
2N/A><
STRONG>Module:</
STRONG></
A> mod_auth<
P>
2N/AThe AuthGroupFile directive sets the name of a textual file containing the list
2N/Aof user groups for user authentication. <
EM>Filename</
EM> is the path
2N/Ato the group file. If it is not absolute (<
EM>
i.e.</
EM>, if it
2N/Adoesn't begin with a slash), it is treated as relative to the ServerRoot.
2N/AEach line of the group file contains a groupname followed by a colon, followed
2N/Aby the member usernames separated by spaces. Example:
2N/A<
BLOCKQUOTE><
CODE>mygroup: bob joe anne</
CODE></
BLOCKQUOTE>
2N/ANote that searching large text files is <
EM>very</
EM> inefficient;
2N/ASecurity: make sure that the AuthGroupFile is stored outside the
2N/Adocument tree of the web-server; do <
EM>not</
EM> put it in the directory that
2N/Ait protects. Otherwise, clients will be able to download the AuthGroupFile.<
P>
2N/A<
A HREF="#authuserfile">AuthUserFile</
A>.<
P><
HR>
2N/A<
H2><
A NAME="authuserfile">AuthUserFile</
A> directive</
H2>
2N/A<!--%plaintext <?INDEX {\tt AuthUserFile} directive> --> 2N/A><
STRONG>Syntax:</
STRONG></
A> AuthUserFile <
EM>filename</
EM><
BR>
2N/A><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
2N/A><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
2N/A><
STRONG>Status:</
STRONG></
A> Base<
BR>
2N/A><
STRONG>Module:</
STRONG></
A> mod_auth<
P>
2N/AThe AuthUserFile directive sets the name of a textual file containing
2N/Athe list of users and passwords for user
2N/Aauthentication. <
EM>Filename</
EM> is the path to the user
2N/Afile. If it is not absolute (<
EM>
i.e.</
EM>, if it doesn't begin with a
2N/Aslash), it is treated as relative to the ServerRoot.
2N/A<
P> Each line of the user file file contains a username followed
2N/Aby a colon, followed by the crypt() encrypted password. The behavior
2N/Aof multiple occurrences of the same user is undefined.
2N/AThe utility <
code>htpasswd</
code> which is installed as part of the
2N/Abinary distribution, or which can be found in <
code>
src/
support</
code>,
2N/Ais used to maintain this password file. See the <
code>man</
code>
2N/Apage for more details. In short
2N/A <
code>htpasswd -c Filename username</
code><
br>
2N/A Create a password file 'Filename' with 'username'
2N/A as the initial ID. It will prompt for the password.
2N/A <
code>htpasswd Filename username2</
code><
br>
Adds or modifies in password file 'Filename' the 'username'.
searching large text files is <
EM>very</
EM> inefficient;
Security: make sure that the AuthUserFile is stored outside the
document tree of the web-server; do <
EM>not</
EM> put it in the directory that
it protects. Otherwise, clients will be able to download the AuthUserFile.<
P>
See also <
A HREF="core.html#authname">AuthName</
A>,
<
A HREF="core.html#authtype">AuthType</
A> and
<
A HREF="#authgroupfile">AuthGroupFile</
A>.<
P>
<
H2><
A NAME="authauthoritative">AuthAuthoritative</
A> directive</
H2>
<!--%plaintext <?INDEX {\tt AuthAuthoritative} directive> --> ><
STRONG>Syntax:</
STRONG></
A> AuthAuthoritative <
<
STRONG> on</
STRONG>(default) | off > <
BR>
><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
><
STRONG>Status:</
STRONG></
A> Base<
BR>
><
STRONG>Module:</
STRONG></
A> mod_auth<
P>
Setting the AuthAuthoritative directive explicitly to <
STRONG>'off'</
STRONG>
allows for both authentication and authorization to be passed on to
lower level modules (as defined in the <
CODE>Configuration</
CODE> and
<
CODE>
modules.c</
CODE> files) if there is <
STRONG>no userID</
STRONG> or
<
STRONG>rule</
STRONG> matching the supplied userID. If there is a userID
and/
orrule specified; the usual password and access checks will be applied
and a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module; or if
a valid <
CODE>Require</
CODE> directive applies to more than one module; then the
first module will verify the credentials; and no access is passed on;
regardless of the AuthAuthoritative setting.
A common use for this is in conjunction with one of the database
supply the bulk of the user credential checking; but a few
(administrator) related accesses fall through to a lower level with a
well protected AuthUserFile.
><
STRONG>Default:</
STRONG></
A> By default; control is not passed on; and an
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure; and forces an NCSA compliant
Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really
what you want; Generally it is easier to just secure a single
.htpasswd file, than it is to secure a database such as mSQL. Make
sure that the AuthUserFile is stored outside the document tree of the
web-server; do <
EM>not</
EM> put it in the directory that it
protects. Otherwise, clients will be able to download the
See also <
A HREF="core.html#authname">AuthName</
A>,
<
A HREF="core.html#authtype">AuthType</
A> and
<
A HREF="#authgroupfile">AuthGroupFile</
A>.<
P>