32N/A<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">

32N/A<HTML>

943N/A<HEAD>

32N/A<TITLE>Apache module mod_auth</TITLE>

32N/A</HEAD>

919N/A

919N/A<BODY

919N/A BGCOLOR="#FFFFFF"

919N/A TEXT="#000000"

919N/A LINK="#0000FF"

919N/A VLINK="#000080"

919N/A ALINK="#FF0000"

919N/A>

919N/A

919N/A<H1 ALIGN="CENTER">Module mod_auth</H1>

919N/A

919N/A<P>This module provides for user authentication using text files.

919N/A

919N/A<P><A

32N/A><STRONG>Status:</STRONG></A> Base

32N/A<BR>

32N/A<A

32N/A><STRONG>Source File:</STRONG></A> mod_auth.c

851N/A<BR>

32N/A<A

911N/A><STRONG>Module Identifier:</STRONG></A> auth_module

911N/A</P>

32N/A

606N/A<H2>Summary</H2>

32N/A

970N/A<P>This module allows the use of HTTP Basic Authentication to restrict

970N/Aaccess by looking up users in plain text password and group files.

970N/ASimilar functionality and greater scalability is provided by <A

970N/AHREF="mod_auth_dbm.html">mod_auth_dbm</A> and <A

970N/AHREF="mod_auth_db.html">mod_auth_db</A>. HTTP Digest Authentication

970N/Ais provided by <A HREF="mod_auth_digest.html">mod_auth_digest</A>.

970N/A

970N/A

32N/A<H2>Directives</H2>

32N/A

<UL>

<LI><A HREF="#authgroupfile">AuthGroupFile</A>

<LI><A HREF="#authuserfile">AuthUserFile</A>

<LI><A HREF="#authauthoritative">AuthAuthoritative</A>

</UL>

<P>See also: <A HREF="core.html#require">require</A>

and <A HREF="core.html#satisfy">satisfy</A>.</P>

<HR>

<H2><A NAME="authgroupfile">AuthGroupFile</A> directive</H2>

<A

HREF="directive-dict.html#Syntax"

REL="Help"

><STRONG>Syntax:</STRONG></A> AuthGroupFile <EM>filename</EM><BR>

<A

HREF="directive-dict.html#Context"

REL="Help"

><STRONG>Context:</STRONG></A> directory, .htaccess<BR>

<A

HREF="directive-dict.html#Override"

REL="Help"

><STRONG>Override:</STRONG></A> AuthConfig<BR>

<A

HREF="directive-dict.html#Status"

REL="Help"

><STRONG>Status:</STRONG></A> Base<BR>

<A

HREF="directive-dict.html#Module"

REL="Help"

><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthGroupFile directive sets the name of a textual file containing the list

of user groups for user authentication. <EM>Filename</EM> is the path

to the group file. If it is not absolute (<EM>i.e.</EM>, if it

doesn't begin with a slash), it is treated as relative to the ServerRoot.

<P>

Each line of the group file contains a groupname followed by a colon, followed

by the member usernames separated by spaces. Example:

<BLOCKQUOTE><CODE>mygroup: bob joe anne</CODE></BLOCKQUOTE>

Note that searching large text files is <EM>very</EM> inefficient;

<A HREF="mod_auth_dbm.html#authdbmgroupfile">AuthDBMGroupFile</A> should

be used instead.<P>

Security: make sure that the AuthGroupFile is stored outside the

document tree of the web-server; do <EM>not</EM> put it in the directory that

it protects. Otherwise, clients will be able to download the AuthGroupFile.<P>

See also <A HREF="core.html#authname">AuthName</A>,

<A HREF="core.html#authtype">AuthType</A> and

<A HREF="#authuserfile">AuthUserFile</A>.<P><HR>

<H2><A NAME="authuserfile">AuthUserFile</A> directive</H2>

<A

HREF="directive-dict.html#Syntax"

REL="Help"

><STRONG>Syntax:</STRONG></A> AuthUserFile <EM>filename</EM><BR>

<A

HREF="directive-dict.html#Context"

REL="Help"

><STRONG>Context:</STRONG></A> directory, .htaccess<BR>

<A

HREF="directive-dict.html#Override"

REL="Help"

><STRONG>Override:</STRONG></A> AuthConfig<BR>

<A

HREF="directive-dict.html#Status"

REL="Help"

><STRONG>Status:</STRONG></A> Base<BR>

<A

HREF="directive-dict.html#Module"

REL="Help"

><STRONG>Module:</STRONG></A> mod_auth<P>

The AuthUserFile directive sets the name of a textual file containing

the list of users and passwords for user

authentication. <EM>Filename</EM> is the path to the user

file. If it is not absolute (<EM>i.e.</EM>, if it doesn't begin with a

slash), it is treated as relative to the ServerRoot.

<P> Each line of the user file file contains a username followed

by a colon, followed by the crypt() encrypted password. The behavior

of multiple occurrences of the same user is undefined.

<P>

The utility <code>htpasswd</code> which is installed as part of the

binary distribution, or which can be found in <code>src/support</code>,

is used to maintain this password file. See the <code>man</code>

page for more details. In short

<p>

<blockquote>

<code>htpasswd -c Filename username</code><br>

Create a password file 'Filename' with 'username'

as the initial ID. It will prompt for the password.

<code>htpasswd Filename username2</code><br>

Adds or modifies in password file 'Filename' the 'username'.

</blockquote>

<P> Note that

searching large text files is <EM>very</EM> inefficient;

<A HREF="mod_auth_dbm.html#authdbmuserfile">AuthDBMUserFile</A> should be

used instead.

<P>

Security: make sure that the AuthUserFile is stored outside the

document tree of the web-server; do <EM>not</EM> put it in the directory that

it protects. Otherwise, clients will be able to download the AuthUserFile.<P>

See also <A HREF="core.html#authname">AuthName</A>,

<A HREF="core.html#authtype">AuthType</A> and

<A HREF="#authgroupfile">AuthGroupFile</A>.<P>

<HR>

<H2><A NAME="authauthoritative">AuthAuthoritative</A> directive</H2>

<A

HREF="directive-dict.html#Syntax"

REL="Help"

><STRONG>Syntax:</STRONG></A> AuthAuthoritative &lt;

<STRONG> on</STRONG>(default) | off &gt; <BR>

<A

HREF="directive-dict.html#Context"

REL="Help"

><STRONG>Context:</STRONG></A> directory, .htaccess<BR>

<A

HREF="directive-dict.html#Override"

REL="Help"

><STRONG>Override:</STRONG></A> AuthConfig<BR>

<A

HREF="directive-dict.html#Status"

REL="Help"

><STRONG>Status:</STRONG></A> Base<BR>

<A

HREF="directive-dict.html#Module"

REL="Help"

><STRONG>Module:</STRONG></A> mod_auth<P>

Setting the AuthAuthoritative directive explicitly to <STRONG>'off'</STRONG>

allows for both authentication and authorization to be passed on to

lower level modules (as defined in the <CODE>Configuration</CODE> and

<CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or

<STRONG>rule</STRONG> matching the supplied userID. If there is a userID and/or

rule specified; the usual password and access checks will be applied

and a failure will give an Authorization Required reply.

<P>

So if a userID appears in the database of more than one module; or if

a valid <CODE>Require</CODE> directive applies to more than one module; then the

first module will verify the credentials; and no access is passed on;

regardless of the AuthAuthoritative setting.

<P>

A common use for this is in conjunction with one of the database

modules; such as <A

HREF="mod_auth_db.html"><CODE>mod_auth_db.c</CODE></A>, <A

HREF="mod_auth_dbm.html"><CODE>mod_auth_dbm.c</CODE></A>,

<CODE>mod_auth_msql.c</CODE>, and <A

HREF="mod_auth_anon.html"><CODE>mod_auth_anon.c</CODE></A>. These modules

supply the bulk of the user credential checking; but a few

(administrator) related accesses fall through to a lower level with a

well protected AuthUserFile.

<P>

<A

HREF="directive-dict.html#Default"

REL="Help"

><STRONG>Default:</STRONG></A> By default; control is not passed on; and an

unknown

userID or rule will result in an Authorization Required reply. Not

setting it thus keeps the system secure; and forces an NCSA compliant

behaviour.

<P>

Security: Do consider the implications of allowing a user to allow

fall-through in his .htaccess file; and verify that this is really

what you want; Generally it is easier to just secure a single

.htpasswd file, than it is to secure a database such as mSQL. Make

sure that the AuthUserFile is stored outside the document tree of the

web-server; do <EM>not</EM> put it in the directory that it

protects. Otherwise, clients will be able to download the

AuthUserFile.

<P>

See also <A HREF="core.html#authname">AuthName</A>,

<A HREF="core.html#authtype">AuthType</A> and

<A HREF="#authgroupfile">AuthGroupFile</A>.<P>

</BODY>

</HTML>