mod_auth_dbm.html revision 25503838e438bb909e3ff880125732c7ed5e64ad
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
This module is contained in the <CODE>mod_auth_dbm.c</CODE> file, and
is not compiled in by default. It provides for user authentication using
<UL>
<LI><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
<LI><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
<LI><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
</UL>
<A name="authdbmgroupfile"><H2>AuthDBMGroupFile</H2></A>
<!--%plaintext <?INDEX {\tt AuthDbmGroupFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMGroupFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
The AuthDBMGroupFile directive sets the name of a DBM file containing the list
of user groups for user authentication. <EM>Filename</EM> is the absolute path
to the group file.<P>
The group file is keyed on the username. The value for a user is a
comma-separated list of the groups to which the user belongs. There must
be no whitespace within the value, and it must never contain any colons.<P>
Security: make sure that the AuthDBMGroupFile is stored outside the
document tree of the web server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMGroupFile unless otherwise protected.<P>
Combining Group and Password DBM files: In some cases it is easier to
manage a single database which contains both the password and group
details for each user. This simplifies any support programs that need
to be written: they now only have to deal with writing to and locking
a single DBM file. This can be accomplished by first setting the group
and password files to point to the same DBM:<P>
The key for the single DBM is the username. The value consists of <P>
<BLOCKQUOTE><CODE>
Unix Crypt-ed Password : List of Groups [ : (ignored) ]
</CODE></BLOCKQUOTE>
The password section contains the Unix crypt() password as before. This is
followed by a colon and the comma-separated list of groups. Other data may
optionally be left in the DBM file after another colon; it is ignored by the
authentication module. This is what www.telescope.org uses for its combined
password and group database. <P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmuserfile">AuthDBMUserFile</A>.<P><HR>
<A name="authdbmuserfile"><H2>AuthDBMUserFile</H2></A>
<!--%plaintext <?INDEX {\tt AuthDBMUserFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMUserFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
The AuthDBMUserFile directive sets the name of a DBM file containing the list
of users and passwords for user authentication. <EM>Filename</EM> is the
absolute path to the user file.<P>
The user file is keyed on the username. The value for a user is the
crypt() encrypted password, optionally followed by a colon and
arbitrary data. The colon and the data following it will be ignored
by the server.<P>
Security: make sure that the AuthDBMUserFile is stored outside the
document tree of the web server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMUserFile.<P>
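A deployment check for the two Security notes above (AuthDBMGroupFile and AuthDBMUserFile), as an added example that is not part of the Apache documentation or source. It assumes the on-disk suffixes that common DBM libraries append (.pag/.dir for ndbm, .db for Berkeley DB) and resolves symbolic links, so a configured path that only looks like it is outside the document tree is still caught; all paths are constructed.

```python
import os
import tempfile

# Suffixes common DBM libraries add on disk (assumption: ndbm and Berkeley DB).
DBM_SUFFIXES = ("", ".pag", ".dir", ".db")


def is_inside(path, root):
    """True if path, after resolving symlinks, lies under root."""
    path, root = os.path.realpath(path), os.path.realpath(root)
    return os.path.commonpath([path, root]) == root


def exposed_files(document_root, dbm_path):
    """List existing files of the DBM that live under the document tree."""
    hits = []
    for suffix in DBM_SUFFIXES:
        candidate = dbm_path + suffix
        if os.path.exists(candidate) and is_inside(candidate, document_root):
            hits.append(os.path.realpath(candidate))
    return hits


def build_sample():
    """Constructed layout: one DBM in the docroot, one outside, one symlinked in."""
    top = tempfile.mkdtemp()
    docroot = os.path.join(top, "htdocs")
    os.makedirs(os.path.join(docroot, "members"))
    os.makedirs(os.path.join(top, "auth"))
    for name in ("htdocs/members/userbase.db",
                 "auth/userbase.pag", "auth/userbase.dir"):
        open(os.path.join(top, name), "w").close()
    # The configured name is outside the docroot, the real file is not.
    os.symlink(os.path.join(docroot, "members", "userbase.db"),
               os.path.join(top, "auth", "linked.db"))
    return top, docroot


if __name__ == "__main__":
    top, docroot = build_sample()
    for configured in ("htdocs/members/userbase", "auth/userbase", "auth/linked"):
        path = os.path.join(top, configured)
        print(configured, "->", exposed_files(docroot, path) or "not exposed")
```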
Important compatibility note: The implementation of "dbmopen" in the
Apache modules reads the string length of the hashed values from the
DBM data structures, rather than relying upon the string being
NULL-appended. Some applications, such as the Netscape web server,
rely upon the string being NULL-appended, so if you are having trouble
using DBM files interchangeably between applications this may be a
part of the problem. <P>
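An audit of the combined value format described under AuthDBMGroupFile and of the NULL-appending issue in the compatibility note above, as an added example that is not part of the Apache documentation or source. It uses Python's dbm.dumb only so that it runs anywhere (a real AuthDBMUserFile needs the DBM library the server was built with); the records and placeholder hashes are constructed.

```python
import dbm.dumb
import os
import tempfile


def parse_value(raw):
    """Split one combined DBM value into (password_hash, groups, problems)."""
    problems = []
    if raw.endswith(b"\x00"):
        # Writers that store the C string terminator produce this.
        problems.append("value is NUL-terminated")
        raw = raw.rstrip(b"\x00")
    fields = raw.decode("latin-1").split(":", 2)  # hash : groups : (ignored)
    pw_hash = fields[0]
    group_field = fields[1] if len(fields) > 1 else ""
    if not pw_hash:
        problems.append("empty password field")
    if any(ch.isspace() for ch in group_field):
        problems.append("whitespace in group list")
    groups = [g for g in group_field.split(",") if g]
    return pw_hash, groups, problems


def audit(path):
    """Return {username: [problems]} for every record that has any."""
    findings = {}
    with dbm.dumb.open(path, "r") as db:
        for key in db.keys():
            _, _, problems = parse_value(db[key])
            if key.endswith(b"\x00"):
                problems.append("key is NUL-terminated")
            if problems:
                findings[key.rstrip(b"\x00").decode("latin-1")] = problems
    return findings


def build_sample(path):
    """Constructed records; the hashes are placeholders, not crypt() output."""
    with dbm.dumb.open(path, "c") as db:
        db[b"alice"] = b"PLACEHOLDERHASH1:staff,admin:Alice Example"
        db[b"bob"] = b"PLACEHOLDERHASH2:staff, web"       # space in group list
        db[b"carol\x00"] = b"PLACEHOLDERHASH3:staff\x00"  # NUL-appending writer
    return path


if __name__ == "__main__":
    sample = build_sample(os.path.join(tempfile.mkdtemp(), "userbase"))
    for user, problems in sorted(audit(sample).items()):
        print(user, problems)
```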
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
<A name="authdbmauthoritative"><H2>AuthDBMAuthoritative</H2></A>
<!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMAuthoritative &lt; <STRONG>on</STRONG> (default) | off &gt;<BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
Setting the AuthDBMAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on
to lower level modules (as defined in the <CODE>Configuration</CODE>
and <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
and/or rule specified, the usual password and access checks will
be applied and a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module, or
if a valid require directive applies to more than one module, then
the first module will verify the credentials, and no access is
passed on, regardless of the AuthAuthoritative setting. <P>
A common use for this is in conjunction with one of the basic auth
modules, such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
Whereas this DBM module supplies the bulk of the user credential
checking, a few (administrator) related accesses fall through to
a lower level with a well protected .htpasswd file. <P>
<STRONG>Default:</STRONG> By default, control is not passed on, and an unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure and forces an NCSA compliant
behaviour. <P>
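A small model of the fall-through rule described above, as an added example that is not Apache's code. It covers only the userID lookup (not require rules); the two user stores are constructed and toy_hash is a stand-in for crypt(). It shows that a userID present in the DBM is decided there even when AuthDBMAuthoritative is off.

```python
import hashlib
import hmac

OK, DECLINED, AUTH_REQUIRED = "OK", "DECLINED", "AUTH_REQUIRED"


def toy_hash(password):
    # Stand-in for crypt(); constructed for this example only.
    return hashlib.sha256(password.encode()).hexdigest()


def check(store, authoritative, user, password):
    """One module's decision for a user/password pair."""
    stored = store.get(user)
    if stored is None:
        # Unknown userID: pass on only when the module is not authoritative.
        return AUTH_REQUIRED if authoritative else DECLINED
    # Known userID: the usual check applies, and a failure is final.
    if hmac.compare_digest(stored, toy_hash(password)):
        return OK
    return AUTH_REQUIRED


def authenticate(chain, user, password):
    """Walk the modules in order until one gives a final answer."""
    for name, store, authoritative in chain:
        result = check(store, authoritative, user, password)
        if result != DECLINED:
            return result, name
    return AUTH_REQUIRED, None  # no module claimed the user


# Constructed stores: the DBM module first, a flat-file module below it.
DBM_USERS = {"alice": toy_hash("alice-dbm-pw"), "root": toy_hash("old-root-pw")}
FLAT_USERS = {"admin": toy_hash("admin-pw"), "root": toy_hash("new-root-pw")}


def chain(dbm_authoritative):
    return [("dbm", DBM_USERS, dbm_authoritative), ("flat", FLAT_USERS, True)]


if __name__ == "__main__":
    for auth in (True, False):
        for user, pw in (("admin", "admin-pw"), ("root", "new-root-pw")):
            print("authoritative" if auth else "off", user,
                  authenticate(chain(auth), user, pw))
```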
Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file, and verify that this is really
what you want. Generally it is easier to just secure a single
.htpasswd file than it is to secure a database which might have
more access interfaces. <P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
<!--#include virtual="footer.html" -->