mod_auth_dbm.html revision 25503838e438bb909e3ff880125732c7ed5e64ad
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<!--#include virtual="header.html" -->
This module is contained in the <CODE>mod_auth_dbm.c</CODE> file, and
is not compiled in by default. It provides for user authentication using
<UL>
<LI><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
<LI><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
<LI><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
</UL>
<A name="authdbmgroupfile"><H2>AuthDBMGroupFile</H2></A>
<!--%plaintext <?INDEX {\tt AuthDbmGroupFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMGroupFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
The AuthDBMGroupFile directive sets the name of a DBM file containing the list
of user groups for user authentication. <EM>Filename</EM> is the absolute path
to the group file.<P>
The group file is keyed on the username. The value for a user is a
comma-separated list of the groups to which the user belongs. There must
be no whitespace within the value, and it must never contain any colons.<P>
Security: make sure that the AuthDBMGroupFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMGroupFile unless otherwise protected.<P>
Combining Group and Password DBM files: In some cases it is easier to
manage a single database which contains both the password and group
details for each user. This simplifies any support programs that need
to be written: they now only have to deal with writing to and locking
a single DBM file. This can be accomplished by first setting the group
and password files to point to the same DBM:<P>
The key for the single DBM is the username. The value consists of <P>
<CODE>Unix Crypt-ed Password : List of Groups [ : (ignored) ]</CODE><P>
The password section contains the Unix crypt() password as before. This is
followed by a colon and the comma-separated list of groups. Other data may
optionally be left in the DBM file after another colon; it is ignored by the
authentication module. This is what www.telescope.org uses for its combined
password and group database. <P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmuserfile">AuthDBMUserFile</A>.<P><HR>
<A name="authdbmuserfile"><H2>AuthDBMUserFile</H2></A>
<!--%plaintext <?INDEX {\tt AuthDBMUserFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMUserFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
The AuthDBMUserFile directive sets the name of a DBM file containing the list
of users and passwords for user authentication. <EM>Filename</EM> is the
absolute path to the user file.<P>
The user file is keyed on the username. The value for a user is the
crypt() encrypted password, optionally followed by a colon and
arbitrary data. The colon and the data following it will be ignored
by the server.<P>
Security: make sure that the AuthDBMUserFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMUserFile.<P>
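One way to check the storage rule above, which applies equally to AuthDBMGroupFile, is shown here as an added example that is not part of the original documentation. The suffix list is an assumption about which DBM library the server was built with, and demo() builds a constructed throwaway layout.

```python
import os
import tempfile

# Suffixes DBM libraries commonly append to the configured name (ndbm/sdbm:
# .dir and .pag, Berkeley DB: .db); "" is the name used exactly as given.
DBM_SUFFIXES = ("", ".dir", ".pag", ".db")


def _within(path, root):
    return os.path.commonpath([path, root]) == root


def exposed_dbm_files(configured, document_root):
    """Files behind an AuthDBM*File value that lie in the document tree."""
    roots = {os.path.abspath(document_root), os.path.realpath(document_root)}
    exposed = []
    for suffix in DBM_SUFFIXES:
        path = configured + suffix
        if not os.path.lexists(path):
            continue
        # Compare both the name as written and the symlink-resolved target.
        forms = {os.path.abspath(path), os.path.realpath(path)}
        if any(_within(f, r) for f in forms for r in roots):
            exposed.append(os.path.basename(path))
    return exposed


def demo():
    """Constructed layout: a DBM inside htdocs, one outside, one symlinked."""
    with tempfile.TemporaryDirectory() as top:
        docroot = os.path.join(top, "htdocs")
        members = os.path.join(docroot, "members")
        auth = os.path.join(top, "auth")
        os.makedirs(members)
        os.makedirs(auth)
        for name in ("users.dir", "users.pag"):
            open(os.path.join(members, name), "wb").close()
        open(os.path.join(auth, "users.db"), "wb").close()
        # A name outside htdocs that is only a symlink back into it.
        os.symlink(os.path.join(members, "users.pag"),
                   os.path.join(auth, "alias.pag"))
        return {
            "inside": exposed_dbm_files(os.path.join(members, "users"), docroot),
            "outside": exposed_dbm_files(os.path.join(auth, "users"), docroot),
            "symlink": exposed_dbm_files(os.path.join(auth, "alias"), docroot),
        }


if __name__ == "__main__":
    print(demo())
```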
Important compatibility note: The implementation of "dbmopen" in the
Apache modules reads the string length of the hashed values from the
DBM data structures, rather than relying upon the string being
NULL-appended. Some applications, such as the Netscape web server,
rely upon the string being NULL-appended, so if you are having trouble
using DBM files interchangeably between applications this may be a
part of the problem. <P>
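The record layouts described for AuthDBMGroupFile, the combined DBM and AuthDBMUserFile, together with the NULL-appended case from the compatibility note, can be checked with a small audit. This is an added example, not part of the original documentation or of Apache: the sample records and password placeholders are constructed, and the rule that a value without a colon is a plain group list is an assumption.

```python
import re

# Constructed sample: key -> value exactly as stored (bytes and lengths).
# The password fields are placeholders, not real crypt() output.
SAMPLE = {
    b"alice": b"aaPLACEHOLDER1:staff,admin:Alice Example",
    b"bob": b"bbPLACEHOLDER2:staff",
    b"carol": b"ccPLACEHOLDER3:staff, ops",   # whitespace in the group list
    b"dave\x00": b"ddPLACEHOLDER4:ops\x00",   # written by a NUL-appending tool
}


def split_value(value):
    """Return the (password, groups, ignored) fields of a combined value."""
    fields = value.split(b":", 2)
    return tuple(fields + [b""] * (3 - len(fields)))


def groups_of(value):
    """Group list: the whole value in a plain group file, otherwise the
    second field (assumed rule for telling the two layouts apart)."""
    field = value if b":" not in value else split_value(value)[1]
    return [g for g in field.split(b",") if g]


def audit(records):
    """Return (key, problem) pairs for a combined password-and-group DBM."""
    findings = []
    for key, value in records.items():
        if key.endswith(b"\x00") or value.endswith(b"\x00"):
            # A reader that trusts the stored length sees this extra byte.
            findings.append((key, "NUL-appended"))
            value = value.rstrip(b"\x00")
        password, groups, _ = split_value(value)
        if not password:
            findings.append((key, "empty password field"))
        if re.search(rb"\s", groups):
            findings.append((key, "whitespace in group list"))
    return findings


if __name__ == "__main__":
    for key, problem in audit(SAMPLE):
        print(key, problem)
```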
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
<A name="authdbmauthoritative"><H2>AuthDBMAuthoritative</H2></A>
<!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMAuthoritative &lt; <STRONG>on</STRONG> (default) | off &gt;<BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
Setting the AuthDBMAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on
to lower level modules (as defined in the <CODE>Configuration</CODE>
and <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
and/or rule specified, the usual password and access checks will
be applied and a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module, or
if a valid require directive applies to more than one module, then
the first module will verify the credentials, and no access is
passed on, regardless of the AuthAuthoritative setting. <P>
A common use for this is in conjunction with one of the basic auth
modules, such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
Whereas this DBM module supplies the bulk of the user credential
checking, a few (administrator) related accesses fall through to
a lower level with a well protected .htpasswd file. <P>
<STRONG>Default:</STRONG> By default, control is not passed on, and an unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure and forces an NCSA compliant
behaviour. <P>
Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file, and verify that this is really
what you want. Generally it is easier to just secure a single
.htpasswd file than it is to secure a database which might have
more access interfaces. <P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
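The fall-through rules of this section can be modelled in a few lines. This is an added example, not Apache code and not part of the original documentation. It covers only the userID half (no require rules), uses SHA-256 as a stand-in for crypt(), treats DENY as the Authorization Required reply, and all users and passwords are constructed.

```python
import hashlib
import hmac


def _hash(password):
    # Stand-in for crypt(), so the example runs on any Python install.
    return hashlib.sha256(password.encode()).hexdigest()


class AuthModule:
    def __init__(self, name, users, authoritative=True):
        self.name = name
        self.users = {u: _hash(p) for u, p in users.items()}
        self.authoritative = authoritative

    def check(self, user, password):
        stored = self.users.get(user)
        if stored is None:
            # Unknown userID: only a non-authoritative module passes it on.
            return "DENY" if self.authoritative else "PASS"
        # Known userID: this module decides, whatever the setting.
        return "ALLOW" if hmac.compare_digest(stored, _hash(password)) else "DENY"


def authenticate(chain, user, password):
    """Walk the modules in order; return (verdict, deciding module name)."""
    for module in chain:
        verdict = module.check(user, password)
        if verdict != "PASS":
            return verdict, module.name
    return "UNCLAIMED", None  # every module passed; not covered by the page


def build_chain(dbm_authoritative):
    # Constructed users and passwords, for illustration only.
    dbm = AuthModule("mod_auth_dbm", {"alice": "dbm-secret"}, dbm_authoritative)
    htpasswd = AuthModule("mod_auth", {"admin": "admin-secret", "alice": "file-secret"})
    return [dbm, htpasswd]


if __name__ == "__main__":
    chain = build_chain(dbm_authoritative=False)
    for user, pw in [("alice", "dbm-secret"), ("admin", "admin-secret"),
                     ("alice", "file-secret"), ("mallory", "guess")]:
        print(user, authenticate(chain, user, pw))
```

The third case is the one to note: alice is known to the DBM module, so her failed check there is final even though the password would match the lower-level file.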
<!--#include virtual="footer.html" -->