<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<TITLE>Apache module mod_auth_dbm</TITLE>
<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<H1 ALIGN="CENTER">Module mod_auth_dbm</H1>
is not compiled in by default. It provides for user authentication using
<UL>
<LI><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
<LI><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
<LI><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
</UL>
<H2><A NAME="authdbmgroupfile">AuthDBMGroupFile</A></H2>
<!--%plaintext <?INDEX {\tt AuthDBMGroupFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMGroupFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
<STRONG>Override:</STRONG> AuthConfig<BR>
<STRONG>Status:</STRONG> Extension<BR>
<STRONG>Module:</STRONG> mod_auth_dbm<P>
The AuthDBMGroupFile directive sets the name of a DBM file containing the list
of user groups for user authentication. <EM>Filename</EM> is the absolute path
to the group file.<P>
The group file is keyed on the username. The value for a user is a
comma-separated list of the groups to which the user belongs. There must
be no whitespace within the value, and it must never contain any colons.<P>
Security: make sure that the AuthDBMGroupFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMGroupFile unless otherwise protected.<P>
Combining Group and Password DBM files: In some cases it is easier to
manage a single database which contains both the password and group
details for each user. This simplifies any support programs that need
to be written: they now only have to deal with writing to and locking
a single DBM file. This can be accomplished by first setting the group
and password files to point to the same DBM:<P>
The key for the single DBM is the username. The value consists of<P>
Unix Crypt-ed Password : List of Groups [ : (ignored) ]<P>
The password section contains the Unix crypt() password as before. This is
followed by a colon and the comma separated list of groups. Other data may
optionally be left in the DBM file after another colon; it is ignored by the
password and group database.<P>
<A HREF="#authdbmuserfile">AuthDBMUserFile</A>.<P>
<HR>
<H2><A NAME="authdbmuserfile">AuthDBMUserFile</A></H2>
<!--%plaintext <?INDEX {\tt AuthDBMUserFile} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMUserFile <EM>filename</EM><BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
<STRONG>Override:</STRONG> AuthConfig<BR>
<STRONG>Status:</STRONG> Extension<BR>
<STRONG>Module:</STRONG> mod_auth_dbm<P>
The AuthDBMUserFile directive sets the name of a DBM file containing the list
of users and passwords for user authentication. <EM>Filename</EM> is the
absolute path to the user file.<P>
The user file is keyed on the username. The value for a user is the
crypt() encrypted password, optionally followed by a colon and
arbitrary data. The colon and the data following it will be ignored<P>
Security: make sure that the AuthDBMUserFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the<P>
Important compatibility note: The implementation of "dbmopen" in the
Apache modules reads the string length of the hashed values from the
DBM data structures, rather than relying upon the string being
NULL-appended. Some applications, such as the Netscape web server,
rely upon the string being NULL-appended, so if you are having trouble
using DBM files interchangeably between applications this may be a
part of the problem.<P>
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>
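An added example, not part of the original page or of the Apache distribution: a Python check that parses values in the combined "password : groups [ : (ignored) ]" layout described under AuthDBMGroupFile, and reports the document-tree placement and NUL-termination issues noted under AuthDBMUserFile. The sample records, the paths under <CODE>/www</CODE> and all function names are assumptions made for the illustration; stripping a trailing NUL before parsing is this example's choice, not documented module behaviour.<P>

```python
import os

def parse_value(raw: bytes):
    """Split one DBM value laid out as hash[:group,group[:ignored]].

    A trailing NUL is dropped so values from tools that NUL-terminate
    their strings parse the same as length-delimited ones."""
    fields = raw.rstrip(b"\0").decode("latin-1").split(":", 2)
    group_field = fields[1] if len(fields) > 1 else ""
    if any(ch.isspace() for ch in group_field):
        raise ValueError("whitespace in group list")
    return fields[0], [g for g in group_field.split(",") if g]

def inside_docroot(dbm_path: str, docroot: str) -> bool:
    """True if the DBM file lies under the document tree."""
    root = os.path.realpath(docroot)
    return os.path.commonpath([os.path.realpath(dbm_path), root]) == root

def audit(records, dbm_path: str, docroot: str):
    """Return findings for a combined user/group database (a mapping)."""
    findings = []
    if inside_docroot(dbm_path, docroot):
        findings.append(f"{dbm_path}: stored inside document tree {docroot}")
    for user, raw in records.items():
        if raw.endswith(b"\0"):
            findings.append(f"{user}: value is NUL-terminated")
        try:
            pw_hash, _groups = parse_value(raw)
        except ValueError as exc:
            findings.append(f"{user}: {exc}")
            continue
        if not pw_hash:
            findings.append(f"{user}: empty password field")
    return findings

# Constructed records; the password fields are placeholders, not crypt() output.
SAMPLE = {
    "alice": b"XXXXXXXXXXXXX:staff,admin",
    "bob": b"XXXXXXXXXXXXX:staff:Bob Example, room 12",
    "carol": b"XXXXXXXXXXXXX:staff, ops",   # whitespace in the group list
    "dave": b"XXXXXXXXXXXXX:web\0",         # written with a trailing NUL
}

if __name__ == "__main__":
    # Hypothetical paths: a DBM file placed under the document root.
    for line in audit(SAMPLE, "/www/htdocs/private/users", "/www/htdocs"):
        print(line)
```

<P>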
<H2><A NAME="authdbmauthoritative">AuthDBMAuthoritative</A></H2>
<!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> -->
<STRONG>Syntax:</STRONG> AuthDBMAuthoritative &lt; <STRONG>on</STRONG> (default) | off &gt;<BR>
<STRONG>Context:</STRONG> directory, .htaccess<BR>
<STRONG>Override:</STRONG> AuthConfig<BR>
<STRONG>Status:</STRONG> Base<BR>
<STRONG>Module:</STRONG> mod_auth<P>
Setting the AuthDBMAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on
to lower level modules (as defined in the <CODE>Configuration</CODE>
and <CODE>modules.c</CODE> files) if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
and/or rule specified, the usual password and access checks will
be applied and a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module, or
if a valid require directive applies to more than one module, then
the first module will verify the credentials, and no access is
passed on, regardless of the AuthAuthoritative setting.<P>
A common use for this is in conjunction with one of the basic auth
Whereas this DBM module supplies the bulk of the user credential
checking, a few (administrator) related accesses fall through to
a lower level with a well protected .htpasswd file.<P>
<STRONG>Default:</STRONG> By default, control is not passed on, and an unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure, and forces an NCSA compliant<P>
Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file, and verify that this is really
what you want. Generally it is easier to just secure a single
.htpasswd file than it is to secure a database which might have
more access interfaces.<P>
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>