540N/A<!
DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
540N/A<
TITLE>Apache module mod_auth_dbm</
TITLE>
540N/A<!-- Background white, links blue (unvisited), navy (visited), red (active) --> <
H1 ALIGN="CENTER">Module mod_auth_dbm</
H1>
is not compiled in by default. It provides for user authentication using
<
LI><
A HREF="#authdbmgroupfile">AuthDBMGroupFile</
A>
<
LI><
A HREF="#authdbmuserfile">AuthDBMUserFile</
A>
<
LI><
A HREF="#authdbmauthoritative">AuthDBMAuthoritative</
A>
<
H2><
A name="authdbmgroupfile">AuthDbmGroupFile</
A></
H2>
<!--%plaintext <?INDEX {\tt AuthDbmGroupFile} directive> --> ><
STRONG>Syntax:</
STRONG></
A> AuthDBMGroupFile <
EM>filename</
EM><
BR>
><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
><
STRONG>Status:</
STRONG></
A> Extension<
BR>
><
STRONG>Module:</
STRONG></
A> mod_auth_dbm<
P>
The AuthDBMGroupFile directive sets the name of a DBM file containing the list
of user groups for user authentication. <
EM>Filename</
EM> is the absolute path
The group file is keyed on the username. The value for a user is a
comma-separated list of the groups to which the users belongs. There must
be no whitespace within the value, and it must never contain any colons.<
P>
Security: make sure that the AuthDBMGroupFile is stored outside the
document tree of the web-server; do <
EM>not</
EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMGroupFile unless otherwise protected.<
P>
Combining Group and Password DBM files: In some cases it is easier to
manage a single database which contains both the password and group
details for each user. This simplifies any support programs that need
to be written: they now only have to deal with writing to and locking
a single DBM file. This can be accomplished by first setting the group
and password files to point to the same DBM:<
P>
The key for the single DBM is the username. The value consists of <
P>
Unix Crypt-ed Password : List of Groups [ : (ignored) ]
The password section contains the Unix crypt() password as before. This is
followed by a colon and the comma separated list of groups. Other data may
optionally be left in the DBM file after another colon; it is ignored by the
password and group database. <
P>
See also <
A HREF="core.html#authname">AuthName</
A>,
<
A HREF="core.html#authtype">AuthType</
A> and
<
A HREF="#authdbmuserfile">AuthDBMUserFile</
A>.<
P><
HR>
<
H2><
A name="authdbmuserfile">AuthDBMUserFile</
A></
H2>
<!--%plaintext <?INDEX {\tt AuthDBMUserFile} directive> --> ><
STRONG>Syntax:</
STRONG></
A> AuthDBMUserFile <
EM>filename</
EM><
BR>
><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
><
STRONG>Status:</
STRONG></
A> Extension<
BR>
><
STRONG>Module:</
STRONG></
A> mod_auth_dbm<
P>
The AuthDBMUserFile directive sets the name of a DBM file containing the list
of users and passwords for user authentication. <
EM>Filename</
EM> is the
absolute path to the user file.<
P>
The user file is keyed on the username. The value for a user is the
crypt() encrypted password, optionally followed by a colon and
arbitrary data. The colon and the data following it will be ignored
Security: make sure that the AuthDBMUserFile is stored outside the
document tree of the web-server; do <
EM>not</
EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
Important compatibility note: The implementation of "dbmopen" in the
apache modules reads the string length of the hashed values from the
DBM data structures, rather than relying upon the string being
NULL-appended. Some applications, such as the Netscape web server,
rely upon the string being NULL-appended, so if you are having trouble
using DBM files interchangeably between applications this may be a
See also <
A HREF="core.html#authname">AuthName</
A>,
<
A HREF="core.html#authtype">AuthType</
A> and
<
A HREF="#authdbmgroupfile">AuthDBMGroupFile</
A>.<
P>
<
H2><
A name="authdbmauthoritative">AuthDBMAuthoritative</
A></
H2>
<!--%plaintext <?INDEX {\tt AuthDBMAuthoritative} directive> --> ><
STRONG>Syntax:</
STRONG></
A> AuthDBMAuthoritative < <
STRONG> on</
STRONG>(default) | off > <
BR>
><
STRONG>Context:</
STRONG></
A> directory, .htaccess<
BR>
><
STRONG>Override:</
STRONG></
A> AuthConfig<
BR>
><
STRONG>Status:</
STRONG></
A> Base<
BR>
><
STRONG>Module:</
STRONG></
A> mod_auth<
P>
Setting the AuthDBMAuthoritative directive explicitly to <
STRONG>'off'</
STRONG>
allows for both authentication and authorization to be passed on
to lower level modules (as defined in the <
CODE>Configuration</
CODE>
and <
CODE>
modules.c</
CODE> file if there is <
STRONG>no userID</
STRONG> or
<
STRONG>rule</
STRONG> matching the supplied userID. If there is a userID
and/
or rule specified; the usual password and access checks will
be applied and a failure will give an Authorization Required reply.
So if a userID appears in the database of more than one module; or
if a valid require directive applies to more than one module; then
the first module will verify the credentials; and no access is
passed on; regardless of the AuthAuthoritative setting. <
P>
A common use for this is in conjunction with one of the basic auth
Whereas this DBM module supplies the bulk of the user credential
checking; a few (administrator) related accesses fall through to
a lower level with a well protected .htpasswd file. <
P>
><
STRONG>Default:</
STRONG></
A> By default; control is not passed on; and an unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure; and forces an NSCA compliant
Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really
what you want; Generally it is easier to just secure a single
.htpasswd file, than it is to secure a database which might have
See also <
A HREF="core.html#authname">AuthName</
A>,
<
A HREF="core.html#authtype">AuthType</
A> and
<
A HREF="#authdbmgroupfile">AuthDBMGroupFile</
A>.<
P>