File: mod_auth_dbm.html

package info (click to toggle)
apache 1.3.0-5
links: PTS
area: main
in suites: hamm
size: 6,488 kB
ctags: 6,702
sloc: ansic: 47,562; sh: 3,221; makefile: 1,382; perl: 1,346; cpp: 55
file content (224 lines) | stat: -rw-r--r-- 7,827 bytes
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<TITLE>Apache module mod_auth_dbm</TITLE>
</HEAD>

<!-- Background white, links blue (unvisited), navy (visited), red (active) -->
<BODY
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#000080"
 ALINK="#FF0000"
>
<DIV ALIGN="CENTER">
 <IMG SRC="../images/sub.gif" ALT="[APACHE DOCUMENTATION]">
 <H3>
  Apache HTTP Server Version 1.3
 </H3>
</DIV>


<H1 ALIGN="CENTER">Module mod_auth_dbm</H1>

This module is contained in the <CODE>mod_auth_dbm.c</CODE> file, and
is not compiled in by default. It provides for user authentication using
DBM files.


<MENU>
<LI><A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>
<LI><A HREF="#authdbmuserfile">AuthDBMUserFile</A>
<LI><A HREF="#authdbmauthoritative">AuthDBMAuthoritative</A>
</MENU>
<HR>


<H2><A NAME="authdbmgroupfile">AuthDbmGroupFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthDbmGroupFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthDBMGroupFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Extension<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth_dbm<P>

The AuthDBMGroupFile directive sets the name of a DBM file containing the list
of user groups for user authentication. <EM>Filename</EM> is the absolute path
to the group file.<P>

The group file is keyed on the username. The value for a user is a
comma-separated list of the groups to which the users belongs. There must
be no whitespace within the value, and it must never contain any colons.<P>

Security: make sure that the AuthDBMGroupFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMGroupFile unless otherwise protected.<P>

Combining Group and Password DBM files: In some cases it is easier to
manage a single database which contains both the password and group
details for each user. This simplifies any support programs that need
to be written: they now only have to deal with writing to and locking
a single DBM file. This can be accomplished by first setting the group
and password files to point to the same DBM:<P>

<BLOCKQUOTE><CODE>
AuthDBMGroupFile /www/userbase<BR>
AuthDBMUserFile /www/userbase
</CODE></BLOCKQUOTE>

The key for the single DBM is the username. The value consists of <P>

<BLOCKQUOTE><CODE>
Unix Crypt-ed Password : List of Groups [ : (ignored) ]
</CODE></BLOCKQUOTE>

The password section contains the Unix crypt() password as before. This is
followed by a colon and the comma separated list of groups. Other data may
optionally be left in the DBM file after another colon; it is ignored by the
authentication module. This is what www.telescope.org uses for its combined
password and group database. <P>

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authdbmuserfile">AuthDBMUserFile</A>.<P><HR>

<H2><A NAME="authdbmuserfile">AuthDBMUserFile</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthDBMUserFile} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthDBMUserFile <EM>filename</EM><BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Extension<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth_dbm<P>

The AuthDBMUserFile directive sets the name of a DBM file containing the list
of users and passwords for user authentication. <EM>Filename</EM> is the
absolute path to the user file.<P>

The user file is keyed on the username. The value for a user is the
crypt() encrypted password, optionally followed by a colon and
arbitrary data.  The colon and the data following it will be ignored
by the server.<P>

Security: make sure that the AuthDBMUserFile is stored outside the
document tree of the web-server; do <EM>not</EM> put it in the directory that
it protects. Otherwise, clients will be able to download the
AuthDBMUserFile.<P>

Important compatibility note: The implementation of "dbmopen" in the
apache modules reads the string length of the hashed values from the
DBM data structures, rather than relying upon the string being
NULL-appended. Some applications, such as the Netscape web server,
rely upon the string being NULL-appended, so if you are having trouble
using DBM files interchangeably between applications this may be a
part of the problem. <P>

See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>

<HR>
<H2><A NAME="authdbmauthoritative">AuthDBMAuthoritative</A></H2>
<!--%plaintext &lt;?INDEX {\tt AuthDBMAuthoritative} directive&gt; -->
<A
 HREF="directive-dict.html#Syntax"
 REL="Help"
><STRONG>Syntax:</STRONG></A> AuthDBMAuthoritative &lt; <STRONG> on</STRONG>(default) | off &gt; <BR>
<A
 HREF="directive-dict.html#Context"
 REL="Help"
><STRONG>Context:</STRONG></A> directory, .htaccess<BR>
<A
 HREF="directive-dict.html#Override"
 REL="Help"
><STRONG>Override:</STRONG></A> AuthConfig<BR>
<A
 HREF="directive-dict.html#Status"
 REL="Help"
><STRONG>Status:</STRONG></A> Base<BR>
<A
 HREF="directive-dict.html#Module"
 REL="Help"
><STRONG>Module:</STRONG></A> mod_auth<P>

Setting the AuthDBMAuthoritative directive explicitly to <STRONG>'off'</STRONG>
allows for both authentication and authorization to be passed on
to lower level modules (as defined in the <CODE>Configuration</CODE>
and <CODE>modules.c</CODE> file if there is <STRONG>no userID</STRONG> or
<STRONG>rule</STRONG> matching the supplied userID. If there is a userID
and/or rule specified; the usual password and access checks will
be applied and a failure will give an Authorization Required reply.
<P>
So if a userID appears in the database of more than one module; or
if a valid require directive applies to more than one module; then
the first module will verify the credentials; and no access is
passed on; regardless of the AuthAuthoritative setting.  <P>

A common use for this is in conjunction with one of the basic auth
modules; such as <A HREF="mod_auth.html"><CODE>mod_auth.c</CODE></A>.
Whereas this DBM module supplies the bulk of the user credential
checking; a few (administrator) related accesses fall through to
a lower level with a well protected .htpasswd file.  <P>

<A
 HREF="directive-dict.html#Default"
 REL="Help"
><STRONG>Default:</STRONG></A> By default; control is not passed on; and an unknown
userID or rule will result in an Authorization Required reply. Not
setting it thus keeps the system secure; and forces an NSCA compliant
behaviour.  <P>

Security: Do consider the implications of allowing a user to allow
fall-through in his .htaccess file; and verify that this is really
what you want; Generally it is easier to just secure a single
.htpasswd file, than it is to secure a database which might have
more access interfaces.

<P>
See also <A HREF="core.html#authname">AuthName</A>,
<A HREF="core.html#authtype">AuthType</A> and
<A HREF="#authdbmgroupfile">AuthDBMGroupFile</A>.<P>

<HR>

<H3 ALIGN="CENTER">
 Apache HTTP Server Version 1.3
</H3>

<A HREF="./"><IMG SRC="../images/index.gif" ALT="Index"></A>
<A HREF="../"><IMG SRC="../images/home.gif" ALT="Home"></A>

</BODY>
</HTML>