<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<META NAME="GENERATOR" CONTENT="Mozilla/4.05 [en] (X11; I; Linux 2.0.34 i686) [Netscape]">
<TITLE>Module mod_auth_pg95</TITLE>
</HEAD>
<BODY>
<H1>
Module mod_auth_pgsql</H1>
<H2>
PostgreSQL Authentication</H2>
This module allows user authentication against information stored in a
<A HREF="http://www.postgreSQL.org/">PostgreSQL</A> database. PostgreSQL
is a public domain SQL database.
<P>The module uses one database and one (or two) tables. One table holds the username
and the <B>encrypted</B> password. The other table holds the username and
the names of the groups to which the user belongs. It is possible to have
username, groupname and password in the same table.
<P>
This page documents version 0.7 (November 1998)
of mod_auth_pgsql.c, which requires Apache 1.3.3 and PostgreSQL 6.4.
<P> </P>
<P><A href="#example">Example</A> | <A href="#notes">Technical Notes</A>
| <A href="#compile">Compilation Notes</A> | <A href="#utility">Utility
Program</A>
<H2>
Directives</H2>
<UL>
<LI>
<A href="#host">Auth_PGhost</A>
<LI>
<A href="#port">Auth_PGport</A>
<LI>
<A href="#options">Auth_PGoptions</A>
<LI>
<A href="#database">Auth_PGdatabase</A>
<LI>
<A href="#pwd_table">Auth_PGpwd_table</A>
<LI>
<A href="#grp_table">Auth_PGgrp_table</A>
<LI>
<A href="#uid_field">Auth_PGuid_field</A>
<LI>
<A href="#pwd_field">Auth_PGpwd_field</A>
<LI>
<A href="#gid_field">Auth_PGgid_field</A>
<LI>
<A href="#nopasswd">Auth_PG_nopasswd</A>
<LI>
<A href="#authorative">Auth_PG_authorative</A> and <A href="#authorative">Auth_PG_authoratative</A>
<LI>
<A href="#encrypted">Auth_PG_encrypted</A>
<LI>
<A href="#pwd_whereclause">Auth_PGpwd_whereclause</A>
<LI>
<A href="#grp_whereclause">Auth_PGgrp_whereclause</A></LI>
</UL>
<HR>
<H2>
<A NAME="host"></A>Auth_PGhost</H2>
<B>Syntax:</B> Auth_PGhost <I>hostname</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the host on which the <B>postmaster</B> is running.
<H2>
<A NAME="port"></A>Auth_PGport</H2>
<B>Syntax:</B> Auth_PGport <I>port number</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the TCP/IP port number at which the <B>postmaster</B> can
be found.
<H2>
<A NAME="options"></A>Auth_PGoptions</H2>
<B>Syntax:</B> Auth_PGoptions <I>option string</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies an option string to be passed to the postgres95 backend process.
Refer to the Postgres95 user manual for a description of the available
options.
<H2>
<A NAME="database"></A>Auth_PGdatabase</H2>
<B>Syntax:</B> Auth_PGdatabase <I>database name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the name of the database that stores the authentication information.
<H2>
<A NAME="pwd_table"></A>Auth_PGpwd_table</H2>
<B>Syntax:</B> Auth_PGpwd_table <I>relation name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Gives the name of the relation which contains the username and password
information.
<H2>
<A NAME="grp_table"></A>Auth_PGgrp_table</H2>
<B>Syntax:</B> Auth_PGgrp_table <I>relation name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Gives the name of the relation which contains the username and group
information. This can be the same table specified with Auth_PGpwd_table.
This directive is only necessary if you want to authenticate by user groups.
<H2>
<A NAME="uid_field"></A>Auth_PGuid_field</H2>
<B>Syntax:</B> Auth_PGuid_field <I>attribute name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the attribute name of the field containing the user name in
the Auth_PGpwd_table relation.
<H2>
<A NAME="pwd_field"></A>Auth_PGpwd_field</H2>
<B>Syntax:</B> Auth_PGpwd_field <I>attribute name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the attribute name of the field containing the encrypted password
in the Auth_PGpwd_table relation.
<H2>
<A NAME="gid_field"></A>Auth_PGgid_field</H2>
<B>Syntax:</B> Auth_PGgid_field <I>attribute name</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Specifies the attribute name of the field containing the group name
in the Auth_PGgrp_table relation. This directive is only necessary if you
want to authenticate by user groups.
<H2>
<A NAME="nopasswd"></A>Auth_PG_nopasswd</H2>
<B>Syntax:</B> Auth_PG_nopasswd <I>on</I> or <I>off</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>This option is off by default. Turning it on will cause a user to be
validated when their password field is empty. The password entered will
be ignored. Exercise caution when turning this on.
<H2>
<A NAME="authorative"></A>Auth_PG_authorative and Auth_PG_authoratative</H2>
<B>Syntax:</B> Auth_PG_authorative <I>on</I> or <I>off</I>
<BR><B>Syntax:</B> Auth_PG_authoratative <I>on</I> or <I>off</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>This option is on by default. Turning it off will cause low-level errors,
such as a user not being found or a simple configuration error, to fall through
to other authentication directives which may be defined for this area.
For example, if a parent directory has another authorization scheme and
a user name is not found for the Postgres95 scheme, the parent directory
scheme will be given the chance to try and authenticate the user. Exercise
caution when turning this option off. It can be a security risk.
<H2>
<A NAME="encrypted"></A>Auth_PG_encrypted</H2>
<B>Syntax:</B> Auth_PG_encrypted <I>on</I> or <I>off</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>Defaults to on. Controls whether this module expects passwords in the
database to be encrypted or not. When turned off, you can use unencrypted
passwords in your database. Exercise caution when deciding to turn this
off!
<H2>
<A NAME="pwd_whereclause"></A>Auth_PGpwd_whereclause</H2>
<B>Syntax:</B> Auth_PGpwd_whereclause <I>SQL fragment</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>This option allows you to exercise greater control over the SQL code
used to retrieve the user name and password from the database. You can
use this to search for the username using more attributes in the table
than the pwd_field.
<P>The basic SQL statement used to retrieve a user's password for checking
looks like this:
<UL>select <I>&lt;pwd_field&gt;</I> from <I>&lt;pwd_table&gt;</I> where <I>&lt;uid_field&gt;</I>='<I>&lt;remote_user&gt;</I>'</UL>
<P>The pwd_whereclause will be added to the end of this statement and must fit
logically. <EM>The where clause must be double quoted.</EM></P>
<P> </P>
<H2>
<A NAME="grp_whereclause"></A>Auth_PGgrp_whereclause</H2>
<B>Syntax:</B> Auth_PGgrp_whereclause <I>SQL fragment</I>
<BR><B>Context:</B> directory, .htaccess
<BR><B>Override:</B> AuthConfig
<BR><B>Status:</B> Extension
<P>This option allows you to exercise greater control over the SQL code
used to retrieve the group name and corresponding user from the database.
You can use this to search for the group name using more attributes in
the table than the gid_field.
<P>The basic SQL statement used to retrieve a group name and user name
for checking looks like this:
<UL>select <I>&lt;uid_field&gt;</I> from <I>&lt;grp_table&gt;</I> where <I>&lt;gid_field&gt;</I>='<I>&lt;required
group&gt;</I>'</UL>
<P>The grp_whereclause will be added to the end of this
statement and must fit logically. <EM>The where clause must be double
quoted.</EM></P>
<HR>
<H2>
<A NAME="example"></A>Example</H2>
Here is an example <B>.htaccess</B> file you might use to enable Postgres95
authentication:
<PRE>Auth_PGhost localhost
Auth_PGport 5432
Auth_PGdatabase www
Auth_PGpwd_table valid_users
Auth_PGuid_field user
Auth_PGpwd_field password
AuthName "My Postgres95 Authenticator"
AuthType basic
&lt;LIMIT GET POST&gt;
require valid-user
&lt;/LIMIT&gt;</PRE>
<H2>
<A NAME="notes"></A>Technical Notes</H2>
<UL>
<LI>
If the SQL statement used to retrieve the user or group
name returns more than one tuple, it is considered an error. If this is likely
to happen, use Auth_PGpwd_whereclause and Auth_PGgrp_whereclause to create a
query that will only return one tuple.</LI>
</UL>
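<P>Added example, not part of the module or its original documentation: a Python model of the password lookup described under Auth_PGpwd_whereclause and in the note above, using sqlite3 in place of PostgreSQL and SHA-256 as a stand-in for the stored password encryption. It shows a where clause narrowing a two-tuple result to one, and how Auth_PG_nopasswd and Auth_PG_authorative change the outcome; the status labels, the sample rows and the <CODE>active</CODE> column are assumptions.</P>

```python
import hashlib
import hmac
import sqlite3

OK, DENIED, DECLINED = "OK", "AUTH_REQUIRED", "DECLINED"  # labels for this model

def digest(pw):
    # Stand-in for the module's password encryption, so the model runs anywhere.
    return hashlib.sha256(pw.encode()).hexdigest()

def build_pwd_query(cfg):
    # Base statement from the page, then Auth_PGpwd_whereclause appended verbatim.
    # The user name is bound as a parameter here (a choice made in this model).
    sql = "select {pwd_field} from {pwd_table} where {uid_field}=?".format(**cfg)
    if cfg.get("pwd_whereclause"):
        sql += " " + cfg["pwd_whereclause"]
    return sql

def check_user(db, cfg, user, sent_pw):
    # Auth_PG_authorative off: lookup errors fall through to other schemes.
    lookup_error = DENIED if cfg.get("authoritative", True) else DECLINED
    rows = db.execute(build_pwd_query(cfg), (user,)).fetchall()
    if len(rows) != 1:  # user not found, or more than one tuple returned
        return lookup_error
    stored = rows[0][0] or ""
    if stored == "" and cfg.get("nopasswd", False):
        return OK  # Auth_PG_nopasswd on: the entered password is ignored
    return OK if hmac.compare_digest(digest(sent_pw), stored) else DENIED

def demo_db():
    # Constructed sample data: alice has a stale and a current row,
    # guest has an empty password field.
    db = sqlite3.connect(":memory:")
    db.execute("create table valid_users (user text, password text, active int)")
    db.executemany("insert into valid_users values (?, ?, ?)", [
        ("alice", digest("old-secret"), 0),
        ("alice", digest("s3cret"), 1),
        ("guest", "", 1),
    ])
    return db

BASE = {"pwd_table": "valid_users", "uid_field": "user", "pwd_field": "password"}

if __name__ == "__main__":
    db = demo_db()
    narrowed = dict(BASE, pwd_whereclause="and active=1")
    print(check_user(db, BASE, "alice", "s3cret"))      # two tuples: error
    print(check_user(db, narrowed, "alice", "s3cret"))  # one tuple: checked
    print(check_user(db, dict(BASE, nopasswd=True), "guest", "anything"))
```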
<H2>
<A NAME="compile"></A>Compilation Notes</H2>
<b>Using APACI configure script</b>
<ul>
<li>check the library location in
<STRONG>auth_pgsql/Makefile.tmpl</STRONG>
<li>copy the dir <b>auth_pgsql</b> under <b>src/modules</b> in the apache tree
<li>add <b>--activate-module=src/modules/auth_pgsql/mod_auth_pgsql.c</b> to your
apache <STRONG>configure</STRONG> command line
<li>make & install as usual<br></li>
</ul>
<b>By hand</b><br>
In order to compile this module into your server, you will require an installed
PostgreSQL library. This is typically located in /usr/local/pgsql.
You will need to add the following things to your <I>Configuration</I> file:
<UL>
<LI>
To CFLAGS add <B>-I/usr/local/pgsql/include</B>
<LI>
To LFLAGS add <B>-L/usr/local/pgsql/lib</B>
<LI>
To EXTRA_LIBS add <B>-lpq</B>
<LI>
Apache 1.3: Use configure
--add-module=/path/mod_auth_pgsql.c
<LI>
Apache 1.2: Add this line to the modules list:
<UL><B>Module pg95_auth_module mod_auth_pg95.o</B>
</UL></LI>
</UL></LI>
</BODY>
</HTML>