MySQL backend for HTTP 401 authentication

  toucheatout  2006-07-28 15:34  

This is done with the mod_auth_mysql Apache module, which answers HTTP Basic authentication (the 401 challenge) against a MySQL table instead of a flat password file.

To stay more or less with the defaults, create a dedicated database (simpler to manage; you can instead point the module at an existing user table by naming its columns, see the options below). The database is named auth here and the table mysql_auth (the module's defaults are test and user_info respectively):

create database auth;

create table mysql_auth (user_name char(25) primary key,user_passwd char(25),groups char(25));

Size user_passwd for the stored form you will select with AuthMySQLPwEncryption: 25 characters hold a traditional crypt() value (13 characters) but not an MD5 hex digest (32), a SHA1 hex digest (40) or a MySQL 4.1+ PASSWORD() value (41). A too-narrow CHAR column silently truncates the hash in non-strict mode and every login then fails. Note also that groups is a reserved word from MySQL 8.0 on, so quote it with backticks or pick another column name there.

MySQL basic directives for use with Apache 401 authentication

Tell Apache where the MySQL database lives. One naming of the directives is:

Auth_MySQL_Info [host] [user] [password]
and
Auth_MySQL_General_DB auth

The equivalent in the AuthMySQL* naming used in the option list below is AuthMySQLHost, AuthMySQLUser and AuthMySQLPassword plus AuthMySQLDB. Which names your build accepts depends on the version of the module, so use one set consistently: Apache refuses to start on an unknown directive in the main configuration, and an unknown directive in a .htaccess file makes every request under it fail with a 500 ("Invalid command" in the error log).

These go in a <VirtualHost> or <Directory> block or in a .htaccess file (see the sample below). Because the MySQL password is written there in clear text, prefer the server configuration, readable only by root, over a .htaccess file in the document tree, and keep the stock <Files ".ht*"> deny block so Apache never serves such files.

Minimum directives apart from the MySQL-related ones

AuthName MyAuth
AuthType Basic

Then a require directive, which can target a user (require user ...), groups (require group ...) or any authenticated user (require valid-user). Basic authentication sends the user name and password base64-encoded, not encrypted, with every request, so serve the protected resource over HTTPS.

A sample .htaccess file including everything and requiring users to be members of the group "aGroup" (host, user and password for MySQL are assumed to be set in the server configuration; note that this sample mixes the underscore and non-underscore spellings of some directives, whereas the option list below uses the AuthMySQL* form):

AuthMYSQLEnable on
AuthMySQLDB auth
AuthMySQLPassword_Table mysql_auth
AuthMySQLGroupTable mysql_auth
AuthMySQLGroupField groups
AuthMySQLAuthoritative on
AuthMySQLEmpty_Passwords off
AuthMySQLPwEncryption crypt

AuthName "My auth name"
AuthType Basic

require group aGroup
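The following Python is an added example, not code from this post or from mod_auth_mysql, modelling what the module does with the table and directives above: decode the Basic Authorization header, look the user up by AuthMySQLNameField (with any AuthMySQLUserCondition spliced in after AND), compare the password in the form AuthMySQLPwEncryption dictates, and answer require group from AuthMySQLGroupField. SQLite in memory stands in for MySQL so it runs offline; the rows are constructed test data, the query shape and the handling of AuthMySQLNoPasswd are assumptions taken from the directive descriptions below rather than from the module's source, and the md5/sha1 formats are assumed to be the lower-case hex digests MySQL's MD5() and SHA1() produce (crypt, scrambled and aes are left out because they need the C library the module links against).

```python
import base64
import hashlib
import hmac
import sqlite3

# Directive values taken from the sample .htaccess above, spelled as in the
# option list; the user condition is empty there, so nothing extra is spliced in.
CONFIG = {
    "AuthMySQLUserTable": "mysql_auth",
    "AuthMySQLNameField": "user_name",
    "AuthMySQLPasswordField": "user_passwd",
    "AuthMySQLUserCondition": "",
    "AuthMySQLGroupTable": "mysql_auth",
    "AuthMySQLGroupField": "groups",
    "AuthMySQLPwEncryption": "sha1",
    "AuthMySQLNoPasswd": False,      # AuthMySQLEmpty_Passwords off
}


def stored_form(password, enc):
    """What the password column must hold under AuthMySQLPwEncryption=enc.
    md5/sha1 are assumed to be the lower-case hex digests of MySQL's MD5()/SHA1();
    crypt, scrambled and aes are not modelled here."""
    if enc == "none":
        return password
    if enc == "md5":
        return hashlib.md5(password.encode("utf-8")).hexdigest()   # 32 chars
    if enc == "sha1":
        return hashlib.sha1(password.encode("utf-8")).hexdigest()  # 40 chars
    raise NotImplementedError(enc)


def build_db(enc):
    """Constructed stand-in for the 'auth' database.  COLLATE NOCASE mirrors
    MySQL's case-insensitive comparison on a CHAR (non-binary) name column."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE mysql_auth (user_name TEXT COLLATE NOCASE PRIMARY KEY,"
               " user_passwd TEXT, groups TEXT)")
    rows = [("alice", stored_form("correct horse", enc), "aGroup"),
            ("bob", stored_form("hunter2", enc), "other"),
            ("svc", "", "aGroup")]     # empty password on purpose
    db.executemany("INSERT INTO mysql_auth VALUES (?, ?, ?)", rows)
    return db


def parse_basic(header):
    """'Basic <base64(user:pass)>' -> (user, password), or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def authenticate(db, cfg, header):
    """Return the submitted user name if the credentials check out, else None."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    if password == "" and not cfg["AuthMySQLNoPasswd"]:
        return None                          # Empty_Passwords off
    # Table and column names come from directives; the user name is a bound
    # parameter; UserCondition is appended verbatim after AND (as the option
    # text says), so it must be SQL the administrator trusts.
    sql = "SELECT {pw} FROM {tbl} WHERE {name} = ?".format(
        pw=cfg["AuthMySQLPasswordField"], tbl=cfg["AuthMySQLUserTable"],
        name=cfg["AuthMySQLNameField"])
    if cfg["AuthMySQLUserCondition"]:
        sql += " AND " + cfg["AuthMySQLUserCondition"]
    row = db.execute(sql, (user,)).fetchone()
    if row is None:
        return None
    if cfg["AuthMySQLNoPasswd"]:
        return user          # assumed reading of "no password is required"
    expected = stored_form(password, cfg["AuthMySQLPwEncryption"])
    stored = row[0] or ""
    return user if hmac.compare_digest(expected.encode(), stored.encode()) else None


def in_group(db, cfg, user, required):
    """'require group X': access if any group-field row for the user equals X."""
    sql = "SELECT {grp} FROM {tbl} WHERE {name} = ?".format(
        grp=cfg["AuthMySQLGroupField"], tbl=cfg["AuthMySQLGroupTable"],
        name=cfg["AuthMySQLNameField"])
    return any(r[0] == required for r in db.execute(sql, (user,)))


def basic_header(user, password):
    """Build the header a browser sends after the 401 challenge."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    db = build_db(CONFIG["AuthMySQLPwEncryption"])
    who = authenticate(db, CONFIG, basic_header("alice", "correct horse"))
    print(who, in_group(db, CONFIG, who, "aGroup"))
```

With AuthMySQLPwEncryption set to sha1 this accepts alice with the right password, accepts Alice as well because the name column compares case-insensitively like a MySQL CHAR column, rejects a password with the wrong case and an empty password, and grants aGroup to alice but not to bob.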

Asking for more

Quick list of options, with their defaults where one exists. A fuller description is available at modauthmysql.sourceforge.net/CONFIGURE:

AuthMySQLEnable On
AuthMySQLHost localhost
AuthMySQLPort
AuthMySQLSocket
AuthMySQLUser
AuthMySQLPassword
AuthMySQLDB test
AuthMySQLUserTable user_info
AuthMySQLUserCondition
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLNoPasswd Off
AuthMySQLPwEncryption crypt
AuthMySQLSaltField <>
AuthMySQLGroupTable
AuthMySQLGroupCondition
AuthMySQLGroupField
AuthMySQLKeepAlive Off
AuthMySQLAuthoritative On
AuthMySQLCharacterSet

AuthMySQLEnable On | Off
Whether or not mod_auth_mysql should attempt to authorize the user.
Off: No authorization will be done by this module
On: Attempt to authorize the user

AuthMySQLHost localhost | host_name_or_ip_address
Identifies the MySQL host.

AuthMySQLPort tcp/ip_port_number
The tcp/ip port which should be used to access MySQL. MySQL normally uses
port 3306, but this can be changed in the MySQL configuration. See the MySQL
documentation for more details.

AuthMySQLSocket full_path_to_socket_file
The UNIX socket which should be used to access MySQL host "localhost" on a
UNIX system. The default is /tmp/mysql.sock, but this can be changed in the
MySQL configuration. See the MySQL documentation for more details.

AuthMySQLUser userid
The userid to be used to access MySQL. This user must have SELECT access to
the appropriate tables. As the password must be in plain text (see
AuthMySQLPassword below), it is recommended you use a userid with limited
privileges (do NOT use "root"!).

AuthMySQLPassword password
The password for the userid specified in AuthMySQLUser. And, as the password
must be in plain text, it is recommended you use a userid with limited
privileges (do NOT use "root"!): grant it SELECT on the authentication
tables only.

AuthMySQLDB database_name
The name of the MySQL database containing the authorization information. On
systems with case sensitive file systems (e.g. Unix), this field is case
sensitive.

AuthMySQLUserTable mysql_table_name
The name of the MySQL table in AuthMySQLDB which contains the userids and
passwords. On systems with case sensitive file systems (e.g. Unix), this
field is case sensitive.

If this field contains two or more table names, you will need to join the
tables in the AuthMySQLUserCondition (below).

AuthMySQLUserCondition
Additional conditions to be placed in the WHERE clause when retrieving user
information. Whatever is in this string is appended after an AND condition
in the SQL statement.

If two or more tables have been specified in the AuthMySQLUserTable option
above, this option must contain the information required to join the tables.

AuthMySQLNameField mysql_column_name
The name of the column in AuthMySQLUserTable which contains the userids to be
authenticated. The column must contain unique, non-empty field values. Its
length is however long you want it to be. This value is case sensitive.

Values in this field are case sensitive ONLY if you define the column as
binary data (i.e. BINARY, VARBINARY, etc.). It is NOT case sensitive if the
column is defined with character data (i.e. CHAR, VARCHAR). See the MySQL
documentation for more information.

AuthMySQLPasswordField mysql_column_name
The name of the column in AuthMySQLUserTable which contains the passwords.
This value is case sensitive. Its length may be as long as you want it to
be for plaintext passwords. If the password is encrypted, the field must be
long enough to contain the encrypted data. See AuthMySQLPwEncryption below.

Passwords values are case sensitive.

AuthMySQLNoPasswd On | Off
Off (the default): a password must be supplied and must match.
On: no password is required for this resource.

AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1
The encryption type used for the passwords in AuthMySQLPasswordField:
none: not encrypted (plain text)
crypt: UNIX crypt() encryption
scrambled: MySQL PASSWORD encryption
md5: MD5 hashing
aes: Advanced Encryption Standard (AES) encryption
sha1: Secure Hash Algorithm (SHA1)

Of these, only aes is reversible encryption; crypt, scrambled, md5 and sha1
are one-way hashes. md5 and sha1 are stored as unsalted hex digests and
scrambled is unsalted too, so if the table leaks they are cheap to crack
offline; crypt is salted, but traditional DES crypt uses only the first eight
characters of the password. none keeps the password in clear.

WARNING: When using aes encryption, the password field MUST be a BLOB type
(i.e. TINYBLOB). MySQL will strip trailing x'20' characters (blanks), EVEN
IF THE COLUMN TYPE IS BINARY!

AuthMySQLSaltField <> | <string> | mysql_column_name

Contains information on the salt field to be used for the crypt and aes
encryption methods. It can contain one of the following:
<>: the password itself is the salt field (use with crypt() only)
<string>: "string" is used as the salt
mysql_column_name: the salt is taken from the mysql_column_name column in the
same row as the password

This field is required for aes encryption, optional for crypt encryption.
It is ignored for all other encryption types.

AuthMySQLGroupTable
Contains the name of the table with the group information when authorizing by
groups (Apache option require group).

As with the AuthMySQLUserTable, you can specify two or more tables in this
option, in which case you will need to join the tables in the
AuthMySQLGroupCondition below.

AuthMySQLGroupCondition
Additional conditions to be placed in the WHERE clause when retrieving group
information. Whatever is in this string is appended after an AND condition
in the SQL statement.

If two or more tables have been specified in the AuthMySQLGroupTable option
above, this option must contain the information required to join the tables.

AuthMySQLGroupField
This option contains the name of the column containing the group information
when Apache group authorization is required. Values in the Apache require group
option will be matched against the retrieved rows.
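As an added example (not code from this post or from mod_auth_mysql) of the two-table form described above, the Python below keeps accounts, passwords and group memberships in separate tables and puts the join in AuthMySQLUserCondition and AuthMySQLGroupCondition. SQLite in memory stands in for MySQL and all tables and rows are constructed; the exact SQL the module emits is not shown on the page, so the query shape (every listed table in FROM, the user name bound as a parameter, the condition appended after AND) is an assumption taken from the descriptions above. It also shows what happens when the join condition is left out: the user query degenerates into a cross product and returns one password row per row of the second table.

```python
import sqlite3

# Directive values for the two-table form (constructed for this example).
# The join between the tables lives in the *Condition directives, which is
# where the option descriptions above say it must go.
CFG = {
    "AuthMySQLUserTable": "accounts, credentials",
    "AuthMySQLNameField": "accounts.login",
    "AuthMySQLPasswordField": "credentials.pw",
    "AuthMySQLUserCondition": "credentials.account_id = accounts.id AND accounts.enabled = 1",
    "AuthMySQLGroupTable": "accounts, memberships",
    "AuthMySQLGroupField": "memberships.grp",
    "AuthMySQLGroupCondition": "memberships.account_id = accounts.id",
}


def build_db():
    """Constructed stand-in data: an accounts table, a separate password table
    and a one-row-per-membership group table (SQLite in memory, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, login TEXT UNIQUE, enabled INTEGER);
        CREATE TABLE credentials (account_id INTEGER, pw TEXT);
        CREATE TABLE memberships (account_id INTEGER, grp TEXT);
        INSERT INTO accounts VALUES (1, 'alice', 1), (2, 'mallory', 0);
        INSERT INTO credentials VALUES (1, 'hash-a'), (2, 'hash-m');
        INSERT INTO memberships VALUES (1, 'aGroup'), (1, 'staff'), (2, 'aGroup');
    """)
    return db


def lookup_sql(field, tables, name_field, condition):
    """Assumed query shape: FROM lists every table named in the directive, the
    user name is a bound parameter, and the condition directive (if any) is
    appended verbatim after AND."""
    sql = f"SELECT {field} FROM {tables} WHERE {name_field} = ?"
    if condition:
        sql += " AND " + condition
    return sql


def password_rows(db, cfg, user):
    """Every password value the user query returns.  With a correct join
    condition this is exactly one row; without one it is a cross product."""
    sql = lookup_sql(cfg["AuthMySQLPasswordField"], cfg["AuthMySQLUserTable"],
                     cfg["AuthMySQLNameField"], cfg["AuthMySQLUserCondition"])
    return [r[0] for r in db.execute(sql, (user,))]


def groups_for(db, cfg, user):
    """The group values that 'require group' is matched against, sorted."""
    sql = lookup_sql(cfg["AuthMySQLGroupField"], cfg["AuthMySQLGroupTable"],
                     cfg["AuthMySQLNameField"], cfg["AuthMySQLGroupCondition"])
    return sorted(r[0] for r in db.execute(sql, (user,)))


if __name__ == "__main__":
    db = build_db()
    print(password_rows(db, CFG, "alice"), groups_for(db, CFG, "alice"))
    # Same lookup with the join condition removed: two rows come back.
    print(password_rows(db, dict(CFG, AuthMySQLUserCondition=""), "alice"))
```

With the join in place alice yields a single password row and the groups aGroup and staff, while the disabled mallory yields no password row at all because the extra "accounts.enabled = 1" clause rides along in the same condition; with the condition blanked out, alice gets both stored passwords back, which is the failure the option text warns about.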

AuthMySQLKeepAlive
Indicates whether to keep the connection to MySQL open or close it after each
request. Keeping the connection open can improve performance at the cost of
the resources necessary to maintain the connection. If this is Off, the connection
will be closed after each request.

Currently, only one connection to the server can have AuthMySQLKeepAlive on.

Note: This parameter currently does not work with Apache 2.x and is ignored.
We are aware of the bug.

AuthMySQLAuthoritative
Used to indicate if other modules should be called when mod_auth_mysql is not
able to authorize the user. If this is On, no other modules will be called
and the request will fail. If this is off, Apache will attempt to use
mod_auth and/or any other active modules to authorize the user.

AuthMySQLCharacterSet
Used to override the default character set for the connection. This
parameter must specify a valid character set in MySQL. It is generally
required only in MySQL 4.1 and above, where the character set encoding
of the tables being used is different from the default specified in
the MySQL configuration.
