15 January 2007

[APACHE] Apache2 + MySQL Mod_Auth V2 (libapache2-mod-auth-mysql)

This post explains how to use the second version of the "MySQL Authentication" module with Apache Server 2.x.

The distribution used is Debian GNU/Linux Stable.

First, install the required packages (assuming apache2 and mysql are already installed):

# apt-get install libapache2-mod-auth-mysql

Create the table in the MySQL database:

mysql -uroot -p

mysql> create database apache_auth;

mysql> use apache_auth;

mysql> CREATE TABLE `users` (
    `login` varchar(25) NOT NULL default '',
    `passwd` varchar(25) NOT NULL default '',
    PRIMARY KEY (`login`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1;

Create a user (identified by auth_user/auth_password) with USAGE privileges on the table just created:

mysql> grant all on apache_auth.* to auth_user@localhost identified by 'auth_password';

mysql> flush privileges;

In the configuration file /etc/apache2/apache2.conf, define the directory for which the .htaccess file must be read:

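# Placeholder path: the directory path is not given in this post
<Directory /path/to/protected/directory>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride AuthConfig Options FileInfo Limit
    Order allow,deny
    Allow from all
</Directory>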

Create the .htaccess file in the corresponding directory on the filesystem and add the following lines:

AuthMYSQL on

AuthType Basic
AuthName "Autenticazione Richiesta"

AuthMySQL_User auth_user
AuthMySQL_Password auth_password
AuthMySQL_Host 127.0.0.1
AuthMySQL_Authoritative on
AuthMySQL_DB apache_auth
AuthMySQL_Password_Table users
AuthMySQL_Username_Field login
Auth_MySQL_Password_Field passwd

AuthMySQL_Empty_Passwords off
AuthMySQL_Encryption_Types Plaintext Crypt_DES

require valid-user

This way, all users defined in the "apache_auth" table will authenticate successfully in the configured directory.
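An added example, not part of the original post or of the module: a small Python check that reads an .htaccess like the one above and reports the settings that the directive list further down this page documents as weak or as unsafe defaults. The finding names and the name-matching rule are assumptions of this example.

```python
import re

def normalise(name):
    # Assumption of this example: the "Auth_MySQL_X" and "AuthMySQL_X" spellings
    # are one setting, so case and underscores are ignored when matching.
    return name.replace("_", "").lower()

def parse_htaccess(text):
    """Map each normalised directive name to its list of arguments."""
    cfg = {}
    for line in map(str.strip, text.splitlines()):
        if line and not line.startswith("#"):
            tokens = re.findall(r'"[^"]*"|\S+', line)
            cfg[normalise(tokens[0])] = [t.strip('"') for t in tokens[1:]]
    return cfg

def audit(text):
    """Return finding codes for an .htaccess that uses the MySQL auth module."""
    cfg = parse_htaccess(text)
    findings = []
    if "plaintext" in [t.lower() for t in cfg.get("authmysqlencryptiontypes", [])]:
        findings.append("plaintext-accepted")        # type listed as "Not recommended"
    if (cfg.get("authmysqlemptypasswords") or ["on"])[0].lower() != "off":
        findings.append("empty-passwords-allowed")   # documented default is 'on'
    if "authmysqlpassword" in cfg:
        findings.append("db-password-in-htaccess")   # exposed to anyone who can read the file
    if "require" not in cfg:
        findings.append("no-require")                # nothing demands a login
    return findings

# Constructed input: the .htaccess from this post, abridged to the lines checked.
POST_HTACCESS = """\
AuthMYSQL on
AuthType Basic
AuthName "Autenticazione Richiesta"
AuthMySQL_User auth_user
AuthMySQL_Password auth_password
AuthMySQL_DB apache_auth
AuthMySQL_Empty_Passwords off
AuthMySQL_Encryption_Types Plaintext Crypt_DES
require valid-user
"""
# Constructed variant: crypt()-only checking, DB password left to the server config.
TIGHTER = "\n".join(l for l in POST_HTACCESS.splitlines()
                    if not l.startswith("AuthMySQL_Password ")).replace("Plaintext Crypt_DES", "Crypt")

if __name__ == "__main__":
    print(audit(POST_HTACCESS), audit(TIGHTER))
```

For the file in this post the check reports the Plaintext type and the database password kept in the .htaccess; a file that omits AuthMySQL_Empty_Passwords is reported as accepting empty passwords, because the documented default is 'on'.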

All the available directives are described below (taken from the source package maintained by Matthew Palmer).

—- START —-

Auth_MySQL_Info

Server-wide config option to specify the database host, username,
and password used to connect to the MySQL server.

This option affects all directories which do not override it via
AuthMySQL_Host, AuthMySQL_User, and/or AuthMySQL_Password.

AuthMySQL_DefaultHost
Specifies the MySQL server to use for authentication.

This option affects all directories which do not override it via
AuthMySQL_Host.

AuthMySQL_Host
Synonym for AuthMySQL_DefaultHost, to be used in .htaccess files and
directory-specific entries.

Auth_MySQL_DefaultPort

Specifies a port to use to talk to a MySQL server. If left empty,
the default (3306) will be used.

This option affects all directories which do not override it via
Auth_MySQL_Port.

Auth_MySQL_Port

Specifies a non-default port to use (other than 3306) when talking
to the MySQL server on AuthMySQL_Host or AuthMySQL_DefaultHost.

Auth_MySQL_DefaultSocket
If using a local MySQL server, you can specify a non-default named
pipe to use instead of the default pipe name compiled into your MySQL
client library.

This option affects all directories which do not override it via
Auth_MySQL_Socket.

Auth_MySQL_Socket
If using a local MySQL server, you can specify a non-default named
pipe to use instead of the default one compiled into MySQL with this
option.

AuthMySQL_DefaultUser
Specifies the username for connection to the MySQL server.

AuthMySQL_User
Synonym for AuthMySQL_DefaultUser, to be used in .htaccess files and
directory-specific entries.

AuthMySQL_DefaultPassword

Specifies the password used together with the above user.

AuthMySQL_Password
Synonym for AuthMySQL_Password, to be used in .htaccess files and
directory-specific entries.

Auth_MySQL_General_DB
Server-wide, specifies a default database name to use.

Auth_MySQL_DB
Synonym for Auth_MySQL_General_DB, to be used in .htaccess files and
directory-specific entries.

AuthMySQL_DefaultDB
Synonym for Auth_MySQL_General_DB.

AuthMySQL_DB
Synonym for Auth_MySQL_General_DB, to be used in .htaccess files and
directory-specific entries.

AuthName “”
Describes the data you’re guarding.

AuthType
The authentication process used in the transaction. Stick with
Basic, no others work at present.

require
Specify what is considered a valid authentication. can be
either user, group, or valid-user. valid-user is the simplest -
anyone who gets the username and password right gets in. Otherwise,
the user must either have a username in the space-separated list of
identifiers (if using user) or must be a member of a group in the
list of identifiers (if using group).

Multiple require statements are allowed; if multiple require
statements are present in a configuration, then the user will be
considered authenticated if they can satisfy any of the require
statements supplied.

Auth_MySQL_Password_Table

The name of the MySQL table in the specified database which stores
username:password pairs. By default, it is ‘mysql_auth’.

AuthMySQL_Password_Table
Synonym for Auth_MySQL_Password_Table.

Auth_MySQL_Group_Table
As per …Password_Table above, stores username:group pairs.
Normally you’ll store username:password:group triplets in the one
table, but we are nothing if not flexible. Defaults to
‘mysql_auth’.

AuthMySQL_Group_Table
Synonym for Auth_MySQL_Group_Table.

Auth_MySQL_Username_Field
The name of the field which stores usernames. Defaults to
‘username’. The username/password combo specified in Auth_MySQL_Info
must have select privileges to this field in the Password and Group
tables.

AuthMySQL_Username_Field
Synonym for Auth_MySQL_Username_Field.

Auth_MySQL_Password_Field

As per …Username_Field above, but for passwords. Same MySQL
access privileges. Defaults to ‘password’.

AuthMySQL_Password_Field
Synonym for Auth_MySQL_Password_Field.

Auth_MySQL_Group_Field
As per …Username_Field above. Defaults to ‘groups’.

AuthMySQL_Group_Field
Synonym for Auth_MySQL_Group_Field.

Auth_MySQL_Group_User_Field
The name of the field in the groups table which stores the username.
Defaults to the field name specified for usernames in the passwords
table.

AuthMySQL_Group_User_Field
Synonym for Auth_MySQL_Group_User_Field.

Auth_MySQL_Password_Clause
Adds arbitrary clause to username:password matching query, for example:
" AND Allowed=1". Clause has to start with space. Default is empty.

Auth_MySQL_Group_Clause
Adds arbitrary clause to username:group matching query, for example:
" AND Allowed=1". Clause has to start with space. Default is empty.

Auth_MySQL_Empty_Passwords
Whether or not to allow empty passwords. If the password field is
empty (equals to '') and this option is ‘on’, users would be able to
access the page by just specifying their username WITHOUT ANY
PASSWORD CHECKING. If this is ‘off’, they would be denied access.
Default: ‘on’.

AuthMySQL_Empty_Passwords
Synonym for Auth_MySQL_Empty_Passwords.

Auth_MySQL_Encryption_Types

Select which types of encryption to check, and in which order to
check them. It overrides the legacy Auth_MySQL_Scrambled_Passwords
and Auth_MySQL_Encrypted_Passwords directives. Multiple encryption
types may be specified, to instruct the module to check each
password in multiple encryption schemes – a useful feature for
legacy transitions. For example:

Auth_MySQL_Encryption_Types Plaintext Crypt_DES

Would instruct the module to do a direct comparison of the entered
password with the contents of the password field, and if that fails,
to do a DES crypt() check, a la Unix password handling.

The available encryption types supported at this time are:

Plaintext
Pretty self-explanatory. Not recommended.

Crypt_DES
Check the password via the standard Unix crypt() call, using
DES hashing.

Crypt_MD5
Check the password via the standard Unix crypt() call, using
an MD5 hash.

Crypt
Check the password via the standard Unix crypt() call,
without preference for the hashing scheme employed. This is
the generally preferred means of checking crypt()ed
passwords, because it allows you to use other schemes which
may be available on your system, such as blowfish.

PHP_MD5
Compares with an MD5 hash, encoded in the way that PHP and
MySQL handle MD5 hashes – 32 character hex code, with
lowercase letters.

SHA1Sum
Compares with a SHA1 hash, encoded the way that MySQL, PHP,
and the sha1sum command produce their output (a 40 character
lowercase hex representation).

MySQL
The hashing scheme used by the MySQL PASSWORD() function.

AuthMySQL_Encryption_Types
Synonym for Auth_MySQL_Encryption_Types.

Auth_MySQL_Encrypted_Passwords (DEPRECATED)
Equivalent to: Auth_MySQL_Encryption_Types Crypt_DES
Only used if …Encryption_Types is not set. Defaults to ‘on’. If
both this option and …Scrambled_Passwords are ‘off’ and
…Encryption_Types is not set, passwords are expected to be in
plaintext.

AuthMySQL_Encrypted_Passwords (DEPRECATED)
Synonym for Auth_MySQL_Encrypted_Passwords.

Auth_MySQL_Scrambled_Passwords (DEPRECATED)
Equivalent to: Auth_MySQL_Encryption_Types MySQL
The same restrictions apply to this directive as to
…Encrypted_Passwords.

AuthMySQL_Scrambled_Passwords (DEPRECATED)
Synonym for Auth_MySQL_Scrambled_Passwords.

Auth_MySQL_Authoritative
Whether or not to use other authentication schemes if the user is
successfully authenticated. That is, if the user passes the MySQL
authentication, they may still be rejected by a later module if this
option is set ‘off’. The default is ‘on’ (i.e. if the user passes
the MySQL module, they’re considered OK).

AuthMySQL_Authoritative
Synonym for Auth_MySQL_Authoritative.

Auth_MySQL_Non_Persistent
If set to ‘on’, the link to the MySQL server is explicitly closed
after each authentication request. Note that I can’t think of any
possible good reason to do this, unless your platform makes MySQL go
crazy when it has plenty of simultaneous threads (bad handling of
file descriptors may cause that). In my opinion, one should
increase the maximum number of simultaneous threads in MySQL and
keep this option off. Default: off, and for good reason.

AuthMySQL_Persistent
An antonym for Auth_MySQL_Non_Persistent.

AuthMySQL_AllowOverride
Whether or not .htaccess files are allowed to use their own
Host/User/Password/DB specifications. If set to ‘off’, then the
defaults specified in the httpd.conf cannot be overridden.

Auth_MYSQL
Whether or not to enable MySQL authentication. If it’s off, the
MySQL authentication will simply pass authentication off to other
modules defined.

AuthMySQL
Synonym for Auth_MYSQL.

— END —
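An added example, not from the post or from the module's package: Auth_MySQL_Encryption_Types decides what the passwd column has to hold, and the table created in this post gives that column 25 characters. The Python below lists which types fit that width and classifies stored values by shape, including a hash cut off at the column width; the sample rows are constructed.

```python
import hashlib
import re

COLUMN_WIDTH = 25  # `passwd` varchar(25) in the table created in this post

# Shape and maximum stored length per encryption type. The PHP_MD5 and SHA1Sum
# lengths come from the directive list; the crypt() and PASSWORD() shapes are
# the usual output formats of those functions (assumed here, not from the post).
FORMATS = {
    "Crypt_DES": (r"[./0-9A-Za-z]{13}", 13),
    "Crypt_MD5": (r"\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}", 34),
    "PHP_MD5": (r"[0-9a-f]{32}", 32),
    "SHA1Sum": (r"[0-9a-f]{40}", 40),
    "MySQL": (r"\*[0-9A-F]{40}|[0-9a-f]{16}", 41),
}

def make_hash(scheme, password):
    """Produce the stored form for the two plain-digest types."""
    algo = {"PHP_MD5": hashlib.md5, "SHA1Sum": hashlib.sha1}[scheme]
    return algo(password.encode()).hexdigest()

def schemes_that_fit(width=COLUMN_WIDTH):
    """Encryption types whose stored form fits the column without truncation."""
    return sorted(s for s, (_, size) in FORMATS.items() if size <= width)

def classify(stored, width=COLUMN_WIDTH):
    """Guess what a stored value is from its shape."""
    matches = [s for s, (pat, _) in FORMATS.items() if re.fullmatch(pat, stored)]
    if matches:
        return matches
    if len(stored) == width and re.fullmatch(r"[0-9a-f]+|\$1\$.*", stored):
        return ["truncated hash"]  # cut to the column width; can never match
    return ["Plaintext"]

# Constructed rows (login, passwd) as they would sit in a varchar(25) column.
ROWS = [
    ("alice", "abJnggxhB/yWI"),                                # 13-char DES crypt() shape
    ("bob", "letmein"),                                        # stored in clear
    ("carol", make_hash("SHA1Sum", "s3cret")[:COLUMN_WIDTH]),  # truncated on insert
]

def audit_rows(rows=ROWS):
    """Map each login to the guessed format(s) of its stored password."""
    return {login: classify(stored) for login, stored in rows}

if __name__ == "__main__":
    print(schemes_that_fit(), audit_rows())
```

With the 25-character column only the Crypt_DES form fits; moving to Crypt_MD5, PHP_MD5, SHA1Sum or MySQL means widening passwd first, otherwise the stored value is cut short and the comparison fails for every login.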
