mod_auth_msql.c
file and is compiled in by default. It allows access control using the public domain mSQL database ftp://ftp.bond.edu.au/pub/Minerva/msql
, a fast but limited SQL engine which can be contacted over an internal Unix domain protocol as well as over normal TCP/IP socket communication. It is only available in Apache 1.1 and later.
Full description / Example / Compile time options / RevisionHistory / Person to blame / Sourcecode
Auth_MSQLhost < FQHN | IP Address | localhost >
localhost
, it is passed to the mSQL library as a null pointer. This effectively forces it to use /dev/msql rather than the (slower) socket communication.
Auth_MSQLdatabase < mSQL database name >
relshow [<hostname> dbase]
to verify the spelling of the database name).
Auth_MSQLpwd_table < mSQL table name >
Auth_MSQL_Authoritative
directive below.
Auth_MSQLgrp_table < mSQL table name in the above database >
Auth_MSQLuid_field < mSQL field name >
Auth_MSQLpwd_table
and optionally in the Auth_MSQLgrp_table
tables.
Auth_MSQLpwd_field < mSQL field name >
Auth_MSQLpwd_table
table.
Auth_MSQLgrp_field < mSQL field name >
BACKWARD_VITEK
option then the uid and pwd field names default to 'user' and 'password'. However you are strongly encouraged to always specify these values explicitly given the security issues involved.
Auth_MSQL_nopasswd < on | off >
Auth_MSQL_Authoritative < on | off >
Auth_MSQL_EncryptedPasswords < on | off >
% msqladmin create www
% msql www
-> create table user_records (
-> User_id char(32) primary key,
-> Cpasswd char(32),
-> Xgroup char(32)
-> ) \g
query OK
-> \q
%
User_id
can be as long as desired. However some of the popular web browsers truncate names at or stop the user from entering names longer than 32 characters. Furthermore the 'crypt' function on your platform might impose further limits. Also use of the require users uid [uid..]
directive in the access.conf
file where the uid's are separated by spaces can possibly prohibit the use of spaces in your usernames. Also, please note the MAX_FIELD_LEN
directive somewhere below.
To use the above, the following example could be in your access.conf
file. Also there is a more elaborate description below this example.
<directory /web/docs/private>
Auth_MSQLhost localhost
or
Auth_MSQLhost datab.machine.your.org
localhost
, it is assumed that Apache and the mSQL database run on the same (physical) machine and the faster /dev/msql communication channel will be used. Otherwise, it is the machine to contact by TCP/IP. Consult the mSQL documentation for more information.Auth_MSQLdatabase www
msql.acl
(access control file) of mSQL does indeed allow the effective uid of the web server read access to this database. Check the httpd.conf file for this uid.
Auth_MSQLpwd_table user_records
Auth_MSQLuid_field User_id
Auth_MSQLpwd_field Cpasswd
user_record
table. If this module is compiled with the BACKWARD_VITEK
compatibility switch, the defaults user
and password
are assumed if you do not specify them. Currently the user_id field *MUST* be a primary key or one must ensure that each user only occurs once in the table. If a uid occurs twice access is denied by default; but see the ONLY_ONCE
compiler directive for more information.
Auth_MSQLgrp_table user_records
Auth_MSQLgrp_field Xgroup
Auth_MSQL_nopasswd off
Auth_MSQL_Authoritative on
Auth_MSQL_EncryptedPasswords on
AuthName example mSQL realm
AuthType basic
<limit get post head>
order deny,allow
allow from all
require valid-user
valid-user
; allow in any user which has a valid uid/passwd pair in the above pwd_table.require user smith jones
require group has_paid
<limit>
#define ONLY_ONCE 1
ONLY_ONCE
directive set, access is denied if the uid occurs more than once in the uid/passwd table. If you choose not to set it, the software takes the first pair returned and ignores any further pairs. The SQL statement used for this is"select password form pwd_table where user='UID'"
this might lead to unpredictable results. For this reason as well as for performance reasons you are strongly advised to make the uid field a primary key. Use at your own peril :-)
#define KEEP_MSQL_CONNECTION_OPEN
msqlClose()
. If an error occurs an attempt is made to reopen the connection for the next http request.
This has a number of very serious drawbacks
In short, use this at your own peril and only in a highly controlled and monitored environment.
#define BACKWARD_VITEK
#define VITEK_uid_name "user"
#define VITEK_gid_name "passwd"
ftp://ftp.kcilink.com/pub/mod_auth_msql.c*
. Older 'vitek' versions had the field/table names compiled in. Newer versions, v.1.11 have more access.conf
configuration options. However these where chosen not to be in line the 'ewse' version of this module. Also, the 'vitek' module does not give group control or 'empty' password control.
To get things slightly more in line this version (0.9) should be backward compatible with the 'vitek' module by:
Auth_MSQL_EncryptedPasswords
on/off functionalityIf this troubles you, remove the 'BACKWARD_VITEK' define.
#define MAX_FIELD_LEN (64)
#define MAX_QUERY_LEN (32+24+MAX_FIELD_LEN*2+3*MSQL_FIELD_NAME_LEN+1*MSQL_TABLE_NAME_LEN)
HUGE_STRING_LENGTH
, the above two compile time directives are supplies. The MAX_FIELD_LEN
contains the maximum number of characters in your user, password and group fields. The maximum query length is derived from those values.
We only do the following two queries:
"select PWDFIELD from PWDTABLE where USERFIELD='UID'"
"select GROUPFIELD from GROUPTABLE where USERFIELD='UID' and GROUPFIELD='GID'"
This leads to the above limit for the query string. We are ignoring escaping a wee bit here assuming not more than 24 escapes.)
Auth_MSQL_nopasswd
' optionAuth_MSQLgrp_field
' as indicated above.*host
to host
fixed. Credits go to Rob Stout, <stout@lava.et.tudelft.nl> for spotting this one.palloc
return code check(s), should be backward compatible with 1.11 version of Vivek Khera <khera@kciLink.com> msql module, fixed broken err msg in group control, changed command table messages to make more sense when displayed in that new module management tool. Added Auth_MSQL_EncryptedPasswords
on/off functionality. msqlClose() statements added upon error. Support for persistent connections with the mSQL database (riscy). Escaping of ' and \. Replaced some MAX_STRING_LENGTH
claims.http://www.apache.org
. A snapshot of a development version usually resides at http://me-www.jrc.it/~dirkx/mod_auth_msql.c
. Please make sure that you always quote the version you use when filing a bug report.
Furthermore a test/demonstration suite (which assumes that you have both mSQL and Apache compiled and installed) is available at the contrib section of ftp://ftp.apache.org/apache/dist/contrib
or http://me-www.jrc.it/~dirkx/apache-msql-demo.tar.gz
and its README
file.