mod_auth_msql.c
file and
is compiled in by default. It allows access control using the public
domain mSQL database ftp://ftp.bond.edu.au/pub/Minerva/msql
,
a fast but limited SQL engine which can be contacted over an internal
Unix domain protocol as well as over normal TCP/IP socket
communication. It is only available in Apache 1.1 and later. Full description / Example / Compile time options / RevisionHistory / Person to blame / Sourcecode
-
Auth_MSQLhost < FQHN | IP Address | localhost >
localhost
, it is passed to the mSQL library as a null
pointer. This effectively forces it to use /dev/msql rather than the
(slower) socket communication.
-
Auth_MSQLdatabase < mSQL database name >
relshow [<hostname> dbase]
to verify the spelling of the
database name).
-
Auth_MSQLpwd_table < mSQL table name >
Auth_MSQL_Authoritative
directive below.
-
Auth_MSQLgrp_table < mSQL table name in the above database >
-
Auth_MSQLuid_field < mSQL field name >
Auth_MSQLpwd_table
and optionally in the
Auth_MSQLgrp_table
tables.
-
Auth_MSQLpwd_field < mSQL field name >
Auth_MSQLpwd_table
table.
-
Auth_MSQLgrp_field < mSQL field name >
BACKWARD_VITEK
option then
the uid and pwd field names default to 'user' and 'password'.
However you are strongly encouraged to always specify these values
explicitly given the security issues involved.
-
Auth_MSQL_nopasswd < on | off >
-
Auth_MSQL_Authoritative < on | off >
-
Auth_MSQL_EncryptedPasswords < on | off >
% msqladmin create www
% msql www
-> create table user_records (
-> User_id char(32) primary key,
-> Cpasswd char(32),
-> Xgroup char(32)
-> ) \g
query OK
-> \q
%
User_id
can be as long as desired. However some of the
popular web browsers truncate names at or stop the user from entering
names longer than 32 characters. Furthermore the 'crypt' function
on your platform might impose further limits. Also use of
the require users uid [uid..]
directive in the
access.conf
file where the uid's are separated by
spaces can possibly prohibit the use of spaces in your usernames.
Also, please note the MAX_FIELD_LEN
directive somewhere below.
To use the above, the following example could be in your
access.conf
file. Also there is a more elaborate description
below this example.
<directory /web/docs/private>
Auth_MSQLhost localhost
or
Auth_MSQLhost datab.machine.your.org
localhost
,
it is assumed that Apache and the mSQL
database run on the same (physical) machine and the faster
/dev/msql communication channel will be used. Otherwise,
it is the machine to contact by TCP/IP. Consult the mSQL
documentation for more information.
Auth_MSQLdatabase www
msql.acl
(access control file) of
mSQL does indeed allow the effective uid of the
web server read access to this database. Check the
httpd.conf file for this uid.
-
Auth_MSQLpwd_table user_records
-
Auth_MSQLuid_field User_id
Auth_MSQLpwd_field Cpasswd
user_record
table. If this module is compiled with the BACKWARD_VITEK
compatibility switch, the defaults user
and password
are
assumed if you do not specify them. Currently the user_id field
*MUST* be a primary key or one must ensure that each user only
occurs once in the table. If a uid occurs twice access is
denied by default; but see the ONLY_ONCE
compiler directive for more information.
-
Auth_MSQLgrp_table user_records
Auth_MSQLgrp_field Xgroup
-
Auth_MSQL_nopasswd off
Auth_MSQL_Authoritative on
Auth_MSQL_EncryptedPasswords on
-
AuthName example mSQL realm
AuthType basic
<limit get post head>
order deny,allow
allow from all
require valid-user
valid-user
; allow in any user which has a valid uid/passwd
pair in the above pwd_table.
require user smith jones
require group has_paid
<limit>
#define ONLY_ONCE 1
ONLY_ONCE
directive set, access is denied if the uid occurs more than once in the
uid/passwd table. If you choose not to set it, the software takes
the first pair returned and ignores any further pairs. The SQL
statement used for this is"select password form pwd_table where user='UID'"
this might lead to unpredictable results. For this reason as well as for performance reasons you are strongly advised to make the uid field a primary key. Use at your own peril :-)
#define KEEP_MSQL_CONNECTION_OPEN
msqlClose()
.
If an error occurs an attempt is made to reopen the connection for
the next http request.
This has a number of very serious drawbacks
In short, use this at your own peril and only in a highly controlled and monitored environment.
#define BACKWARD_VITEK
#define VITEK_uid_name "user"
#define VITEK_gid_name "passwd"
khera@kciLink.com
>
and was subsequently distributed with some early versions of Apache. It
can be obtained from
ftp://ftp.kcilink.com/pub/mod_auth_msql.c*
.
Older 'vitek' versions had the field/table names compiled in. Newer
versions, v.1.11 have more access.conf
configuration
options. However these where chosen not to be in line the 'ewse'
version of this module. Also, the 'vitek' module does not give group
control or 'empty' password control.
To get things slightly more in line this version (0.9) should be backward compatible with the 'vitek' module by:
Auth_MSQL_EncryptedPasswords
on/off functionality
If this troubles you, remove the 'BACKWARD_VITEK' define.
#define MAX_FIELD_LEN (64)
#define MAX_QUERY_LEN (32+24+MAX_FIELD_LEN*2+3*MSQL_FIELD_NAME_LEN+1*MSQL_TABLE_NAME_LEN)
HUGE_STRING_LENGTH
, the above two compile
time directives are supplies. The MAX_FIELD_LEN
contains the maximum number of
characters in your user, password and group fields. The maximum query length is derived
from those values.
We only do the following two queries:
"select PWDFIELD from PWDTABLE where USERFIELD='UID'"
"select GROUPFIELD from GROUPTABLE where USERFIELD='UID' and GROUPFIELD='GID'"
This leads to the above limit for the query string. We are ignoring escaping a wee bit here assuming not more than 24 escapes.)
Auth_MSQL_nopasswd
' option
Auth_MSQLgrp_field
'
as indicated above.
*host
to host
fixed. Credits
go to Rob Stout, <stout@lava.et.tudelft.nl> for
spotting this one.
palloc
return code check(s), should be
backward compatible with 1.11 version of Vivek Khera
<khera@kciLink.com> msql
module, fixed broken err msg in group control, changed
command table messages to make more sense when displayed
in that new module management tool. Added
Auth_MSQL_EncryptedPasswords
on/off functionality.
msqlClose() statements added upon error. Support for
persistent connections with the mSQL database (riscy).
Escaping of ' and \. Replaced some
MAX_STRING_LENGTH
claims.
Dirk.vanGulik@jrc.it
>.
Feel free to contact me if you have any problems, ice-creams or bugs. This
documentation, courtesy of Nick Himba,
<himba@cs.utwente.nl>
.
http://www.apache.org
. A snapshot of a development version
usually resides at
http://me-www.jrc.it/~dirkx/mod_auth_msql.c
. Please make sure
that you always quote the version you use when filing a bug report.
Furthermore a test/demonstration suite (which assumes that you have
both mSQL and Apache compiled and installed) is available at the contrib
section of
ftp://ftp.apache.org/apache/dist/contrib
or
http://me-www.jrc.it/~dirkx/apache-msql-demo.tar.gz
and
its
README
file.