mod_auth_msql.cfile and is compiled in by default. It allows access control using the public domain mSQL database
ftp://ftp.bond.edu.au/pub/Minerva/msql, a fast but limited SQL engine which can be contacted over an internal Unix domain protocol as well as over normal tcp/ip socket communication. It is only available in Apache 1.1 and later.
Full description / Example / Compile time options / RevisionHistory / Person to blame / Sourcecode
- Auth_MSQLhost < FQHN | IP Address | localhost >
localhost, it is passed to the mSQL library as a null pointer. This effectively forces it to use /dev/msql rather than the (slower) socket communication.
- Auth_MSQLdatabase < mSQL database name >
relshow [<hostname> dbase]to verify the spelling of the database name).
- Auth_MSQLpwd_table < mSQL table name >
- Auth_MSQLgrp_table < mSQL table name in the above database >
- Auth_MSQLuid_field < mSQL field name >
Auth_MSQLpwd_tableand optionally in the
- Auth_MSQLpwd_field < mSQL field name >
- Auth_MSQLgrp_field < mSQL field name >
BACKWARD_VITEKoption then the uid and pwd field names default to 'user' and 'password'. However you are strongly encouraged to always specify these values explicitly given the security issues involved.
- Auth_MSQL_nopasswd < on | off >
- Auth_MSQL_Authoritative < on | off >
- Auth_MSQL_EncryptedPasswords < on | off >
% msqladmin create www
% msql www
-> create table user_records (
-> User_id char(32) primary key,
-> Cpasswd char(32),
-> Xgroup char(32)
-> ) \g
User_idcan be as long as desired. However some of the popular web browsers truncate names at or stop the user from entering names longer than 32 characters. Furthermore the 'crypt' function on your platform might impose further limits. Also use of the
require users uid [uid..]directive in the
access.conffile where the uid's are separated by spaces can possibly prohibit the use of spaces in your usernames. Also, please note the
MAX_FIELD_LENdirective somewhere below.
To use the above, the following example could be in your
access.conf file. Also there is a more elaborate description
below this example.
localhost, it is assumed that Apache and the mSQL database run on the same (physical) machine and the faster /dev/msql communication channel will be used. Otherwise, it is the machine to contact by tcp/ip. Consult the mSQL documentation for more information.
msql.acl(access control file) of mSQL does indeed allow the effective uid of the web server read access to this database. Check the httpd.conf file for this uid.
- Auth_MSQLpwd_table user_records
- Auth_MSQLuid_field User_id
user_recordtable. If this module is compiled with the
BACKWARD_VITEKcompatibility switch, the defaults
passwordare assumed if you do not specify them. Currently the user_id field *MUST* be a primary key or one must ensure that each user only occurs once in the table. If a uid occurs twice access is denied by default; but see the
ONLY_ONCEcompiler directive for more information.
- Auth_MSQL_nopasswd off
- AuthName example mSQL realm
<limit get post head>
allow from all
valid-user; allow in any user which has a valid uid/passwd pair in the above pwd_table.
require user smith jones
require group has_paid
#define ONLY_ONCE 1
ONLY_ONCEdirective set, access is denied if the uid occurs more than once in the uid/passwd table. If you choose not to set it, the software takes the first pair returned and ignores any further pairs. The SQL statement used for this is
"select password form pwd_table where user='uid'"
this might lead to unpredictable results. For this reason as well as for performance reasons you are strongly advised to make the uid field a primary key. Use at your own peril :-)
msqlClose(). If an error occurs an attempt is made to reopen the connection for the next http request.
This has a number of very serious drawbacks
In short, use this at your own peril and only in a highly controlled and monitored environment.
#define VITEK_uid_name "user"
#define VITEK_gid_name "passwd"
khera@kciLink.com> and was subsequently distributed with some early versions of Apache. It can be obtained from
ftp://ftp.kcilink.com/pub/mod_auth_msql.c*. Older 'vitek' versions had the field/table names compiled in. Newer versions, v.1.11 have more
access.confconfiguration options. However these where chosen not to be in line the 'ewse' version of this module. Also, the 'vitek' module does not give group control or 'empty' password control.
To get things slightly more in line this version (0.9) should be backward compatible with the 'vitek' module by:
If this troubles you, remove the 'BACKWARD_VITEK' define.
#define MAX_FIELD_LEN (64)
#define MAX_QUERY_LEN (32+24+MAX_FIELD_LEN*2+3*MSQL_FIELD_NAME_LEN+1*MSQL_TABLE_NAME_LEN)
HUGE_STRING_LENGTH, the above two compile time directives are supplies. The
MAX_FIELD_LENcontains the maximum number of characters in your user, password and group fields. The maximum query length is derived from those values.
We only do the following two queries:
"select PWDFIELD from PWDTABEL where USERFIELD='UID'"
"select GROUPFIELD from GROUPTABLE where USERFIELD='UID' and GROUPFIELD='GID'"
This leads to the above limit for the query string. We are ignoring escaping a wee bit here assuming not more than 24 escapes.)
Auth_MSQLgrp_field' as indicated above.
hostfixed. Credits go to Rob Stout,
pallocreturn code check(s), should be backward compatible with 1.11 version of Vivek Khera
Auth_MSQL_EncryptedPasswordson/off functionality. msqlClose() statements added upon error. Support for persistent connections with the mSQL database (riscy). Escaping of ' and \. Replaced some
Dirk.vanGulik@jrc.it>. Feel free to contact me if you have any problems, ice-creams or bugs. This documentation, courtesy of Nick Himba,
http://www.apache.org. A snapshot of a development version usually resides at
http://me-www.jrc.it/~dirkx/mod_auth_msql.c. Please make sure that you always quote the version you use when filing a bug report.
Furthermore a test/demonstration suite (which assumes that you have
both mSQL and Apache compiled and installed) is avaible at the contrib