Click here

Apache Guide: Apache Authentication, Part 1 Page 2

By Rich Bowen (Send Email)
Jul 24, 2000

The directives above only let one person (specifically someone with a username of rbowen) into the directory. In most cases, you'll want to let more than one person in. This is where the AuthGroupFile comes in. In the example above, we've pointed AuthGroupFile to /dev/null, which is Unix-speak for "nowhere" or "off into space." (The Windows NT equivalent of this is nul.)

If you want to let more than one person in, you'll need to create a group file that associates group names with a list of users in that group. The format of this file is pretty simple, and you can create it with your favorite editor. The contents of the file will look like this:


       GroupName: rbowen dpitts sungo rshersey





That's just a list of the members of the group in a long line separated by
spaces.




To add a user to your already existing password file, type:


       htpasswd /usr/local/apache/passwd/password dpitts





You'll get the same response as before, but it will be appended to the
existing file, rather than creating a new file. (It's the -c that
makes it create a new password file.)




Now, you need to modify your .htaccess file to look like the
following:


        AuthType Basic
        AuthName "By Invitation Only"
        AuthUserFile /usr/local/apache/passwd/passwords
        AuthGroupFile /usr/local/apache/passwd/groups
        require group GroupName





Now, anyone that is listed in the group GroupName and has an
entry in the password file, will be let in if they type the
correct password.




There's another way to let multiple users in that is less specific. Rather
than creating a group file, you can just use the following directive:


       require valid-user





Using that rather than the require user rbowen line will allow
anyone in that is listed in the password file and who correctly enters their
password. You can even emulate the group behavior here by keeping a separate
password file for each group. The advantage of this approach is that Apache
only has to check one file, rather than two. The disadvantage is that you have
to maintain a bunch of password files, and remember to reference the right one
in the AuthUserFile directive. 


Possible Problems




Because of the way that basic authentication is specified, your username and
password must be verified every time you request a document from the server.
This is even if you're reloading the same page, and for every image on the page
(if they come from a protected directory). As you can imagine, this slows
things down a little. The amount that it slows things down is proportional to
the size of the password file, because Apache must open up that file and go
down the list of users until it gets to your name. And it has to do this every
time a page is loaded.




A consequence of this is that there's a limit to how many users you can put
in one password file. I don't exactly know what that limit is, but I've
experienced problems when I've put more than about 1,500 users in one file.
People are denied access, even though you know that they have a valid
username and password. It appears that what's happening is that it just takes
too long to look up the password, and in the meantime, access is denied.




In the next article, we'll look at one possible solution to this problem. 



Managing Your Password
Files with Perl




This may seem a little random, but it looked like a good time to throw this
in.

Page 2 of 3
Previous Page   1 2 3 Next Page  


Comment and Contribute

Your name/nickname

Your email

(Maximum characters: 1200). You have characters left.