Apache Guide: Apache Authentication, Part 2
In this article, I'll talk about using databases for authentication, rather than the standard text-file
There are basically three reasons to use a database, rather than a text file, to store data.
The first reason is speed. Accessing data stored in a database is much faster than accessing data stored in a text file. A database is designed for rapid location of information. With a text file, you have to read through each record until you find what you are looking for.
The second reason is ease of data retrieval. A database--at least, a decent database--provides you with a language (usually SQL) for querying the database for specific information.
The third reason is data integrity. Since a database handles a lot of things for you, which you would have to handle for yourself when using a text file, you are less likely to screw up your data, and lose information, when using a real database.
All of the above three reasons are important when selecting a method of authentication on your Apache server. If you're running a site with a very small number of user accounts, it may not be worth the hassle to try to use a database for your authentication. But, as your list of users grows, these things will become real assets.
As your list of users grows, it takes proportionately longer to find a given user in the password file. Past a certain number of people (about 2,000, in my experience) the look-up just takes too long. Users that are listed at the bottom of the file will just be denied access, because Apache gives up looking for them before it can get that far in the file.
Managing the user lists is easier also. Rather than trying to open a large text file, and scroll through it looking for a name, you can use database queries to find the user you're looking for, and change their password, or remove them, or add a new user.
If you let your users change their password, then you are at risk of corrupting your data. Consider the situation where two users try to edit their password at nearly the same time. User A loads the file into memory, changes their password, and starts to write the file back to disk. At that moment, user B loads the file into memory to look for their password. Oops. The file has not been fully written back to disk yet, so user B only gets part of the file. When they write the file back to disk, most of the users mysteriously disappear. Actually, you'll (hopefully) implement some kind of file locking to avoid this, but using a database removes the concern completely.
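The file locking mentioned above, as an added sketch that is not code from the original article: each writer takes an exclusive lock, rewrites the file into a temporary copy and renames it into place. It assumes a Unix host (fcntl), a simple user:hash line format, and hypothetical names (change_password, demo, the .lock side file); the hash strings are constructed placeholders.

```python
import fcntl
import os
import tempfile
import threading


def change_password(path, user, new_hash):
    """Replace one user's hash in a user:hash file without losing other records."""
    # Writers serialize on a side lock file; the data file itself gets replaced.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # blocks until earlier writers finish
        with open(path) as f:
            records = [line.rstrip("\n").split(":", 1) for line in f if ":" in line]
        if user not in (name for name, _ in records):
            raise KeyError(user)
        records = [[n, new_hash if n == user else h] for n, h in records]
        # Write the full new copy to a temp file in the same directory ...
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(os.path.abspath(path)))
        try:
            with os.fdopen(fd, "w") as out:
                out.writelines(f"{n}:{h}\n" for n, h in records)
                out.flush()
                os.fsync(out.fileno())
            os.chmod(tmp, os.stat(path).st_mode & 0o777)  # keep original mode
            # ... then swap it in atomically: a reader that takes no lock
            # sees the old file or the new one, never a partial one.
            os.replace(tmp, path)
        except BaseException:
            os.unlink(tmp)
            raise
    # The lock is released when the lock file is closed.


def demo(n_users=50):
    """Constructed scenario: n_users simultaneous password changes on one file."""
    path = os.path.join(tempfile.mkdtemp(), "passwords")
    with open(path, "w") as f:
        f.writelines(f"user{i}:oldhash\n" for i in range(n_users))
    threads = [threading.Thread(target=change_password,
                                args=(path, f"user{i}", f"newhash{i}"))
               for i in range(n_users)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f)


if __name__ == "__main__":
    print(len(demo()), "records survive")
```

Without the lock, two writers can each read the old file and the later rename silently discards the earlier change; without the rename, a reader can catch the file half-written, which is the disappearing-users case described above.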
There are several Apache modules that let you use a database for your authentication. I'm going to talk about just two of them: mod_auth_db and mod_auth_mysql. I'll talk about mod_auth_db this week and leave mod_auth_mysql for next week, since there's a little more to say about it.
mod_auth_db lets you keep your usernames and passwords in DB
If you compiled Apache with mod_so enabled, enabling mod_auth_db should be just a matter of editing your httpd.conf file and uncommenting the line that refers to mod_auth_db. This should look something like:
LoadModule db_auth_module libexec/mod_auth_db.so
and, then ...
AddModule mod_auth_db.c