Apache Guide: Apache Authentication, Part 2

By Rich Bowen
Posted Jul 31, 2000


In this article, I'll talk about using databases for authentication, rather than the standard text-file htpasswd files.

In the second part of his series on Apache authentication, Rich Bowen explains how to use databases for authentication, rather than the standard text-based authentication files.

There are basically three reasons to use a database, rather than a text file, to store data.

The first reason is speed. Accessing data stored in a database is much faster than accessing data stored in a text file. A database is designed for rapid location of information. With a text file, you have to read through each record until you find what you are looking for.

The second reason is ease of data retrieval. A database--at least, a decent database--provides you with a language (usually SQL) for querying the database for specific information.

The third reason is data integrity. Since a database handles a lot of things for you, which you would have to handle for yourself when using a text file, you are less likely to screw up your data, and lose information, when using a real database.

Why Use a Database for Authentication?

All of the above three reasons are important when selecting a method of authentication on your Apache server. If you're running a site with a very small number of user accounts, it may not be worth the hassle to try to use a database for your authentication. But, as your list of users grows, these things will become real assets.

As your list of users grows, it takes proportionately longer to find a given user in the password file. Past a certain number of people (about 2,000, in my experience) the look-up just takes too long. Users that are listed at the bottom of the file will just be denied access, because Apache gives up looking for them before it can get that far in the file.

Managing the user lists is easier also. Rather than trying to open a large text file, and scroll through it looking for a name, you can use database queries to find the user you're looking for, and change their password, or remove them, or add a new user.

If you let your users change their password, then you are at risk of corrupting your data. Consider the situation where two users try to edit their password at nearly the same time. User A loads the file into memory, changes their password, and starts to write the file back to disk. At that moment, user B loads the file into memory to look for their password. Oops. The file has not been written back to disk yet, so user B only gets part of the file. When they write the file back to disk, most of the users mysteriously disappear. Actually, you'll (hopefully) implement some kind of file locking to avoid this completely, but using a database removes the concern completely.
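The file locking mentioned above could look like the following sketch, which is an added example and not code from the original article. The function names, the sidecar `.lock` file, and the `CONSTRUCTED-HASH-*` values are assumptions made for illustration; it relies on Unix `flock` and an htpasswd-style `user:hash` line format.

```python
import fcntl
import os
import tempfile
import threading


def set_password_hash(path, user, pw_hash):
    """Add or replace `user:pw_hash` in a flat password file without losing other users."""
    # Lock a sidecar file: the data file is replaced by rename below, so a
    # lock taken on the data file itself would not stop the next writer.
    with open(path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)  # blocks until other writers finish
        entries = {}
        if os.path.exists(path):
            with open(path) as f:
                for line in f:
                    name, _, value = line.rstrip("\n").partition(":")
                    if name:
                        entries[name] = value
        entries[user] = pw_hash
        # Write the complete new file beside the old one, then rename over it,
        # so a reader (such as the web server) never sees a half-written file.
        # mkstemp creates it mode 0600; set the owner/mode the server needs.
        fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
        with os.fdopen(fd, "w") as out:
            for name, value in entries.items():
                out.write(f"{name}:{value}\n")
            out.flush()
            os.fsync(out.fileno())
        os.replace(tmp, path)
    # The lock is released when the lock file is closed.


def demo(n_users=50):
    """Run n_users concurrent password changes; return {user: hash} as left in the file."""
    path = os.path.join(tempfile.mkdtemp(), "passwords")
    threads = [threading.Thread(target=set_password_hash,
                                args=(path, f"user{i}", f"CONSTRUCTED-HASH-{i}"))
               for i in range(n_users)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    set_password_hash(path, "user0", "CONSTRUCTED-HASH-changed")
    with open(path) as f:
        return dict(line.rstrip("\n").split(":", 1) for line in f)
```

Every writer must go through the same lock file for this to hold; a tool that edits the password file directly bypasses the protection.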

OK, So How Do I Do This?

There are several Apache modules that let you use a database for your authentication. I'm going to talk about just two of them: mod_auth_db and mod_auth_mysql. I'll talk about mod_auth_db this week and leave mod_auth_mysql for next week, since there's a little more to say about it.

mod_auth_db

mod_auth_db lets you keep your usernames and passwords in DB files.

If you compiled Apache with mod_so enabled, enabling mod_auth_db should be just a matter of editing your httpd.conf file and uncommenting the line that refers to mod_auth_db. This should look something like:


        LoadModule db_auth_module     libexec/mod_auth_db.so

and, then ...

        AddModule mod_auth_db.c
