Apache Guide: Apache Authentication, Part 2 Page 3

If you are going to be doing more with these files, you will probably want
something a little easier to automate. Perhaps the best tool for this will be
Perl, using the DB_File module. The technique that is used with
this module is a tied hash, which, simplified, means that the module
causes the file to act like a hash, so that modifying the hash directly changes
the DB file. Pretty cool.

The following Perl code, for example, will add a user rbowen,
with password mypassword, to your password file:

        use DB_File;
        tie %database, 'DB_File', "passwords.dat"
                or die "Can't initialize database: n";
         = 'rbowen';
         = 'mypassword';
        @chars=(0..9,'a'..'z');
         = '', map { [int rand @chars] } (0..1);
         = crypt(, );
        {} = ;
        untie %database;

Passwords are stored in Unix crypt format, just as they were in

the "regular" password files. The 'salt' that is created in the

middle there is part of the process, cenerating a random starting point for

that encryption. If enough people care, I'll explain this Perl code in a little

more detail. Otherwise, just trust me, it works. I copied it from a web site

that actually works. Of course, in the real world, the username and password

are read from a web form, or something like that. 
What About Groups?

In last week's article, we talked about putting users into groups and

requiring a particular group of users. You can do the same thing with

mod_auth_db, it just works a little differently. You'll notice

that in my sample configuration, above, I had the following lines:
        AuthDBUserFile  /usr/local/apache/passwd/passwords.dat
        AuthDBGroupFile /usr/local/apache/passwd/passwords.dat

The user file and group file are pointing at the same location. What's up

with that? It turns out that mod_auth_db stores both types of

information in the same file.

Because DB files, as I mentioned early on in this article, just store a

key/value pair, something has to be done to work around this limitation. What

the authors of mod_auth_db decided to to was to put the group name

in as part of the value, separated from the password by a colon.

So, if you were still using the Perl code above, you'd replace the line:

        {} = ;

with
        {} = ":";

or something to that effect. You can specify more than one group by listing

the groups, separated by commas.

I'm not aware of any nice way to do this with dbmmanage.

Once you have your passwords and groups in the file, you can require a group

in the regular way:
        require group administrators

This is not the only way to do this, it's just the way that I do it. You can

also have a separate group file, just like you do with regular text file

authentication. If you ahve a separate group file, it would contain a list of

username:group pairs. Again, you can have more than one group per

username: just list them as a comma-separated list. And, as with the other

method, I'm not aware of any nice way to do this with dbmmanage.

What about Microsoft Windows?