Apache Guide: Apache Authentication, Part 2 Page 3

If you are going to be doing more with these files, you will probably want
something a little easier to automate. Perhaps the best tool for this will be
Perl, using the DB_File module. The technique that is used with
this module is a tied hash, which, simplified, means that the module
causes the file to act like a hash, so that modifying the hash directly changes
the DB file. Pretty cool.

The following Perl code, for example, will add a user rbowen,
with password mypassword, to your password file:

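        use DB_File;

        # Tie the hash to the DB file; changes to %database are written to it.
        tie %database, 'DB_File', "passwords.dat"
                or die "Can't initialize database: $!\n";
        $username = 'rbowen';
        $password = 'mypassword';
        # Build a random two-character salt for crypt().
        @chars = (0..9, 'a'..'z');
        $salt = join '', map { $chars[int rand @chars] } (0..1);
        $crypt = crypt($password, $salt);
        # Store the crypted password under the username.
        $database{$username} = $crypt;
        untie %database;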

Passwords are stored in Unix crypt format, just as they were in
the "regular" password files. The 'salt' that is created in the
middle there is part of the process, generating a random starting point for
that encryption. If enough people care, I'll explain this Perl code in a little
more detail. Otherwise, just trust me, it works. I copied it from a web site
that actually works. Of course, in the real world, the username and password
are read from a web form, or something like that.

What About Groups?

In last week's article, we talked about putting users into groups and
requiring a particular group of users. You can do the same thing with
mod_auth_db, it just works a little differently. You'll notice
that in my sample configuration, above, I had the following lines:

        AuthDBUserFile  /usr/local/apache/passwd/passwords.dat
        AuthDBGroupFile /usr/local/apache/passwd/passwords.dat

The user file and group file are pointing at the same location. What's up
with that? It turns out that mod_auth_db stores both types of
information in the same file.

Because DB files, as I mentioned early on in this article, just store a
key/value pair, something has to be done to work around this limitation. What
the authors of mod_auth_db decided to do was to put the group name
in as part of the value, separated from the password by a colon.

So, if you were still using the Perl code above, you'd replace the line:

        $database{$username} = $crypt;

with

        $database{$username} = "$crypt:$group";

or something to that effect. You can specify more than one group by listing
the groups, separated by commas.

I'm not aware of any nice way to do this with dbmmanage.
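
As an added example (not code from the original article), the Perl below writes and reads entries in the password:group1,group2 layout described above, and refuses names that contain the delimiters. The helper names set_user and check_user and the file name example-passwords.dat are hypothetical.

```perl
use strict;
use warnings;
use DB_File;
use Fcntl qw(O_RDWR O_CREAT);

# Characters that are valid in a traditional crypt() salt.
my @salt_chars = ('.', '/', 0 .. 9, 'A' .. 'Z', 'a' .. 'z');

# Store "hash" or "hash:group1,group2" under the username. Names containing
# the delimiters (colon, comma) or whitespace would corrupt the record.
sub set_user {
    my ($db, $user, $password, @groups) = @_;
    for my $name ($user, @groups) {
        die "invalid name '$name'\n" if $name eq '' or $name =~ /[:,\s]/;
    }
    my $salt = join '', map { $salt_chars[int rand @salt_chars] } 0 .. 1;
    my $hash = crypt($password, $salt);
    die "crypt() returned no hash\n" unless defined $hash;
    $db->{$user} = @groups ? $hash . ':' . join(',', @groups) : $hash;
    return;
}

# Return an array ref of the user's groups if the password matches,
# or nothing if the user is unknown or the password is wrong.
sub check_user {
    my ($db, $user, $password) = @_;
    my $value = $db->{$user};
    return unless defined $value and length $value;
    my ($hash, $groups) = split /:/, $value, 2;
    my $try = crypt($password, $hash);
    return unless defined $try and $try eq $hash;
    return [ split /,/, $groups // '' ];
}

# Constructed demo: file name, user and groups are sample values.
my $file = 'example-passwords.dat';
tie my %database, 'DB_File', $file, O_RDWR | O_CREAT, 0600
    or die "Can't initialize database: $!\n";

set_user(\%database, 'rbowen', 'mypassword', 'administrators', 'editors');
my $groups = check_user(\%database, 'rbowen', 'mypassword');
print "rbowen is in: @$groups\n" if $groups;
print "wrong password rejected\n"
    unless check_user(\%database, 'rbowen', 'not-the-password');
eval { set_user(\%database, 'bad:name', 'x') };
print "rejected: $@" if $@;

untie %database;
unlink $file;
```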

Once you have your passwords and groups in the file, you can require a group
in the regular way:

        require group administrators

This is not the only way to do this, it's just the way that I do it. You can
also have a separate group file, just like you do with regular text file
authentication. If you have a separate group file, it would contain a list of
username:group pairs. Again, you can have more than one group per
username: just list them as a comma-separated list. And, as with the other
method, I'm not aware of any nice way to do this with dbmmanage.

What about Microsoft Windows?
