Apache Guide: Apache Authentication, Part 2 Page 3

If you are going to be doing more with these files, you will probably want something a little easier to automate. Perhaps the best tool for this will be Perl, using the DB_File module. The technique that is used with this module is a tied hash, which, simplified, means that the module causes the file to act like a hash, so that modifying the hash directly changes the DB file. Pretty cool.

The following Perl code, for example, will add a user rbowen, with password mypassword, to your password file:

        use DB_File;
        tie %database, 'DB_File', "passwords.dat"
                or die "Can't initialize database: \n";
         = 'rbowen';
         = 'mypassword';
         = '', map { [int rand @chars] } (0..1);
         = crypt(, );
        {} = ;
        untie %database;

Passwords are stored in Unix crypt format, just as they were in the "regular" password files. The 'salt' that is created in the middle there is part of the process, cenerating a random starting point for that encryption. If enough people care, I'll explain this Perl code in a little more detail. Otherwise, just trust me, it works. I copied it from a web site that actually works. Of course, in the real world, the username and password are read from a web form, or something like that.

What About Groups?

In last week's article, we talked about putting users into groups and requiring a particular group of users. You can do the same thing with mod_auth_db, it just works a little differently. You'll notice that in my sample configuration, above, I had the following lines:

        AuthDBUserFile  /usr/local/apache/passwd/passwords.dat
        AuthDBGroupFile /usr/local/apache/passwd/passwords.dat

The user file and group file are pointing at the same location. What's up with that? It turns out that mod_auth_db stores both types of information in the same file.

Because DB files, as I mentioned early on in this article, just store a key/value pair, something has to be done to work around this limitation. What the authors of mod_auth_db decided to to was to put the group name in as part of the value, separated from the password by a colon.

So, if you were still using the Perl code above, you'd replace the line:

        {} = ;


        {} = ":";

or something to that effect. You can specify more than one group by listing the groups, separated by commas.

I'm not aware of any nice way to do this with dbmmanage.

Once you have your passwords and groups in the file, you can require a group in the regular way:

        require group administrators

This is not the only way to do this, it's just the way that I do it. You can also have a separate group file, just like you do with regular text file authentication. If you ahve a separate group file, it would contain a list of username:group pairs. Again, you can have more than one group per username: just list them as a comma-separated list. And, as with the other method, I'm not aware of any nice way to do this with dbmmanage.

What about Microsoft Windows?

This article was originally published on Jul 31, 2000
Page 3 of 4

Thanks for your registration, follow us on our social networks to keep up-to-date