Auth mysql

From ToXiC

Jump to: navigation, search

La documentation trouvée ici est répétée ci dessous :

Documentation


Loading mod_auth_mysql
======================

To get Apache to load the module, you need to  add the following directive to
your httpd.conf (look for the other LoadModule commands):

LoadModule mysql_auth_module modules/mod_auth_mysql.so


If using Apache 1.x, you may also need to add:

AddModule mod_auth_mysql.c


Stop and start Apache and see if it starts up without any errors.

IMPORTANT!  If Apache suffers a segfault on startup with this module included,
but starts fine with the module absent, you are most likely using two different
versions of MySQL libraries.  This can happen if, for instance, you compile
mod_auth_mysql against MySQL 4.0.20 libraries, but use the precompiled version
of mod_php.so (or compile it yourself with default MySQL options), which uses
earlier versions of the MySql libraries.  The solution is to recompile all
modules using MySQL with the same libraries.


Configuring your system
=======================

Authentication options may be placed in the appropriate <Directory> entry in
your httpd.conf file, or in a .htaccess file in the directory you wish to
protect.  Using the httpd.conf file is preferred, but you must restart Apache
after making any changes.  If you change the .htaccess file, you do not need to
restart Apache, but there is additional run-time overhead (Apache must read
every .htaccess file from the file's directory back up to the DocumentRoot on
EVERY request).  See the Apache documentation on .htaccess for more information
on this.  My recommendation is to use .htaccess until you get everything
working, then move the options to the <Directory> entry in your httpd.conf (and
test again!).

Apache has several options available for authentication.  It is important for
you to understand these options to be able to use mod_auth_mysql effectively.
See the Apache documentation "Authentication, Authorization and Access" for
more details on how it works.


EXAMPLE of Basic Authentication
===============================

By default, mod_auth_mysql assumes that each MySQL database has a table like the
following example:

CREATE TABLE user_info (
  user_name CHAR(30) NOT NULL,
  user_passwd CHAR(20) NOT NULL,
  user_group CHAR(10),
    [ any other fields if needed ]
  PRIMARY KEY (user)
)

User_name must be a unique, non-empty field.  Its length is however long you
want it to be.  Password length of 20 follows new-style crypt() usage; the
older crypt uses shorter encrypted passwords.  Any other fields in the named
table will be ignored.  The actual field names are configurable using the
parameters listed below.  The defaults are "user_name" and "user_passwd"
respectively, for the user ID and the password, and "user_group" for the group
which is optional. 

In your httpd.conf or .htaccess file:

 AuthName "MySQL Testing"
 AuthType Basic
 AuthMySQLHost localhost
 AuthMySQLDB test
 AuthMySQLUserTable user_info
 AuthMySQLEnable On
 require valid-user

CONFIGURATION PARAMETERS
========================

Configuration paramaters generally contain a single value:

  On | Off : Whether this value is active or not
  Number: A valid integer value for the paramater
  String: A string containing the value.  The string may include spaces if the
  entire string 

Following are the options for configuring mod_auth_mysql.

AuthMySQLEnable On
AuthMySQLHost localhost
AuthMySQLPort <default port in MySQL>
AuthMySQLSocket <default socket in MySQL>
AuthMySQLUser <no default -- NULL>
AuthMySQLPassword <no default -- NULL>
AuthMySQLDB test
AuthMySQLUserTable user_info
AuthMySQLUserCondition <no default>
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLNoPasswd Off
AuthMySQLPwEncryption crypt
AuthMySQLSaltField <>
AuthMySQLGroupTable <defaults to value of AuthMySQLUserTable>
AuthMySQLGroupCondition <no default>
AuthMySQLGroupField <no default>
AuthMySQLKeepAlive Off
AuthMySQLAuthoritative On
AuthMySQLCharacterSet <no default>


AuthMySQLEnable On | Off
  Whether or not mod_auth_mysql should attempt to authorize the user.
    Off: No authorization will be done by this module
    On:  Attempt to authorize the user

AuthMySQLHost localhost | host_name_or_ip_address
  Identifies the MySQL host.

AuthMySQLPort tcp/ip_port_number
  The tcp/ip port which should be used to access MySQL.  MySQL normally uses
  port 3306, but this can be changed in the MySQL configuration.  See the MySQL
  documentation for more details.
  
AuthMySQLSocket full_path_to_socket_file
  The UNIX socket which should be used to access MySQL host "localhost" on a
  UNIX system.  The default is /tmp/mysql.sock, but this can be changed in the
  MySQL configuration.  See the mySQL documentation for more details.

AuthMySQLUser userid
  The userid to be used to access MySQL.  This user must have SELECT access to
  the appropriate tables.  As the password must be in plain text (see
  AuthMySQLPassword below), it is recommended you use a userid with limited
  privileges (do NOT use "root"!).

AuthMySQLPassword password
  The password for the userid specified in AuthMySQLUser.  An, as the password
  must be in plain text, it is recommended you use a userid with limited
  privileges (do NOT use "root"!).
  
AuthMySQLDB database_name
  The name of the MySQL database containing the authorization information.  On
  systems with case sensitive file systems (i.e. Unix), this field is case
  sensitive.

AuthMySQLUserTable mysql_table_name
  The name of the MySQL table in AuthMySQLDB which contains the userids and
  passwords.  On systems with case sensitive file systems (i.e. Unix), this
  field is case sensitive.

  If this field contains two or more table names, you will need to join the
  tables in the AuthMySQLUserCondition (below).

AuthMySQLUserCondition
  Additional conditions to be placed in the WHERE clause when retrieving user
  information.  Whatever is in this string is appended after an AND condition
  in the SQL statement.

  If two or more tables have been specified in the AuthMySQLUserTable option
  above, this option must contain the information required to join the tables.

AuthMySQLNameField mysql_column_name
  The name of the column in AuthMySQLUserTable which contains the userids to be
  authenticated.  The column must contain unique, non-empty field values.  Its
  length is however long you want it to be.  This value is case sensitive.

  Values in this field are case sensitive ONLY if you define the column as
  binary data (i.e. BINARY, VARBINARY, etc.).  It is NOT case sensitive if the
  column is defined with character data (i.e. CHAR, VARCHAR).  See the MySQL
  documentation for more information.

AuthMySQLPasswordField mysql_column_name
  The name of the column in AuthMySQLUserTable which contains the passwords.
  This value is case sensitive.  It's length may be as long as you want it to
  be for plaintext passwords.  If the password is encrypted, the field must be
  long enough to contain the encrypted data.  See AuthMySQLPwEncryption below.

  Passwords values are case sensitive.

AuthMySQLNoPasswd Off
  No password is required for this resource. 

AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1
  The encryption type used for the passwords in AuthMySQLPasswordField:
    none: not encrypted (plain text)
    crypt: UNIX crypt() encryption
    scrambled: MySQL PASSWORD encryption
    md5: MD5 hashing
    aes: Advanced Encryption Standard (AES) encryption
    sha1: Secure Hash Algorihm (SHA1)

  WARNING: When using aes encryption, the password field MUST be a BLOB type
  (i.e.  TINYBLOB).  MySQL will strip trailing x'20' characters (blanks), EVEN
  IF THE COLUMN TYPE IS BINARY!

AuthMySQLSaltField <> | <string> | mysql_column_name

  Contains information on the salt field to be used for crypt and aes
  encryption methods.  It can contain one of the following:
    <>: password itself is the salt field (use with crypt() only)
    <string>: "string" as the salt field
    mysql_column_name: the salt is take from the mysql_column_name field in the
      same row as the password

  This field is required for aes encryption, optional for crypt encryption.
  It is ignored for all other encryption types.

AuthMySQLGroupTable 
  Contains the name of the table with the group information when authorizing by
  groups (Apache option require group).

  As with the AuthMySQLUserTable, you can specify two or more tables in this
  option, in which case you will need to join the tables in the
  AuthMySQLGroupCondition below.  

AuthMySQLGroupCondition
  Additional conditions to be placed in the WHERE clause when retrieving group
  information.  Whatever is in this string is appended after an AND condition
  in the SQL statement.

  If two or more tables have been specified in the AuthMySQLGroupTable option
  above, this option must contain the information required to join the tables.

AuthMySQLGroupField
  This option contains the name of the column containing the group information
  when Apache group authorization is required.  Values in the Apache require group
  option will be matched against the retrieved rows.
    
AuthMySQLKeepAlive
  Indicates whether to keep the connection to MySQL open or close it after each
  request.  Keeping the connection open can improve performance at the cost of
  the resources necessary to maintain the connection.  If this is Off, the connection
  will be closed after each request.  

  Currently, only one connection to the server can have AuthMySQLKeepAlive on.  

  Note: This parameter currently does not work with Apache 2.x and is ignored.
  We are aware of the bug.

AuthMySQLAuthoritative
  Used to indicate if other modules should be called when mod_auth_mysql is not
  able to authorize the user.  If this is On, no other modules will be called
  and the request will fail.  If this is off, Apache will attempt to use
  mod_auth and/or any other active modules to authorize the user.

AuthMySQLCharacterSet
  Used to override the default characterset for the connection.  This
  parameter must specify a valid character set in MySQL.  It is generally
  required only in MySQL 4.1 and above, where the characterset encoding 
  for the tables being used is different that the default specified in
  the MySQL configuration.

The following parameters have been depricated and replaced by the single 
parameter AuthMySQLPwEncryption:

 AuthMySQLCryptedPasswords On | Off
 AuthMySQLScrambledPasswords On | Off
 AuthMySQLMD5Passwords On | Off
 AuthMySQLAESPasswords On | Off
 AuthMySQLSHA1Passwords On | Off

These parameters will be removed in a future release. 

Additional Information
======================

AuthMySQLUserCondition and AuthMySQLGroupCondition

  The optional directives AuthMySQLUserCondition and AuthMySQLGroupCondition
  can be used to restrict queries made against the User and Group tables.  The
  value for each of these should be a string that you want added to the end of
  the where-clause when querying each table.  For example, if your user table
  has an "active" field and you only want users to be able to login if that
  field is 1, you could use a directive like this: AuthMySQLUserCondition
  active=1

  You can specify parameters for system options.  These parameters will be
  replaced by the appropriate values in the query.  See Formats below.

Groups
  A user can be a member of multiple groups, but in this case the user id field
  *cannot* be PRIMARY KEY.  You need to have multiple rows with the same user
  ID, one per group to which that ID belongs.  In this case, you MUST put the
  GroupTable on a separate table from the user table.  This is to help prevent
  the user table from having inconsistent passwords in it.  If each user is
  only in one group, then the group field can be in the same table as the
  password field.  A group-only table might look like this:

  CREATE TABLE user_group (
    user_name char(50) DEFAULT '' NOT NULL,
    user_group char(20) DEFAULT '' NOT NULL,
    create_date int,
    expire_date int,
    PRIMARY KEY (user_name,user_group)
  );

  Note that you still need a user table which has the passwords in it.

  There are two options to using groups.  You can put the "user_group" field
  into the same table as the user database if each user is in only one group,
  or you can have a separate table that contains the fields "user_name" and
  "user_group" if each user is a member of multiple groups.

  If the user_group field is part of the full user table, the table has three
  fields at least: user_name, user_group, user_passwd.  The user_group field
  must be "PRIMARY KEY" in the user database containing a password.  The
  htaccess file would be this:

    AuthName My Authorization
    AuthType Basic
    AuthGroupFile /dev/null  # do NOT include this directive if using Apache2!!!
    AuthMySQLHost localhost
    AuthMySQLDB authdata
    AuthMySQLUserTable user_info
    AuthMySQLGroupField user_group
    require group admin

  If you have a separate database for groups, the two tables would be

    user_info: user_name, user_passwd (user_name must be PRIMARY KEY)
    user_group: user_name, user_group (user is not PRIMARY KEY, as we have
	multiple tuples for user_name,user_group to let a user be in
	multiple groups)

  and htaccess would have this:

    AuthName My Authorzation
    AuthType Basic
    AuthGroupFile /dev/null  # do NOT include this directive if using Apache2!!!
    AuthMySQLHost localhost
    AuthMySQLDB authdata
    AuthMySQLUserTable user_info
    AuthMySQLGroupTable my_groups
    AuthMySQLGroupField user_group
    require group admin

  Assuming that the required group name is "admin".

Multiple Tables

  If you have user information stored in two (or more) different tables, you
  can join the tables like this:

    AuthName My Authorization
    AuthType Basic
    AuthGroupFile /dev/null  # do NOT include this directive if using Apache2!!!
    AuthMySQLHost localhost
    AuthMySQLDB test
    AuthMySQLUserTable "user_info, user_status"
    AuthMySQLUserCondition = "user_info.user_name = user_status.user_name and user_status.status = 'OK'"
    require valid-user

Formats 
=======

  You can specify the following paramaters in the AuthMySQLUserCondition and
  AuthMySQLGroupCondition clauses.  They will be replaced by the appropriate
  values in the query.

    %h  DNS name of the remote host
    %a  IP address of the remote host
    %f  The filename being requested
    %V  Hostname of the Apache server
    %v  Virtual hostname
    %H  Protocol sent with the request (i.e. HTTP/0.9)
    %m  Request method (i.e. GET, HEAD, POST, etc.)
    %q  Arguments following the ? in the request
    %r  Request line
    %U  Path portion of the URI
   
These parameters can be used to further limit access.  For instance, if you
wish to limit users to a single ip address, you could add the following column
to your user_info table:

  ip_address VARCHAR (15)

You could then do something similar to this:

    AuthName My Authorization
    AuthType Basic
    AuthGroupFile /dev/null  # do NOT include this directive if using Apache2!!!
    AuthMySQLHost localhost
    AuthMySQLDB test
    AuthMySQLUserTable user_info
    AuthMySQLUserCondition = "ip_address = '%a'"
    require valid-user

Personal tools