http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLoginSiteProtection.

html
Apache authentication and autorization Intro:
Apache authentication can be configured to require web site visitors to login with a user id and
password. This is different than adding a login form on a web page and creating your own
authentication. This tutorial describes the various methods available for authentication with
Apache and its' configuration. Login protection is applied to the web pages stored in a directory.
The login dialog box which requests the user id and password is provided by the web browser at
the request of Apache. Apache allows the configuration to be entered in its' configuration files
(i.e. main configuration file /etc/httpd/conf/httpd.conf, supplementary configuration files
/etc/httpd/conf.d/​component​.conf or in a file which resides within the directory to be password
protected. Five forms of authentication are detailed here: Apache password file authentication,
digest file authentication, LDAP, NIS and MySQL.
Apache authentication methods using local files to store passwords, have no association with
system user accounts. If using LDAP or NIS for system login authentication, its use can be
extended to support Apache web site logins.
Terms:
● Authentication: Prove it is you. Authenticate the login by requiring a password only the
user would know.
● Authorization: Only certain users or members of a privaleged group are allowed.
Typically Authentication or Authentication and Authorization are required for access.
Apache configuration files: (refered to generically in this tutorial as httpd.conf or reside as the
file .htpasswd, in the directory being protected.)
● Red Hat / Fedora Core / CentOS: /etc/httpd/conf/httpd.conf or
/etc/httpd/conf.d/​application​.conf
● Novell SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/​application​.conf
● Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf or
/etc/apache2/conf.d/​application​.conf

Apache password file authentication:

Directory protection using .htaccess and .htpasswd

This tutorial applies to Apache based web servers. It requires:
1. Editing the server configuration file (httpd.conf) to enable/allow a directory structure on
the server to be password protected. Basically the default <Directory> access
permission statement need modification.
2. The creation and addition of two files specifying the actual logins and passwords.
(.htaccess and .htpasswd)
Use this sparingly because Apache will have to check all directories and subdirectories
specified in the configuration file for the existence of the.htaccess file adding to a servers
latency.
When trying to access a file in a protected directory, the user will be presented with a window
(dialog box) requesting a username and password. This protection applies to all sub-directories.
Other .htaccess files in sub directories may respecify access rules.
Apache authentication uses the modules mod_auth and mod_access.

Apache configuration file:

File: /etc/httpd/conf/httpd.conf (older systems used access.conf)
Default:​ This disables the processing of .htaccess files for the system.
<Directory />
AllowOverride None
</Directory>
or for a specified directory:
<Directory ​/home/domain/public_html​>
AllowOverride None
</Directory>

Change to and/or specify directory to protect:

<Directory ​/home/domain/public_html/membersonly​>
AllowOverride All
</Directory>

OR
<Directory ​/home/domain/public_html/membersonly​>
AllowOverride AuthConfig
</Directory>

AllowOverride parameters: AuthConfig FileInfo Indexes Limits Options

The name of the "distributed" and user controlled configuration file .htaccess is defined with the
directive: (default shown)
AccessFileName .htaccess

Password protection by a single login:

Password files:
1. Create the directory you want to password protect (example: membersonly)
2. Create a file /home/​domain​/public_html/membersonly/.htaccess in that director that looks
something like this:
 3. AuthName "​Add your login message here."​
AuthType Basic
AuthUserFile /home/​domain​/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user ​name-of-user

4. In this case the "name-of-user" is the login name you wish to use for accessing the web
site.
5. [Pitfall]​ The literature is full of examples of the next method but I never got it to work.
6. One can use Apache directives to specify access and restriction:
7. AuthName "​Add your login message here."​
AuthType Basic
AuthUserFile /home/​domain​/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
<Limit GET POST>
require user ​name-of-user
</Limit>

8.
9. Also see: ​List of Apache directives​. If an incorrect directive is used in the .htaccess file it
will result in a server error. Check your log files:/var/log/httpd/error_log.
10. The name of the access file .htaccess is specified by the httpd.conf directive
AccessFileName.
11. Create (or clobber if it already exists) the password file
/home/​domain​/public_html/membersonly/.htpasswd using the program htpasswd:
12. htpasswd -c .htpasswd ​name-of-user

13. Add a new user to the existing password file:

14. htpasswd .htpasswd ​name-of-user

15. Man page: ​htpasswd

16. Example file: .htpasswd
17. user1:KgvCSeExtS4kM
USER1:KgvCSeExtS4kM
User1:KgvCSeExtS4kM

Flexible password protection by group access permissions:

This example differs from the previous example in that it allows for greater control and flexibility
by using groups.
Password files:
1. Create a file .htgroup in that directory that contains the groupname and list of users:
2. ​member-users:​ user1 user2 user3 ... etc

3.
4. Where ​member-users​ is the name of the group.
5. Modify .htaccess in the membersonly directory so it looks something like:
6. AuthName "​Add your login message here.​"
AuthType Basic
AuthUserFile /home/​domain​/public_html/membersonly/.htpasswd
AuthGroupFile /home/​domain/​ public_html/membersonly/.htgroup
require group ​member-users

7. Create the password file .htpasswd using the program htpasswd for each user as above.
You don't need the -c option if you are using the same .htpasswd file. (-c is only to create
a new file)
8. htpasswd -c /home/​domain​/public_html/membersonly/.htpasswd user1
htpasswd /home/​domain​/public_html/membersonly/.htpasswd user2

Restrict access based on domain or IP address:

Allow specified domain to access site:
Order deny, allow
Deny from all
Allow from ​allowable-domain​.com
Allow from ​XXX.XXX.XXX
Deny from ​evil-domain​.com

Specify first three (or one, or two, ...) octets of IP address defining allowable domain.

Placing Authentication directives in httpd.conf exclusively instead of using

.htaccess:
The purpose of using the "distributed configuration file" .htaccess is so that users may control
authentication. It can also be set in the Apache configuration file httpd.conf WITHOUT using the
.htaccess file. This can improve server performance as the server will not have to look for the
.htaccess file in each subdirectory.
File: httpd.conf (portion)
 ..
...

​
<Directory ​/home/domain/public_html/membersonly>
AllowOverride AuthConfig
AuthName "​Add your login message here.​"
AuthType Basic
AuthUserFile /home/​domain​/public_html/membersonly/.htpasswd
AuthGroupFile /dev/null
require user ​name-of-user
</Directory>

...
..

Perl CGI Script to Modify User Passwords:

This allows users to manage / change their own passwords.
Use the Perl CGI script ​htpasswd.pl​ [​cache​]
● Edit location of Perl .i.e.: /usr/bin/perl
● Not /usr/local/bin/perl
● Edit the script to specify location of the password file i.e.
/var/www/PasswordDir/.htpasswd
● SELinux users must add the correct attribute i.e. chcon -R -h -t httpd_sys_content_t
/var/www/PasswordDir
● The password file must be located in a directory where CGI is allowed to modify files.
● File: httpd.conf (portion)
● ..
...

<Directory "/var/www/PasswordDir">
Options -Indexes
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
...
..
 Using Digest File for Apache Authentication:
This method authenticates a user login using Apache 2.0 on Linux. The logins have no
connection to user accounts.
<Location ​/home/domain/public_html/membersonly​>
AuthType Digest
AuthNAme "Members Only Area"
AuthDigestDomain ​/home/domain/public_html/membersonly
AuthDigestFile /etc/httpd/conf/digestpw
require valid-user
</Location>

For more on digest authentication see:

● Apache.org: Module mod_auth_digest
● RFC 2617: HTTP Authentication: Basic and Digest Access Authentication
● Man page: ​htdigest

Using LDAP for Apache Authentication:

This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux
(supplied by default with most Linux distros) and an LDAP server. LDAP can be used to
authenticate user accounts on Linux and other computer systems as well as web site logins.
Also see ​YoLinux TUTORIAL: LDAP system authentication​.
Try this out with your Apache server authenticating to our open LDAP server using our Three
Stooges example.

Apache LDAP modules:

Note that the following configurations work if the LDAP modules are enabled:
● Apache 2.0 (Red Hat Enterprise 4/CentOS4): ​mod_ldap​, ​mod_auth_ldap
● Apache 2.2 (Red Hat Enterprise 5/CentOS 5): ​mod_ldap​, ​mod_authnz_ldap
These are turned on by default. See /etc/httpd/conf/httpd.conf
● Apache 2.0:
● LoadModule ldap_module modules/mod_ldap.so
LoadModule auth_ldap_module modules/mod_auth_ldap.so

● Apache 2.2:
● LoadModule ldap_module modules/mod_ldap.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
 Apache Authentication Configuration:

Apache 2.0:
Authenticate to an Open LDAP server. (No bind name/password required to access LDAP
server)
File: httpd.conf (portion)
..
...

​
<Directory ​/var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPURL ldap://ldap.yolinux.com:389/o=stooges?mail
require valid-user
</Directory>
...
..

or create the file /var/www/html/.htaccess

AuthName "Stooges Web Site: Login with email address"
AuthType Basic
AuthLDAPURL ldap://ldap.​your-domain​.com:389/o=stooges?mail
require valid-user

Point your browser to ​http://localhost/

Login with the user id "LFine@isp.com" and password "larrysecret".
You will be asked to use a user id (email address) and password to enter the site.
Bind with a bind DN: (password protected LDAP repository)
File: httpd.conf (portion)
..
...

​
<Directory ​/var/www/html>
AuthType Basic
AuthName "Stooges Web Site: Login with email address"
AuthLDAPEnabled on
AuthLDAPURL ldap://ldap.​your-domain.​ com:389/o=stooges?mail
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
 AuthLDAPBindPassword ​secret1
require valid-user
</Directory>
...
..

Examples:
● require valid-user: Allow all users if authentication (password) is correct.
● require user greg phil bob: Allow only greg phil bob to login.
● require group accounting: Allow only users in group "accounting" to authenticate.
For this LDAP authentication example to work, configure your LDAP server with our ​YoLinux
Three Stooges example​ and set the password in the /etc/openldap.slapd.conf file.
This example specified the use of the email address as a login id. If using user id's specify:
AuthLDAPURL ldap://ldap.​your-domain​.com:389/o=stooges?uid

Apache 2.2:
Authenticate using Apache httpd 2.2 AuthzLDAP:
User Authentication:
File: httpd.conf (portion)
..
...

<Directory ​/var/www/html> ​
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.​your-domain.​ com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword ​secret1
require ldap-user lary curley moe joe bob mary
</Directory>
...
..

There are two configurations for the directive AuthzLDAPAuthoritative:

AuthzLDAPAuthoritative on (default)
AuthzLDAPAuthoritative on
 ...

require ldap-user lary curley moe joe bob mary

AuthzLDAPAuthoritative off
AuthzLDAPAuthoritative off

...

require valid-user

This configuration allows a waterfall of other authentication methods to be employed along side
LDAP.
Group Authentication:
LDAP LDIF file: (part of our ​stooges example​)
dn: cn=users,ou=group,o=stooges
cn: users
objectClass: top
objectClass: posixGroup
gidNumber: 100
memberUid: larry
memberUid: moe

Apache Configuration:
...

​
<Directory ​/var/www/html>
Order deny,allow
Deny from All
AuthType Basic
AuthName "Stooges Web Site: Login with user id"
AuthBasicProvider ldap
AuthzLDAPAuthoritative on
AuthLDAPURL ldap://ldap.​your-domain.​ com:389/o=stooges?uid?sub
AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
AuthLDAPBindPassword ​secret1
AuthLDAPGroupAttribute memberUid
AuthLDAPGroupAttributeIsDN off
Require ldap-group cn=users,ou=group,o=stooges
Require ldap-attribute gidNumber=100
 Satisfy any
</Directory>
...

Note:
● Allow users (LDAP attribute: memberUid) in group gidNumber: 100 of objectClass:
posixGroup which match to the login uid, authentication approval.
● The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
● AuthLDAPGroupAttributeIsDN:
○ on (default): Use DN (Distinguished name) cn=Moe
Howard,ou=MemberGroupA,o=stooges
○ off: Use username moe
● Multiple Require ldap-group ... statements may be included to allow multiple groups.
● Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
● The directive Satisfy any is required if testing multiple conditions. Only one positive in
any of the conditions is required to authenticate. Thus you can combine the following
authorization schemes as well:
○ Require ldap-user
○ Require ldap-dn
○ Require ldap-attribute
○ Require ldap-filter

Concurrent File and LDAP authentication:

Apache can use both File and LDAP authentication concurently. This is sometimes required to
run cron jobs with a login where you do not want to use a system login or login managed by a
directory server in another department.
<Directory /ABC>
Order deny,allow
Deny from All
AuthType Basic
AuthBasicProvider file ldap
AuthName "Directory services login"
AuthBasicAuthoritative off
AuthUserFile /srv/htpasswd
AuthGroupFile /dev/null
AuthzLDAPAuthoritative off
AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub"
# This user created for local cron jobs. It is not a system user and allows
# the cron job to perform its task.
# This user is not in the LDAP directory but in the password file /srv/htpasswd
 Require user ​cronuserjobx
Require ldap-user ​usera userb
</Directory>

Note:
● AuthBasicProvider file ldap - Check password "file" authentication then LDAP
● AuthBasicAuthoritative off - Allows fall back to another auth scheme, in this case LDAP
● AuthzLDAPAuthoritative off - Allows fall back to other auth scheme besides LDAP, in this
case file

Debugging Apache Authentication:

Set LogLevel debug when debugging authentication. This will log all the LDAP connection
events and the LDAP attributes requested.

Authenticating with Microsoft Active directory using Microsoft's "Unix services for Windows":
AuthLDAPURL
ldap://ldap.​your-domain​.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountNa
me?sub
Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:
● LDAPTrustedCA ​directory-path/filename
● LDAPTrustedCAType ​type
● Where the "type" is one of:
○ DER_FILE: file in binary DER format
○ BASE64_FILE: file in Base64 format
○ CERT7_DB_PATH: Netscape certificate database file
Restart Apache after editing the configuration file: service httpd restart for configuration changes
to take effect.
See /var/log/httpd/error_log for configuration errors.

Links:
● YoLinux Tutorial: Configuration of an LDAP server​ - includes a quick start example using
the Three Stooges.
● YoLinux Tutorial: Apache web server configuration
Apache documentation:
● Apache 2.0:
○ mod_ldap
○ mod_auth_ldap
● Apache 2.2:
○ mod_ldap
○ mod_authnz_ldap
Other LDAP modules:
● Apache LDAP module auth_ldap​ - (Apache 1.3)
● Apache LDAP module mod_ldap_userdir​ (Apache 2.x)
● Apache mod_auth_ldap​ web server module for authentication with Netscape or
OpenLDAP servers (HowTo)

Using NIS for Apache Authentication:

This method authenticates using Apache on Linux and an NIS server. The advantage of using
NIS, is the comonality of computer system accounts and web site logins. This configuration
requires that the system the Apache web server is running on, must be using NIS authentication
for system logins.
This requires a NIS server. See the ​YoLinux.com NIS configuration tutorial​.
Requires the Linux RPM package mod_perl and the following Perl modules:
● ExtUtils-AutoInstall
● Net-NIS
● Apache2-AuthenNIS or Apache-AuthenNIS
The version of Apache determines which Perl modules to use:
● Apache 2.2 (RHEL5, CentOS5, FC6): Use the Perl module Apache2-AuthenNIS.
● Apache 2.0 (RHEL4, CentOS4, FC3): Use the Perl module Apache-AuthenNIS.
Download / Install Perl modules:
● Download "ExtUtils-AutoInstall" as an RPM from ​Dag​ RPMs:
perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm
● Install: rpm -ivh perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm
● Net-NIS​: (​CPAN​)
○ tar xzf Net-NIS-0.34.tar.gz
○ cd Net-NIS-0.34/
○ perl Makefile.PL
○ make
○ make install
● Apache(2)-AuthenNIS:
● Apache 2.2 ● Apache 2.0

● Apache2-AuthenNIS​: (​CPAN​) ● Apache-AuthenNIS​: (​CPAN​)

○ tar xzf ○ tar xzf
Apache2-AuthenNIS-0.15.t Apache-AuthenNIS-0.13.ta
ar.gz r.gz
○ cd ○ cd
Apache2-AuthenNIS-0.15 Apache-AuthenNIS-0.13
○ perl Makefile.PL ○ perl Makefile.PL
○ make ○ make
○ make install ○ make install
Or install from CPAN via the internet:
● perl -MCPAN -e shell
● (Answer no)
● install ExtUtils::AutoInstall
● install Net::NIS
● install Apache2::AuthenNIS (or Apache::AuthenNIS)
● quit
Test Perl module:
File: testApache2AuthenNIS.pl
#!/usr/bin/perl
BEGIN{push @INC, "/usr/lib/perl5/site_perl/5.8.8/Apache2";}
eval "use Apache2::AuthenNIS"; $hasApacheAuth = $@ ? 0 : 1;
printf "Apache2::AuthenNIS". ($hasApacheAuth ? "" : " not") . " installed";
printf "\n";

Test: [root]# ./testApache2AuthenNIS.pl

● Good: Apache2::AuthenNIS installed
● Not good: Apache2::AuthenNIS not installed
OR
File: testApacheAuthenNIS.pl
#!/usr/bin/perl
BEGIN{push @INC, "/usr/lib/perl5/site_perl/5.8.5/Apache";}
eval "use Apache::AuthenNIS"; $hasApacheAuth = $@ ? 0 : 1;
printf "Apache::AuthenNIS". ($hasApacheAuth ? "" : " not") . " installed";
printf "\n";

Test: [root]# ./testAuthenNIS.pl

● Good: Apache::AuthenNIS installed
● Not good: Apache::AuthenNIS not installed

Apache NIS authentication Examples:

1. require valid-user: Allow all users if authentication (password) is correct.
2. require user greg phil bob: Allow only greg phil bob to login.
3. require group accounting: Allow only users in group "accounting" to authenticate.

1) Restric access to NIS authenticated users:

Apache Configuration File: httpd.conf (portion)
..
...
 <Directory ​/home/domain/public_html/membersonly> ​
AuthType Basic
AuthName "​Add your login message here."​
PerlAuthenHandler Apache2::AuthenNIS ​- or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require valid-user
</Directory>

...
..

2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:
Apache Configuration File: httpd.conf (portion)
..
...

<Directory ​/home/domain/public_html/membersonly> ​
AuthType Basic
AuthName "​Add your login message here."​
PerlAuthenHandler Apache2::AuthenNIS ​- or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require user ​greg phil bob
</Directory>

...
..

3) Restrict access to NIS members of a specific NIS group:

Apache Configuration File: httpd.conf (portion)
..
...

<Directory ​/home/domain/public_html/membersonly> ​
AuthType Basic
AuthName "​Add your login message here."​
PerlAuthenHandler Apache2::AuthenNIS ​- or Apache::AuthenNIS
PerlAuthzHandler Apache2::AuthzNIS ​- or Apache::AuthzNIS
PerlSetVar AllowAlternateAuth no
require group ​accounting
 </Directory>

...
..

Note Apache2::AuthzNIS only checks for group membership by group name (not GID).
Apache2::AuthenNIS still required to authenticate the user (check password).

Example showing password protection for user web directories:

Apache Configuration File: httpd.conf (portion)
..
...

<IfModule mod_userdir.c>
UserDir public_html
</IfModule>

<Directory ​/home/*/public_html​>
AuthType Basic
AuthName "​Add your login message here."​
PerlAuthenHandler Apache2::AuthenNIS ​- or Apache::AuthenNIS
PerlSetVar AllowAlternateAuth no
require user ​valid-user

AllowOverride FileInfo AuthConfig Limit

Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
<Limit GET POST OPTIONS>
Order allow,deny
Allow from all
</Limit>
<LimitExcept GET POST OPTIONS>
Order deny,allow
Deny from all
</LimitExcept>
</Directory>

...
..

Also see ​YoLinux SysAdmin: Perl Admin

Links:
 ● NIS+ (More secure than NIS):
○ Apache::AuthenNISPlus
● Group NIS authentication:
○ Apache2::AuthzNIS
○ Apache::AuthzNIS
Note:
● Apache allows further restriction by client IP network address or subnet.
● Passwords can also be sent over an encrypted https connection by use of the Apache
directive SSLRequireSSL. See ​Apache SSL/TLS encryption
[Potential Pitfall]:​ This method of authentication will fail if using "adjunct password maps". This
Perl module requires the use of the library callyp_match() which must have access to the
encrypted passwords. If "adjunct password maps" are used, then this is not accessible to
processes other than root thus the web server daemon process apache will not be able to
access the data required. Test your system using the commandypcat passwd | head. If the
second field is prefixed with "##", then this perl module will not work. If the second field is an
encrypted password, then this perl module can work.

CGI to allow users to modify their NIS Passwords:

For those users who get a shell of /sbin/nologin, the "cgipaf" web interface is ideal for user
management of NIS passwords. Cgipaf uses PHP, cgi (written in C) and your system PAM
authentication (or /etc/passwd, /etc/shadow files). Cgipaf also can manage mail accounts using
procmail.
Download from ​http://www.wagemakers.be/english/programs/cgipaf
Installation/configuration:
● tar xf cgipaf-1.3.1.tar.gz
● cd cgipaf-1.3.1/
● ./configure --bindir=/var/www/cgi-bin --datadir=/srv/cgipaf --sysconfigdir=/etc/cgipaf
--prefix=/opt
● Note: nothing ends up in /opt
● make
● make install
● cd /srv/cgipaf
● ln -s cgipasswd.php index.php
File: /etc/httpd/conf.d/cgipaf.conf (Red Hat style systems)
Alias /NIS/ "/srv/cgipaf/"

<Directory "/srv/cgipaf">
SSLRequireSSL
Options Indexes FollowSymLinks
AllowOverride None
Order allow, deny
 Allow from all
</Directory>

Note the Apache 2 directive "SSLRequireSSL" will only allow https encrypted access. This is
important when managing passwords over the web.
The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The
configuration file will be/etc/cgipaf/cgipaf.conf.
See the web page at http://localhost/NIS/

Using a MySQL database for Apache Authentication:

Two Apache modules are available for database authentication:
● MySQL: mod_auth_mysql (This tutorial)
○ Red Hat RPM package: mod_auth_mysql
○ SuSE RPM package: apache2-mod_auth_mysql
● DBM database file: mod_auth_dbm
● (Fast even for 1000's of users.)
Apache Configuration:
● Red Hat: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/​application​.conf
● SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/​application.​ conf
..
...

​
<Directory ​/home/domain/public_html/membersonly>
AuthType Basic
AuthName "​Add your login message here."​
AuthMySQLHost ​localhost
AuthMySQLUser ​db_user
AuthMySQLPassword ​db_password
AuthMySQLDB ​database_name_used_for_authentication
AuthMysqlUserTable ​http_auth
AuthMySQLPwEncryption none
AuthMySQLEnable on
require valid-user
</Directory>

...
..

Examples:
● require valid-user: Allow all users if authentication (password) is correct.
 ● require user greg phil bob: Allow only greg phil bob to login.
● require group accounting: Allow only users in group "accounting" to authenticate.
Directives:
Directive Description

AuthMySQLEnable ​On If 'Off', MySQL authentication will

pass on the authentication job to
the other authentication modules
i.e password files.

AuthMySQLHost​host_name Name of MySQL Database hosr.

i.e. 'localhost'

AuthMySQLPort​TCP_Port_number Port number of MySQL Database.

Default: 3306

AuthMySQLDB​database_name Name of MySQL Database.

AuthMySQLUser ​user_id MySQL Database login id.

AuthMySQLPassword​user_password MySQL Database login password.

Plain text.

AuthMySQLUserTable​user_table_name Name of MySQL Databse table in

the database which holds the user
name and passwords.

AuthMySQLGroupTable​group_table_name Databse table holding group info.

AuthMySQLNameField​user_field_name If not using default field name

'user_name', then specify. Not case
sensitive id CHAR or VARCHAR.

AuthMySQLPasswordField​password_field_nam If not using default field name

e 'user_passwd', then specify.
Passwords are case sensitive.

AuthMySQLGroupField​group_field_name If not using default field name

'groups', then specify.

AuthMySQLNoPasswd ​Off Off: Passwords can be null ('').

On: password must be specified.

AuthMySQLPwEncryption​none Options: none, crypt, scrambled

(MySQL password encryption),
 md5, aes, sha. If you are going to
use plain-text passwords for mysql
authentication, you must include
this directive with the argument
"none".

AuthMySQLSaltField​salt_string Salt field to be used for crypt and

mysql_column_name aes.

AuthMySQLAuthoritative ​on Authenticate using other

authentication modules after the
user is successfully authenticated
by the MySQL auth module.
Default on: request is not passed
on.

AuthMySQLKeepAlive ​Off Off: Close the MySQL link after

each authentication request.
MySQL Admin:
● mysqladmin -h localhost -u root -p​password​ create http_auth
● mysql -h localhost -u root -p​password
● mysql>​ use http_auth
● mysql>​ create table mysql_auth ( user_name char(30) NOT NULL,user_passwd
char(60) NOT NULL,user_group char(25),primary key (user_name) );
● mysql>​ insert into mysql_auth values('Fred','supersecret','worker');
Links:
● Home page for mod_auth_mysql
● Home page for mod_auth_dbm [​Apache 1.3​] - [​Apache 2.0​]
● YoLinux MySQL tutorial

Login URL Tricks:

Here is a trick to incorporate a login and password into a URL. Typicall one would attempt to
enter the password protected area of the web site and the user would be confronted with a login
dialog box into which one would enter the user id and password. Another option is to enter a
URL with the login and password embedded.
http://​login-id​:​password@
​ ​UrlOfDomain.com/protectedPath/WebPage.html

Links:
Apache:
● Users authentication with .dbmpasswd password file
● Apache::AuthenSmb​, ​Apache2::AuthenSmb​ - Microsoft Active Directory authentication
 ● Apache::AuthenMSAD​, ​Apache2::AuthenMSAD​ - Samba NT PDC authentication
● Apache::AuthenNTLM​, ​Apache2::AuthenNTLM​ - Microsoft NTLM LAN protocol suported
by MS/Internet Explorer. Login/password credentials passed on the web server by IE
browser.
Other forms of web authentication:
● Facebook Platform authentication​ - Using OAuth protocol, the Facebook API allows
developers to use Javascript, PHP, Python, etc.
● IETF OAuth 2.0 Protocol draft
● OpenID​ - decentralized URL based auth
● Authentication Server Providers:
○ Yahoo OpenID
○ Google OpenID
○ OpenID for Google Apps API
○ Launchpad
○ Verisign OpenID​ - two factor auth
● API:
○ mod_auth_openid​ - Apache 2
○ OpenId4Java
○ List of OpenID Libraries​ - developer interfaces
● SAML: Security Assertion Markup Language​ - XML based authentication
● Authentication Server Providers:
○ Google SAML