Apache MySQL Authentication for Debian Etch

This how-to describes how to set up the Apache web server on Debian Etch so that it authenticates users against a MySQL database.

Usually this is done with Apache's auth-mysql module, but the corresponding Debian package libapache2-mod-auth-mysql is currently unmaintained and therefore not part of the stable release (http://packages.qa.debian.org/liba/libapache-mod-auth-mysql.html).

There are two possible solutions:

  • Using MySQL authentication via PAM
  • Compiling the Apache module auth-mysql

Debian recommends using PAM->MySQL authentication. It works fine, but the current Debian package does not support (non-crypt) MD5 password storage.

Compiling the auth-mysql module ourselves therefore appears to be the best solution, but we have to keep an eye on any security advisories concerning the module.

PAM-MySQL Authentication

The recommended Debian way is to use the packages libapache2-mod-auth-pam and libpam-mysql instead.

# apt-get install libapache2-mod-auth-pam libpam-mysql

The PAM authentication module has to be enabled in the Apache2 configuration. To use MySQL authentication with our IdP configuration, we change the Shibboleth authentication location in the IdP configuration file as follows:

  <Location /shibboleth-idp/SSO>
    AuthPAM_Enabled        on
    AuthPAM_FallThrough    off
    AuthUserFile           /dev/null
    AuthBasicAuthoritative Off
    AuthName               "Shibboleth IdP"
    AuthType               Basic
    require                valid-user
  </Location>

With regard to the security notice in the file "/usr/share/doc/libapache2-mod-auth-pam/README.Debian":

SECURITY

  To use with standard Debian configuration you have to add "www-data" user to
  "shadow" group. Be careful! It means it can be readable by anyone who can run
  its own CGI script!

  The passwords are sent by net as clear text. You should use SSL to protect
  them.

we should add the user www-data to the shadow group:

# adduser www-data shadow

Next, we have to configure the PAM-MySQL module for Apache2. Edit /etc/pam.d/apache2 and add the following line, setting the values to match your configuration:

auth sufficient pam_mysql.so verbose=1 user=webuser passwd=  host=160.45.63.30 db=drupal5 table=drupal5._shared_users usercolumn=drupal5._shared_users.name passwdcolumn=drupal5._shared_users.pass crypt=3

More detailed information about the possible values can be found in /usr/share/doc/libpam-mysql/README.gz:

# zless /usr/share/doc/libpam-mysql/README.gz

Finally, restart apache2 and see if it works.
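As an added illustration that is not part of this how-to, the following Python script reproduces the check that pam_mysql performs with crypt=3 (and that mod_auth_mysql performs with AuthMySQLPwEncryption md5 in the configurations further down): it decodes the HTTP Basic credentials, looks the user up in the name column and compares the unsalted MD5 hex digest of the supplied password with the pass column. The two user rows are constructed sample data standing in for drupal5._shared_users, and the function names are our own.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed sample of the drupal5._shared_users rows (name, pass). Drupal 5
# stores the unsalted MD5 hex digest of the password, which is what pam_mysql's
# crypt=3 and mod_auth_mysql's AuthMySQLPwEncryption md5 expect.
SHARED_USERS = {
    "alice": hashlib.md5(b"correct horse").hexdigest(),
    "bob": hashlib.md5(b"s3cret").hexdigest(),
}


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return None
    return user, password


def md5_matches(password, stored_hash):
    """The crypt=3 / AuthMySQLPwEncryption md5 check: compare MD5 hex digests."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, stored_hash.lower())


def authenticate(header, users=SHARED_USERS):
    """Emulate the module: look up the name column, verify against the pass column."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    stored = users.get(user)
    return stored is not None and md5_matches(password, stored)


def basic_header(user, password):
    """Build the header value a client sends for HTTP Basic authentication."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token
```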

Compiling and Installing Apache's auth-mysql module

For this part we mainly rely on the following documentation (in French): http://forum.nuxwin.com/index.php/topic,736.msg3590.html#msg3590

We need to install the following packages in order to compile and install the module:

# apt-get install apache2-prefork-dev libmysqlclient15-dev gcc patch

Create the directory /usr/src/auth_mysql and change to it:

# mkdir /usr/src/auth_mysql
# cd /usr/src/auth_mysql

Download the module's source files and the corresponding patch for Apache 2.2:

# wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/mod_auth_mysql-3.0.0.tar.gz
# wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/patch/apache2.2.diff

Unpack the sources and apply the patch to them:

# tar xzf mod_auth_mysql-3.0.0.tar.gz
# cp apache2.2.diff mod_auth_mysql-3.0.0/
# cd mod_auth_mysql-3.0.0
# patch -p0 mod_auth_mysql.c < apache2.2.diff

Compile the module and check the output produced:

# apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c

/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DLINUX=2 -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread     -I/usr/include/apache2  -I/usr/include/apr-1.0   -I/usr/include/apr-1.0 -I/usr/include/postgresql -I/usr/include/mysql  -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
/usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static i486-linux-gnu-gcc -o mod_auth_mysql.la  -L/usr/lib/mysql -lmysqlclient -lm -lz -rpath /usr/lib/apache2/modules -module -avoid-version    mod_auth_mysql.lo

Install the module and check the output produced:

# apxs2 -i mod_auth_mysql.la

/usr/share/apache2/build/instdso.sh SH_LIBTOOL='/usr/share/apr-1.0/build/libtool' mod_auth_mysql.la /usr/lib/apache2/modules
/usr/share/apr-1.0/build/libtool --mode=install cp mod_auth_mysql.la /usr/lib/apache2/modules/
cp .libs/mod_auth_mysql.so /usr/lib/apache2/modules/mod_auth_mysql.so
cp .libs/mod_auth_mysql.lai /usr/lib/apache2/modules/mod_auth_mysql.la
PATH="$PATH:/sbin" ldconfig -n /usr/lib/apache2/modules
----------------------------------------------------------------------
Libraries have been installed in:
   /usr/lib/apache2/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `LD_LIBRARY_PATH' environment variable
     during execution
   - add LIBDIR to the `LD_RUN_PATH' environment variable
     during linking
   - use the `-Wl,--rpath -Wl,LIBDIR' linker flag
   - have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 644 /usr/lib/apache2/modules/mod_auth_mysql.so

Create the module's load configuration file:

# echo "LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so" > /etc/apache2/mods-available/auth_mysql.load

Enable the module and restart apache2:

# a2enmod auth_mysql
# /etc/init.d/apache2 force-reload

You can check your configuration by observing the following log files:

  • /var/log/apache2/access.log
  • /var/log/apache2/error.log
  • /var/log/auth.log
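As an added example that is not part of this how-to, the following Python script shows what to look for in access.log once the module is in place: it classifies requests to the locations protected on this page as the initial 401 challenge, a rejected login, or a successful authenticated request, and lists client/user pairs with repeated rejections. The log lines are constructed sample data, and the threshold and function names are our own choices.

```python
import re
from collections import Counter

# Combined log format as written by Debian's default apache2 configuration.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
                    r'"\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Locations protected by the configuration in this how-to.
PROTECTED = ("/shibboleth-idp/SSO", "/svn", "/trac/login")

# Constructed sample of /var/log/apache2/access.log, not taken from a real server.
SAMPLE_LOG = """\
192.168.2.55 - - [10/Oct/2007:13:55:30 +0200] "GET /svn/ HTTP/1.1" 401 401 "-" "SVN/1.4"
192.168.2.55 - alice [10/Oct/2007:13:55:36 +0200] "GET /svn/ HTTP/1.1" 200 2326 "-" "SVN/1.4"
10.0.0.7 - bob [10/Oct/2007:13:56:01 +0200] "GET /trac/login HTTP/1.1" 401 401 "-" "Mozilla"
10.0.0.7 - bob [10/Oct/2007:13:56:05 +0200] "GET /trac/login HTTP/1.1" 401 401 "-" "Mozilla"
10.0.0.7 - bob [10/Oct/2007:13:56:09 +0200] "GET /trac/login HTTP/1.1" 401 401 "-" "Mozilla"
10.0.0.9 - - [10/Oct/2007:13:57:00 +0200] "GET /svnindex/svnindex.xsl HTTP/1.1" 200 512 "-" "Mozilla"
"""


def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)


def classify(line):
    """Return (ip, user, kind) with kind in challenge/rejected/ok, or None."""
    m = LOG_RE.match(line)
    if not m or not is_protected(m.group("path")):
        return None
    ip, user, status = m.group("ip"), m.group("user"), m.group("status")
    # Apache records the user name as soon as it has parsed the Basic credentials,
    # so a 401 with a user name is a rejected login, whereas a 401 with '-' is the
    # challenge that precedes the client's first authenticated request.
    if status == "401":
        return ip, user, "challenge" if user == "-" else "rejected"
    return (ip, user, "ok") if user != "-" else None


def summarize(log_text):
    """Count outcomes per (client IP, user, kind) for the protected locations."""
    return Counter(r for r in map(classify, log_text.splitlines()) if r)


def rejected_logins(log_text, threshold=3):
    """(ip, user) pairs whose credentials were rejected at least `threshold` times."""
    return sorted((ip, user) for (ip, user, kind), n in summarize(log_text).items()
                  if kind == "rejected" and n >= threshold)
```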

Subversion w/ mod_auth_mysql

Configure Apache to use mod_auth_mysql for Subversion (httpd.conf):

<VirtualHost *>
  <Location /svn>
    DAV            svn
    SVNPath        /var/lib/svn/edit
    SVNIndexXSLT   /svnindex/svnindex.xsl

    AuthType  Basic
    AuthName  "EDIT Subversion, use BDTracker account"
    AuthzSVNAccessFile  /var/lib/svn/access-edit.conf
    Satisfy Any
    Require valid-user

    # how to authenticate a user
    AuthBasicAuthoritative Off
    AuthMySQLHost 192.168.2.10
    AuthMySQLUser xxx
    AuthMySQLPassword XXX
    AuthMySQLDB drupal5
    AuthMySQLUserTable _shared_users
    AuthMySQLNameField name
    AuthMySQLPasswordField pass
    AuthMySQLPwEncryption md5
  </Location>
</VirtualHost>

or for multiple repositories:

<Location /svn/>
 DAV            svn
 SVNParentPath  /var/lib/svn
 SVNIndexXSLT   /svnindex/svnindex.xsl
 SVNListParentPath on

 AuthType  Basic
 AuthName  "BGBM Subversion - EDIT BDTracker account"
 AuthzSVNAccessFile /var/lib/svn/access.conf
 Satisfy Any
 Require valid-user

 # how to authenticate a user
 AuthBasicAuthoritative Off
 AuthMySQLAuthoritative on
 AuthMySQLHost 192.168.2.10
 AuthMySQLUser xxx
 AuthMySQLPassword xxx
 AuthMySQLDB drupal5
 AuthMySQLUserTable _shared_users
 AuthMySQLNameField name
 AuthMySQLPasswordField pass
 AuthMySQLPwEncryption md5

</Location>

Trac w/ mod_auth_mysql

Configure Apache to use mod_auth_mysql for Trac (httpd.conf):

<Location "/trac">
    SetHandler mod_python
    PythonHandler trac.web.modpython_frontend
    PythonOption TracEnv /var/trac/test
    PythonOption TracUriRoot /trac
</Location>

<Location "/trac/login">
  AuthName "EDIT Trac"
  AuthType Basic

  AuthBasicAuthoritative off
  AuthMySQLAuthoritative on

  AuthMySQLHost 192.168.2.10
  AuthMySQLUser xxx
  AuthMySQLPassword xxx
  AuthMySQLDB drupal5
  AuthMySQLUserTable _shared_users
  AuthMySQLNameField name
  AuthMySQLPasswordField pass
  AuthMySQLPwEncryption md5

  Require valid-user
</Location>