Markus Döring, 08/21/2007 06:08 PM
Apache MySQL Authentication for Debian Etch
This how-to describes how to redirect authentication of the Apache Web Server to a MySQL database on Debian Etch.
Usually, this is done by Apache's auth-mysql module. However, the corresponding Debian package libapache2-mod-auth-mysql is currently not maintained and therefore not in the stable release (http://packages.qa.debian.org/liba/libapache-mod-auth-mysql.html).
There are two possible solutions:
Using MySQL authentication via PAM
Compiling the Apache module auth-mysql
Debian recommends using PAM->MySQL authentication. It works fine, but the current Debian package does not support (non-crypt) MD5 password storage.
Thus, compiling the auth-mysql module ourselves appears to be the best solution. However, we have to pay attention to any security advisories concerning the module.
PAM-MySQL Authentication
The recommended Debian way is to use the packages libapache2-mod-auth-pam and libpam-mysql instead.
# apt-get install libapache2-mod-auth-pam libpam-mysql
The use of the PAM authentication module has to be configured in Apache2. To use MySQL authentication with our IdP configuration, we change the Shibboleth authentication location in the IdP configuration script as follows:
<Location /shibboleth-idp/SSO>
    AuthPAM_Enabled on
    AuthPAM_FallThrough off
    AuthUserFile /dev/null
    AuthBasicAuthoritative Off
    AuthName "Shibboleth IdP"
    AuthType Basic
    require valid-user
</Location>
With regard to the security advice of the file "/usr/share/doc/libapache2-mod-auth-pam/README.Debian"
SECURITY To use with standard Debian configuration you have to add "www-data" user to "shadow" group. Be careful! It means it can be readable by anyone who can run its own CGI script! The passwords are sent by net as clear text. You should use SSL to protect them.
we should add the user www-data to the shadow group.
# adduser www-data shadow
Next, we have to configure the PAM-MySQL module for Apache2.
Edit /etc/pam.d/apache2 and add the following line, setting the values so that they match your configuration:
auth sufficient pam_mysql.so verbose=1 user=webuser passwd= host=160.45.63.30 db=drupal5 table=drupal5._shared_users usercolumn=drupal5._shared_users.name passwdcolumn=drupal5._shared_users.pass crypt=3
More detailed information about the possible values can be found in /usr/share/doc/libpam-mysql/README.gz
# zless /usr/share/doc/libpam-mysql/README.gz
Finally, restart apache2 and see if it works.
Compiling and Installing Apache's auth-mysql module
For this, we mainly rely on the following documentation: http://forum.nuxwin.com/index.php/topic,736.msg3590.html#msg3590 (in French).
We need to install the following packages in order to compile and install the module:
# apt-get install apache2-prefork-dev libmysqlclient15-dev gcc patch
Create the directory /usr/src/auth_mysql and change to it:
# mkdir /usr/src/auth_mysql
# cd /usr/src/auth_mysql
Download the module's source files and the corresponding patch for Apache 2.2:
# wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/mod_auth_mysql-3.0.0.tar.gz
# wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/patch/apache2.2.diff
Unpack the sources and apply the patch file to the sources:
# tar xzf mod_auth_mysql-3.0.0.tar.gz
# cp apache2.2.diff mod_auth_mysql-3.0.0/
# cd mod_auth_mysql-3.0.0
# patch -p0 < apache2.2.diff mod_auth_mysql.c
Compile the module and check the output produced:
# apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c
/usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DLINUX=2 -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/postgresql -I/usr/include/mysql -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo
/usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static i486-linux-gnu-gcc -o mod_auth_mysql.la -L/usr/lib/mysql -lmysqlclient -lm -lz -rpath /usr/lib/apache2/modules -module -avoid-version mod_auth_mysql.lo
Install the module and check the output produced:
@-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the @
Create the module's load configuration file:
# echo "LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so" > /etc/apache2/mods-available/auth_mysql.load
Enable the module and restart apache2:
# a2enmod auth_mysql
# /etc/init.d/apache2 force-reload
You can check your configuration by watching the following log files:
/var/log/apache2/access.log
/var/log/apache2/error.log
/var/log/auth.log
Subversion w/ mod_auth_mysql
Configure Apache to use mod_auth_mysql for subversion:
httpd.conf
<VirtualHost *>
    DAV svn
    SVNPath /var/lib/svn/edit
    SVNIndexXSLT /svnindex/svnindex.xsl
    AuthType Basic
    AuthName "EDIT SUbversion"
    # how to authenticate a user
    AuthBasicAuthoritative Off
    AuthMySQLHost 192.168.2.10
    AuthMySQLUser subversion
    AuthMySQLPassword XXX
    AuthMySQLDB drupal5
    AuthMySQLUserTable _shared_users
    AuthMySQLNameField name
    AuthMySQLPasswordField pass
    AuthMySQLPwEncryption md5
    AuthzSVNAccessFile /var/lib/svn/access.conf
    # For any operations other than these, require an authenticated user.
    <LimitExcept GET PROPFIND OPTIONS REPORT>
        Require group edit
    </LimitExcept>
</VirtualHost>
Trac w/ mod_auth_mysql
Configure Apache to use mod_auth_mysql for Trac:
httpd.conf
AuthName "EDIT Trac"
AuthType Basic
AuthBasicAuthoritative off
AuthMySQLAuthoritative on
AuthMySQLHost 192.168.2.10
AuthMySQLUser xxx
AuthMySQLPassword xxx
AuthMySQLDB drupal5
AuthMySQLUserTable _shared_users
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption md5
Require valid-user
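The following is an added example, not part of the original how-to or of mod_auth_mysql: a small checker that reads an auth block like the two above and reports the settings a reviewer would question (Basic auth without SSLRequireSSL, the md5 password setting, a world-readable file holding AuthMySQLPassword, a non-local database host). The function names and finding codes are hypothetical, and the file mode is passed in by the caller.

```python
import stat

# Constructed input: the Trac block from this page, credentials left as placeholders.
SAMPLE = """\
AuthName "EDIT Trac"
AuthType Basic
AuthBasicAuthoritative off
AuthMySQLAuthoritative on
AuthMySQLHost 192.168.2.10
AuthMySQLUser xxx
AuthMySQLPassword xxx
AuthMySQLDB drupal5
AuthMySQLUserTable _shared_users
AuthMySQLNameField name
AuthMySQLPasswordField pass
AuthMySQLPwEncryption md5
Require valid-user
"""

def parse_directives(text):
    """Map lowercased directive name -> argument (comments and <Section> tags skipped)."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        name, _, arg = line.partition(" ")
        directives[name.lower()] = arg.strip().strip('"')
    return directives

def audit(text, file_mode=None):
    """Return finding codes (hypothetical names); file_mode is the config file's st_mode."""
    d = parse_directives(text)
    findings = []
    # Basic auth re-sends the password, only base64-encoded, with every request.
    if d.get("authtype", "").lower() == "basic" and "sslrequiressl" not in d:
        findings.append("basic-auth-without-sslrequiressl")
    # md5 is an unsalted fast hash; none means a plaintext password column.
    if d.get("authmysqlpwencryption", "").lower() in ("md5", "none"):
        findings.append("weak-password-storage")
    # The database credential sits in the config file itself.
    if "authmysqlpassword" in d and file_mode is not None and file_mode & stat.S_IROTH:
        findings.append("db-password-world-readable")
    # A non-local host means the password-hash lookup crosses the network.
    host = d.get("authmysqlhost")
    if host and host not in ("localhost", "127.0.0.1", "::1"):
        findings.append("db-on-remote-host")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE, 0o644)))
```

To check a real file, pass its contents and os.stat(path).st_mode; on the Trac block with mode 0644 all four findings are reported.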
Updated by Markus Döring over 16 years ago · 11 revisions