ApacheMySQLAuthentication » History » Version 6

Lutz Suhrbier, 08/12/2007 03:06 PM

# Apache [[MySQL]] Authentication for Debian Etch

This how-to describes how to redirect the authentication of the Apache Web Server to a [[MySQL]] database on Debian Etch.

Usually, this is done by Apache's _auth-mysql_ module. However, the corresponding Debian package _libapache2-mod-auth-mysql_ is currently not maintained and therefore not in the stable release (http://packages.qa.debian.org/liba/libapache-mod-auth-mysql.html).

There are two possible solutions:

* Using [[MySQL]] authentication via PAM
* Compiling the Apache module _auth-mysql_

Debian recommends using PAM->MySQL authentication. It works fine, but the current Debian package does not support (non-crypt) MD5 password storage.

Thus, compiling the auth-mysql module ourselves appears to be the best solution. However, we have to pay attention to any security advisories concerning the module.

## PAM-MySQL Authentication

The recommended Debian way is to use the packages libapache2-mod-auth-pam and libpam-mysql instead.

~~~
# apt-get install libapache2-mod-auth-pam libpam-mysql
~~~

The use of the PAM authentication module has to be configured in Apache2. To use [[MySQL]] authentication with our [[ShibbolethIdPInstallDebianEtch|IdP configuration]], we change the Shibboleth authentication location in the IdP configuration script as follows:

~~~
  <Location /shibboleth-idp/SSO>
    # Authenticate through PAM (service file /etc/pam.d/apache2)
    AuthPAM_Enabled        on
    # Do not hand the request to other modules when PAM rejects it
    AuthPAM_FallThrough    off
    # No flat password file is used
    AuthUserFile           /dev/null
    AuthBasicAuthoritative Off
    AuthName               "Shibboleth IdP"
    AuthType               Basic
    require                valid-user
  </Location>
~~~

The file _/usr/share/doc/libapache2-mod-auth-pam/README.Debian_ contains the following security advice:

~~~
SECURITY

  To use with standard Debian configuration you have to add "www-data" user to
  "shadow" group. Be careful! It means it can be readable by anyone who can run
  its own CGI script!

  The passwords are sent by net as clear text. You should use SSL to protect
  them.
~~~

Following this advice, we add the user www-data to the shadow group.

~~~
# adduser www-data shadow
~~~

Next, we have to configure the PAM-MySQL module for Apache2.

Edit _/etc/pam.d/apache2_ and add the following line, setting the values so that they match your configuration:

~~~
account required pam_mysql.so user=webadmin passwd=secret host=160.45.63.30 db=drupal5 table=_shared_users usercolumn=name passwdcolumn=pass crypt=1
~~~

More detailed information about the possible values can be found in _/usr/share/doc/libpam-mysql/README.gz_:

~~~
# zless /usr/share/doc/libpam-mysql/README.gz
~~~

Finally, restart apache2 and see if it works.
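
A check for the _/etc/pam.d/apache2_ setup above, as an added example that is not part of the original how-to: the shell function `audit_pam_mysql` (a hypothetical name) flags a world-readable file that carries `passwd=` and a `pam_mysql.so` line with no `crypt=` option or with `crypt=0`. It assumes the file is meant to be owned by `root:www-data` with mode 640, because PAM runs inside the Apache process; the sample file is constructed from the line shown on this page.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PAM service file that
# uses pam_mysql. Prints findings; the return status is the number of findings.
audit_pam_mysql() {
    file=$1
    findings=0
    # Active (non-comment) lines that load pam_mysql.so; none means nothing to audit.
    lines=$(grep -v '^[[:space:]]*#' "$file" | grep 'pam_mysql\.so') || return 0

    # passwd= holds the database password in clear text. The Apache user must
    # be able to read the file, but no other account should (assumed target:
    # chown root:www-data, chmod 640).
    mode=$(ls -ld -- "$file" | cut -c1-10)
    if printf '%s\n' "$lines" | grep -q 'passwd='; then
        case $mode in
            ???????r*)
                echo "WARN: $file is $mode; passwd= is world-readable"
                findings=$((findings + 1)) ;;
        esac
    fi

    # crypt=0 makes pam_mysql compare against plaintext passwords in the table.
    # The matching line is not echoed, so the audit output never repeats passwd=.
    while IFS= read -r line; do
        crypt=$(printf '%s\n' "$line" |
            sed -n 's/.*[[:space:]]crypt=\([^[:space:]]*\).*/\1/p')
        case $crypt in
            '') echo "WARN: pam_mysql line without an explicit crypt= option"
                findings=$((findings + 1)) ;;
            0)  echo "WARN: pam_mysql line with crypt=0 (plaintext passwords)"
                findings=$((findings + 1)) ;;
        esac
    done <<EOF
$lines
EOF
    return "$findings"
}

# Constructed sample: the line from this page in a world-readable file.
sample=$(mktemp)
echo 'account required pam_mysql.so user=webadmin passwd=secret host=160.45.63.30 db=drupal5 table=_shared_users usercolumn=name passwdcolumn=pass crypt=1' > "$sample"
chmod 644 "$sample"
audit_pam_mysql "$sample" || echo "findings: $?"
rm -f "$sample"
```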

## Compiling and Installing Apache's _auth-mysql_ module

~~~
# Build prerequisites
apt-get install apache2-prefork-dev build-essential gcc patch libmysqlclient15-dev
# Repair unmet dependencies if the installation above was interrupted
apt-get -f install

# Fetch the module source and its Apache 2.2 patch.
# Both come over plain HTTP from a third-party site: review them before building.
cd /usr/src/
mkdir auth_mysql
cd auth_mysql/
wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/mod_auth_mysql-3.0.0.tar.gz
tar xzf mod_auth_mysql-3.0.0.tar.gz
wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/patch/apache2.2.diff
mv apache2.2.diff mod_auth_mysql-3.0.0/
cd mod_auth_mysql-3.0.0
patch -p0 < apache2.2.diff mod_auth_mysql.c

# Compile against the MySQL client library and install the module
apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c
apxs2 -i mod_auth_mysql.la

# Enable the module and reload Apache
echo "LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so" > /etc/apache2/mods-available/auth_mysql.load
a2enmod auth_mysql
/etc/init.d/apache2 force-reload

# Check the logs for errors
less /var/log/apache2/access.log
less /var/log/apache2/error.log
less /var/log/auth.log
~~~