ApacheMySQLAuthentication » History » Version 6
Lutz Suhrbier, 08/12/2007 03:06 PM
1 | 1 | Lutz Suhrbier | |
---|---|---|---|
2 | 6 | Lutz Suhrbier | # Apache [[MySQL]] Authentication for Debian Etch |
3 | 1 | Lutz Suhrbier | |
4 | 6 | Lutz Suhrbier | This how-to describes the setup of redirecting the authentication of the Apache Web Server to a [[MySQL]] Database for Debian Etch. |
5 | 3 | Lutz Suhrbier | |
6 | 1 | Lutz Suhrbier | |
7 | 6 | Lutz Suhrbier | Usually, this is done by Apache's _auth-mysql_ module. But, the relating Debian package _libapache2-mod-auth-myaql_ is currently not maintained and therefore not in the stable release (http://packages.qa.debian.org/liba/libapache-mod-auth-mysql.html). |
8 | |||
9 | |||
10 | There are two possible solutions: |
||
11 | |||
12 | * Using [[MySQL]] authentication via PAM |
||
13 | |||
14 | * Compiling the Apache module _auth-mysql_ |
||
15 | |||
16 | |||
17 | Debian recommends to use PAM->MySQL authentication. It works fine, but the current Debian package does not support (non-crypt) MD5-password storage. |
||
18 | |||
19 | |||
20 | Thus, finally self-compiling the auth-mysql module appears to be the best solution. But, we have to pay attention to possible security advices concerning the module. |
||
21 | |||
22 | |||
23 | |||
24 | 1 | Lutz Suhrbier | ## PAM-MySQL Authentication |
25 | 3 | Lutz Suhrbier | |
26 | 6 | Lutz Suhrbier | The recommended Debian way is to use the packages libapache2-mod-auth-pam and libpam-mysql instead. |
27 | 3 | Lutz Suhrbier | |
28 | ~~~ |
||
29 | 1 | Lutz Suhrbier | # apt-get install libapache2-mod-auth-pam libpam-mysql |
30 | ~~~ |
||
31 | |||
32 | 6 | Lutz Suhrbier | The usage of the PAM authentication module has to be configured in Apache2. To use [[MySQL]] authentication with our [[ShibbolethIdPInstallDebianEtch|IdP configuration]], we change the shibboleth authentication location in the idp configuration script as follows: |
33 | 1 | Lutz Suhrbier | |
34 | ~~~ |
||
35 | 6 | Lutz Suhrbier | <Location /shibboleth-idp/SSO> |
36 | AuthPAM_Enabled on |
||
37 | AuthPAM_FallThrough off |
||
38 | AuthUserFile /dev/null |
||
39 | AuthBasicAuthoritative Off |
||
40 | 5 | Lutz Suhrbier | AuthName "Shibboleth IdP" |
41 | 1 | Lutz Suhrbier | AuthType Basic |
42 | require valid-user |
||
43 | </Location> |
||
44 | ~~~ |
||
45 | 3 | Lutz Suhrbier | |
46 | 6 | Lutz Suhrbier | With regard to the security advice of the file "/usr/share/doc/libapache2-mod-auth-pam/README.Debian" |
47 | 1 | Lutz Suhrbier | |
48 | 3 | Lutz Suhrbier | ~~~ |
49 | 6 | Lutz Suhrbier | SECURITY |
50 | 3 | Lutz Suhrbier | |
51 | To use with standard Debian configuration you have to add "www-data" user to |
||
52 | "shadow" group. Be careful! It means it can be readable by anyone who can run |
||
53 | its own CGI script! |
||
54 | |||
55 | The passwords are sent by net as clear text. You should use SSL to protect |
||
56 | them. |
||
57 | 6 | Lutz Suhrbier | ~~~ |
58 | we should add the user www-data to the shadow group. |
||
59 | 3 | Lutz Suhrbier | |
60 | 6 | Lutz Suhrbier | ~~~ |
61 | # adduser www-data shadow |
||
62 | ~~~ |
||
63 | 3 | Lutz Suhrbier | |
64 | 6 | Lutz Suhrbier | Next, we have to configure the PAM-MySQL module for Apache2. |
65 | 3 | Lutz Suhrbier | |
66 | 6 | Lutz Suhrbier | Edit _/etc/pam.d/apache2_, add the following line setting the values such as they match your configuration |
67 | 3 | Lutz Suhrbier | |
68 | ~~~ |
||
69 | 6 | Lutz Suhrbier | account required pam_mysql.so user=webadmin passwd=secret host=160.45.63.30 db=drupal5 table=_shared_users usercolumn=name passwdcolumn=pass crypt=1 |
70 | 3 | Lutz Suhrbier | ~~~ |
71 | 6 | Lutz Suhrbier | More detailed information about the possible values can be retrieved reading _/usr/share/doc/libpam-mysql/README.gz_ |
72 | 3 | Lutz Suhrbier | |
73 | 6 | Lutz Suhrbier | ~~~ |
74 | # zless /usr/share/doc/libpam-mysql/README.gz |
||
75 | ~~~ |
||
76 | |||
77 | 3 | Lutz Suhrbier | Finally, restart apache2 and see if it works. |
78 | 2 | Lutz Suhrbier | |
79 | 1 | Lutz Suhrbier | |
80 | |||
81 | |||
82 | 6 | Lutz Suhrbier | ## Compiling and Installing Apache's _auth-myaql_ module |
83 | 1 | Lutz Suhrbier | |
84 | |||
85 | ~~~ |
||
86 | apt-get install apache2-prefork-dev apache2-prefork-dev |
||
87 | 155 apt-get -f install |
||
88 | 156 apt-get -f install |
||
89 | 157 apt-get install apache2-prefork-dev apache2-prefork-dev |
||
90 | 158 cd /usr/src/ |
||
91 | 159 mkdir auth_mysql |
||
92 | 160 cd auth_mysql/ |
||
93 | 161 wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/mod_auth_mysql-3.0.0.tar.gz |
||
94 | 162 tar xzf mod_auth_mysql-3.0.0.tar.gz |
||
95 | 163 ls |
||
96 | 164 wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/patch/apache2.2.diff |
||
97 | 165 mv apache2.2.diff mod_auth_mysql-3.0.0/ |
||
98 | 166 cd mod_auth_mysql-3.0.0 |
||
99 | 167 patch -p0 < apache2.2.diff mod_auth_mysql.c |
||
100 | 168 apt-get install patch |
||
101 | 169 patch -p0 < apache2.2.diff mod_auth_mysql.c |
||
102 | 170 apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c |
||
103 | 171 apt-get install build-essentials |
||
104 | 172 apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c |
||
105 | 173 apt-get install gcc |
||
106 | 174 apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c |
||
107 | 175 apt-get install libmysqlclient15-dev |
||
108 | 176 apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c |
||
109 | 177 apxs2 -i mod_auth_mysql.la |
||
110 | 2 | Lutz Suhrbier | 178 echo "LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so" > /etc/apache2/mods-available/auth_mysql.load |
111 | 1 | Lutz Suhrbier | 179 a2enmod auth_mysql |
112 | 180 /etc/init.d/apache2 force-reload |
||
113 | 181 /etc/init.d/apache2 force-reload |
||
114 | 182 less /var/log/apache2/access.log |
||
115 | 183 less /var/log/apache2/error.log |
||
116 | 184 less /var/log/auth.log |
||
117 | ~~~ |