ApacheMySQLAuthentication » History » Version 7
Lutz Suhrbier, 08/12/2007 03:26 PM
| 1 | 1 | Lutz Suhrbier | |
|---|---|---|---|
| 2 | 6 | Lutz Suhrbier | # Apache [[MySQL]] Authentication for Debian Etch |
| 3 | 1 | Lutz Suhrbier | |
| 4 | 6 | Lutz Suhrbier | This how-to describes the setup of redirecting the authentication of the Apache Web Server to a [[MySQL]] Database for Debian Etch. |
| 5 | 3 | Lutz Suhrbier | |
| 6 | 1 | Lutz Suhrbier | |
| 7 | 6 | Lutz Suhrbier | Usually, this is done by Apache's _auth-mysql_ module. But, the relating Debian package _libapache2-mod-auth-myaql_ is currently not maintained and therefore not in the stable release (http://packages.qa.debian.org/liba/libapache-mod-auth-mysql.html). |
| 8 | |||
| 9 | |||
| 10 | There are two possible solutions: |
||
| 11 | |||
| 12 | * Using [[MySQL]] authentication via PAM |
||
| 13 | |||
| 14 | * Compiling the Apache module _auth-mysql_ |
||
| 15 | |||
| 16 | |||
| 17 | Debian recommends to use PAM->MySQL authentication. It works fine, but the current Debian package does not support (non-crypt) MD5-password storage. |
||
| 18 | |||
| 19 | |||
| 20 | Thus, finally self-compiling the auth-mysql module appears to be the best solution. But, we have to pay attention to possible security advices concerning the module. |
||
| 21 | |||
| 22 | |||
| 23 | |||
| 24 | 1 | Lutz Suhrbier | ## PAM-MySQL Authentication |
| 25 | 3 | Lutz Suhrbier | |
| 26 | 6 | Lutz Suhrbier | The recommended Debian way is to use the packages libapache2-mod-auth-pam and libpam-mysql instead. |
| 27 | 3 | Lutz Suhrbier | |
| 28 | ~~~ |
||
| 29 | 1 | Lutz Suhrbier | # apt-get install libapache2-mod-auth-pam libpam-mysql |
| 30 | ~~~ |
||
| 31 | |||
| 32 | 6 | Lutz Suhrbier | The usage of the PAM authentication module has to be configured in Apache2. To use [[MySQL]] authentication with our [[ShibbolethIdPInstallDebianEtch|IdP configuration]], we change the shibboleth authentication location in the idp configuration script as follows: |
| 33 | 1 | Lutz Suhrbier | |
| 34 | ~~~ |
||
| 35 | 6 | Lutz Suhrbier | <Location /shibboleth-idp/SSO> |
| 36 | AuthPAM_Enabled on |
||
| 37 | AuthPAM_FallThrough off |
||
| 38 | AuthUserFile /dev/null |
||
| 39 | AuthBasicAuthoritative Off |
||
| 40 | 5 | Lutz Suhrbier | AuthName "Shibboleth IdP" |
| 41 | 1 | Lutz Suhrbier | AuthType Basic |
| 42 | require valid-user |
||
| 43 | </Location> |
||
| 44 | ~~~ |
||
| 45 | 3 | Lutz Suhrbier | |
| 46 | 6 | Lutz Suhrbier | With regard to the security advice of the file "/usr/share/doc/libapache2-mod-auth-pam/README.Debian" |
| 47 | 1 | Lutz Suhrbier | |
| 48 | 3 | Lutz Suhrbier | ~~~ |
| 49 | 6 | Lutz Suhrbier | SECURITY |
| 50 | 3 | Lutz Suhrbier | |
| 51 | To use with standard Debian configuration you have to add "www-data" user to |
||
| 52 | "shadow" group. Be careful! It means it can be readable by anyone who can run |
||
| 53 | its own CGI script! |
||
| 54 | |||
| 55 | The passwords are sent by net as clear text. You should use SSL to protect |
||
| 56 | them. |
||
| 57 | 6 | Lutz Suhrbier | ~~~ |
| 58 | we should add the user www-data to the shadow group. |
||
| 59 | 3 | Lutz Suhrbier | |
| 60 | 6 | Lutz Suhrbier | ~~~ |
| 61 | # adduser www-data shadow |
||
| 62 | ~~~ |
||
| 63 | 3 | Lutz Suhrbier | |
| 64 | 6 | Lutz Suhrbier | Next, we have to configure the PAM-MySQL module for Apache2. |
| 65 | 3 | Lutz Suhrbier | |
| 66 | 6 | Lutz Suhrbier | Edit _/etc/pam.d/apache2_, add the following line setting the values such as they match your configuration |
| 67 | 3 | Lutz Suhrbier | |
| 68 | ~~~ |
||
| 69 | 6 | Lutz Suhrbier | account required pam_mysql.so user=webadmin passwd=secret host=160.45.63.30 db=drupal5 table=_shared_users usercolumn=name passwdcolumn=pass crypt=1 |
| 70 | 3 | Lutz Suhrbier | ~~~ |
| 71 | 6 | Lutz Suhrbier | More detailed information about the possible values can be retrieved reading _/usr/share/doc/libpam-mysql/README.gz_ |
| 72 | 3 | Lutz Suhrbier | |
| 73 | 6 | Lutz Suhrbier | ~~~ |
| 74 | # zless /usr/share/doc/libpam-mysql/README.gz |
||
| 75 | ~~~ |
||
| 76 | |||
| 77 | 3 | Lutz Suhrbier | Finally, restart apache2 and see if it works. |
| 78 | 2 | Lutz Suhrbier | |
| 79 | 1 | Lutz Suhrbier | |
| 80 | |||
| 81 | |||
| 82 | 6 | Lutz Suhrbier | ## Compiling and Installing Apache's _auth-myaql_ module |
| 83 | 1 | Lutz Suhrbier | |
| 84 | 7 | Lutz Suhrbier | Regarding this objective, we mainly rely on the following documentation http://forum.nuxwin.com/index.php/topic,736.msg3590.html#msg3590 (in french). |
| 85 | 1 | Lutz Suhrbier | |
| 86 | 7 | Lutz Suhrbier | |
| 87 | We need to install the following packages in order to compile and install the module: |
||
| 88 | |||
| 89 | 1 | Lutz Suhrbier | ~~~ |
| 90 | 7 | Lutz Suhrbier | apt-get install apache2-prefork-dev libmysqlclient15-dev gcc patch |
| 91 | 1 | Lutz Suhrbier | ~~~ |
| 92 | 7 | Lutz Suhrbier | |
| 93 | Create the directory _/usr/src/auth_mysql_ and change to it: |
||
| 94 | |||
| 95 | ~~~ |
||
| 96 | # mkdir /usr/src/auth_mysql |
||
| 97 | # cd /usr/src/auth_mysql |
||
| 98 | ~~~ |
||
| 99 | |||
| 100 | Download the module's source files and the relating patch for Apache 2.2 |
||
| 101 | |||
| 102 | ~~~ |
||
| 103 | # wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/mod_auth_mysql-3.0.0.tar.gz |
||
| 104 | # wget http://download.nuxwin.com/apache2.2-modules/auth_mysql/patch/apache2.2.diff |
||
| 105 | ~~~ |
||
| 106 | |||
| 107 | Unpack the sources and apply the patch file to the sources: |
||
| 108 | |||
| 109 | ~~~ |
||
| 110 | tar xzf mod_auth_mysql-3.0.0.tar.gz |
||
| 111 | # cp apache2.2.diff mod_auth_mysql-3.0.0/ |
||
| 112 | # cd mod_auth_mysql-3.0.0 |
||
| 113 | # patch -p0 < apache2.2.diff mod_auth_mysql.c |
||
| 114 | ~~~ |
||
| 115 | |||
| 116 | Compiling the module and check the output produced: |
||
| 117 | |||
| 118 | ~~~ |
||
| 119 | # apxs2 -c -L/usr/lib/mysql -I/usr/include/mysql -lmysqlclient -lm -lz mod_auth_mysql.c |
||
| 120 | |||
| 121 | /usr/share/apr-1.0/build/libtool --silent --mode=compile --tag=disable-static i486-linux-gnu-gcc -prefer-pic -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -DLINUX=2 -D_REENTRANT -I/usr/include/apr-1.0 -I/usr/include/openssl -I/usr/include/postgresql -I/usr/include/xmltok -pthread -I/usr/include/apache2 -I/usr/include/apr-1.0 -I/usr/include/apr-1.0 -I/usr/include/postgresql -I/usr/include/mysql -c -o mod_auth_mysql.lo mod_auth_mysql.c && touch mod_auth_mysql.slo |
||
| 122 | /usr/share/apr-1.0/build/libtool --silent --mode=link --tag=disable-static i486-linux-gnu-gcc -o mod_auth_mysql.la -L/usr/lib/mysql -lmysqlclient -lm -lz -rpath /usr/lib/apache2/modules -module -avoid-version mod_auth_mysql.lo |
||
| 123 | ~~~ |
||
| 124 | |||
| 125 | Install the module and check the output produced: |
||
| 126 | |||
| 127 | @-LLIBDIR' |
||
| 128 | |||
| 129 | flag during linking and do at least one of the following: |
||
| 130 | |||
| 131 | - add LIBDIR to the @ |
||
| 132 | |||
| 133 | |||
| 134 | Create the module's load configuration file: |
||
| 135 | |||
| 136 | ~~~ |
||
| 137 | # echo "LoadModule mysql_auth_module /usr/lib/apache2/modules/mod_auth_mysql.so" > /etc/apache2/mods-available/auth_mysql.load |
||
| 138 | ~~~ |
||
| 139 | |||
| 140 | Enable the module and restart apache2: |
||
| 141 | |||
| 142 | ~~~ |
||
| 143 | # a2enmod auth_mysql |
||
| 144 | # /etc/init.d/apache2 force-reload |
||
| 145 | ~~~ |
||
| 146 | |||
| 147 | You can check your configuration observing the following log-files |
||
| 148 | |||
| 149 | * /var/log/apache2/access.log |
||
| 150 | |||
| 151 | * /var/log/apache2/error.log |
||
| 152 | |||
| 153 | * /var/log/auth.log |