Tom Donovan wrote:
Phil Endecott wrote:
Dear Experts,

I'm setting up mod_authn_dbd for the first time (having previously used the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the passwords should be encoded in the database. The docs at http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:

"The query must take a single string (typically SQL varchar) argument (username), and return a single value (encrypted password)."

Do I have a choice of encryption formats? How do I tell it which format I have used? (Is there some more documentation somewhere that I have missed?)

There are four formats that Apache recognizes for passwords. Note that not all four work on every platform:

1. PLAIN TEXT (i.e. unencrypted) passwords: Windows, BEOS, & Netware only.
2. CRYPT passwords: Unix only. Calls the Unix crypt(3) function with a randomly-generated 32-bit salt and the password.
3. SHA1 passwords: "{SHA}" + Base64-encoded SHA-1 digest of the password.
4. MD5 passwords: "$apr1$" + the result of an Apache-specific algorithm using an iterated (1,000 times) MD5 digest of various combinations of a randomly-generated 32-bit salt and the password. See source file apr-util/crypto/apr_md5.c for the details of the algorithm.
Thanks Tom. I now have it working, something like this:

# You need the pgcrypto contrib package to get SHA1:
apt-get install postgresql-contrib
su postgres
psql -f /usr/share/postgresql/8.2/contrib/pgcrypto.sql

# Configure DBD in the virtualhost:
DBDriver pgsql
DBDParams "dbname=secret user=secret"

<whinge>
The Apache docs could list the available tokens for the parameter string, or at least link to http://www.postgresql.org/docs/8.2/static/libpq-connect.html. I had mis-remembered it and wrote "db=secret", which caused the following utterly useless error message:

[Sat Aug 18 19:17:17 2007] [error] [client 8.6.8.19] Error looking up foo in database

Does libpq really not return any more useful error information that could be included here? What does PQerrorMessage return?
</whinge>

# Set up the query to return the SHA1 of the password:
AuthDBDUserPWQuery "select '{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64') from users where username=$1"

<another whinge>
I could query why I'm not allowed to use plain text or base64 passwords. Like very many low-security sites I store passwords in a form that allows me to implement a "forgotten your password? click here and we'll email it to you" feature. But I suspect that it's the sort of question that would trigger some strong opinions, and I don't want to annoy anyone because I think I'll have some more questions for you all soon...
</another whinge>

# The rest of the configuration:
AuthName "secret"
AuthType basic
AuthBasicProvider dbd
require valid-user

..and now it seems to work.

Joshua wrote:
How about making a page on wiki.apache.org/httpd/ for that?
The information that Tom supplied really ought to be in the main docs. Is there a migration route from the wiki to the main documentation?

Laurent wrote:
My only advice is to not use it as it doesn't work :-(
Well it seems to be working for me, so far. In your bug report you wrote:
According to PostgreSQL log, it seems the connection hasn't a "working" status (expired ?)
Have you set up postgres to time out connections? If you have, try disabling that.

Regards, Phil.
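
Added example, not part of the original message and not Apache's or the poster's code: a Python mirror of the "{SHA}" value that the AuthDBDUserPWQuery above returns from the password_b64 column, with a prefix check for the formats Tom lists and an audit helper showing that the unsalted "{SHA}" format gives identical stored values for identical passwords. The function names and the sample rows are constructed for illustration.

```python
import base64
import hashlib
import hmac

def apache_sha(password: bytes) -> str:
    """Format 3 in Tom's list: "{SHA}" + Base64 of the SHA-1 digest."""
    digest = hashlib.sha1(password).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")

def from_b64_column(password_b64: str) -> str:
    """Mirror of the SQL in AuthDBDUserPWQuery:
    '{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64')"""
    return apache_sha(base64.b64decode(password_b64))

def classify(stored: str) -> str:
    """Identify the format by prefix; the other two carry no marker."""
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    return "crypt-or-plain"  # which one applies depends on the platform

def verify(stored: str, candidate: bytes) -> bool:
    """Check a candidate password against a {SHA} value."""
    if classify(stored) != "sha1":
        raise ValueError("this example only handles the {SHA} format")
    return hmac.compare_digest(stored, apache_sha(candidate))

def shared_hashes(rows: dict) -> list:
    """{SHA} has no salt, so equal passwords give equal stored values.
    Return the groups of usernames whose query result is identical."""
    groups = {}
    for user, b64 in rows.items():
        groups.setdefault(from_b64_column(b64), []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data: username -> password_b64 column value.
ROWS = {
    "alice": base64.b64encode(b"correct horse").decode("ascii"),
    "bob": base64.b64encode(b"correct horse").decode("ascii"),
    "carol": base64.b64encode(b"battery staple").decode("ascii"),
}

if __name__ == "__main__":
    for user, b64 in ROWS.items():
        print(user, from_b64_column(b64))
    print("same value:", shared_hashes(ROWS))
```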