Apache Module mod_auth_pg

This module provides user authentication and logging for Apache via a PostgreSQL database. It was rewritten from mod_auth_pgsql (thanks to Giuseppe Tanzilli; I do not know Apache well enough to write a module from scratch quickly, and have no time to learn Apache). Compared with mod_auth_pgsql, mod_auth_pg is reduced in size and complexity and provides far more functionality.

mod_auth_pg collects the context (if one exists), the login and password as provided by the user, the caller's IP, the URI, QUERY_STRING and the protocol, and calls the configured PostgreSQL function to get a value. The user is not authorised if this value is NULL; otherwise the module places the value in the CREDENTIALS environment variable for use in CGI or SSI.

The downside of this authorisation module is that passwords are transmitted to the database, so the channel between Apache and PostgreSQL must be as secure as Apache itself.

All logic is coded in PostgreSQL. This can include creating users "on the fly", user tracking, credentials dependent on IP, logging and much more.

This page documents version 0.10 (2002-12-29) of mod_auth_pg

Directives


Auth_PG_host

Syntax: Auth_PG_host hostname
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the host on which the postmaster is running. The effective uid of the server should be allowed access.

Auth_PG_port

Syntax: Auth_PG_port port number
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the TCP/IP port number at which the postmaster can be found.

Auth_PG_options

Syntax: Auth_PG_options option string
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies an option string to be passed to the PostgreSQL backend process. Refer to the PostgreSQL user manual for a description of the available options.

Auth_PG_database

Syntax: Auth_PG_database database name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the name of the database that stores the authentication information.

Auth_PG_user

Syntax: Auth_PG_user username
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the database username used to access PostgreSQL; this user should have execute access on Auth_PG_function. Needed if the user who makes the query is different from the user running Apache, or if the postmaster is on a different server and does not use identd.

Auth_PG_pwd

Syntax: Auth_PG_pwd password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the password for the user who accesses PostgreSQL, if needed.

Auth_PG_function

Syntax: Auth_PG_function function name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Gives the name of the function which calculates credentials and returns NULL if access is forbidden. This function can log accesses if needed.

Auth_PG_context

Syntax: Auth_PG_context context name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Gives the name of the context. Used to serve independent authentication entries.

Auth_PG_finish

Syntax: Auth_PG_finish uri
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

If configured, the connection is not dropped until the configured URI is requested. Usually the URI of the footer triggers the drop of the connection to PostgreSQL.

Auth_PG_authoritative

Syntax: Auth_PG_authoritative on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

This option is on by default. Turning it off will cause low-level errors, such as a user not being found or a simple configuration error, to fall through to other authentication directives which may be defined for this area. For example, if a parent directory has another authorization scheme and a user name is not found for the PostgreSQL scheme, the parent directory scheme will be given the chance to try and authenticate the user. Exercise caution when turning this option off. It can be a security risk. It can be used to apply two authentication schemes to the same directory.

Example

Here is an example .htaccess file you might use to enable PostgreSQL authentication:
          PostgreSQL trusted user:

          AuthName "My PostgreSQL Authenticator"
          AuthType basic

          Auth_PG_function valid_users
          Auth_PG_context staff

          <LIMIT GET POST>
              require valid-user
          </LIMIT>
        
You can add
          Auth_PG_host localhost
          Auth_PG_port 5432
          Auth_PG_user postgres
          Auth_PG_database www
        
if the defaults do not work.

Example of an SQL function to authenticate:
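          -- One row per authentication attempt; the password is not logged.
          CREATE TABLE log_table
               ( context            name
               , login              name
               , IP_addr            inet
               , URI                text
               , query_string       text
               , protocol           name
               )
          ;
          -- Accounts: password holds a crypt() hash, IP_addr the address or network allowed to log in.
          CREATE TABLE pass_table
               ( context            name
               , login              name
               , password           text
               , IP_addr            inet
               , write_permission_1 bool
               , some_permission_2  bool
               )
          ;
          -- Arguments, in the order mod_auth_pg collects them:
          -- $1 context, $2 login, $3 password, $4 caller IP, $5 URI, $6 QUERY_STRING, $7 protocol.
          -- Returns the oid of the matching pass_table row, or NULL if no row matches.
          CREATE FUNCTION valid_users(name, name, text, inet, text, text, name) RETURNS oid
           AS 'INSERT INTO log_table VALUES($1, $2, $4, $5, $6, $7)
              ;
               SELECT oid FROM pass_table
                WHERE $4 <<= IP_addr
                  AND ($1, $2) = (context, login)
                  AND password = crypt($3, password)
              '
           LANGUAGE 'sql' WITH(iscachable, isstrict)
          ;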
        
There is no need to keep login unique.
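
A least-privilege variant of the setup above, as an added example rather than code from mod_auth_pg or its author: the web server connects as a role that can only execute the function, and the function itself reads and writes the tables. It assumes an empty database on PostgreSQL 12 or later with the pgcrypto extension, an `id` key on pass_table in place of the oid, and a hypothetical role `www_auth`.

```sql
-- Added example, not mod_auth_pg's own code. Assumptions: an empty database on
-- PostgreSQL 12+, the pgcrypto extension, an "id" key on pass_table (current
-- releases have no oid column on user tables), hypothetical role www_auth.
CREATE EXTENSION IF NOT EXISTS pgcrypto;   -- supplies crypt() and gen_salt()

CREATE TABLE log_table
     ( context name, login name, IP_addr inet
     , URI text, query_string text, protocol name );
CREATE TABLE pass_table
     ( id bigserial PRIMARY KEY
     , context name, login name, password text, IP_addr inet
     , write_permission_1 bool, some_permission_2 bool );

-- Dedicated login role for Apache (Auth_PG_user); not a superuser.
CREATE ROLE www_auth LOGIN;

CREATE FUNCTION valid_users(name, name, text, inet, text, text, name)
RETURNS bigint
LANGUAGE sql
VOLATILE            -- writes a log row, so it must not be marked IMMUTABLE
STRICT              -- as on the page: a NULL argument yields NULL (access denied)
SECURITY DEFINER    -- runs with the function owner's rights, not www_auth's
SET search_path = public, pg_temp
AS $$
    -- $3 (the password) is deliberately left out of the log row.
    INSERT INTO log_table VALUES ($1, $2, $4, $5, $6, $7);
    SELECT id FROM pass_table
     WHERE $4 <<= IP_addr
       AND ($1, $2) = (context, login)
       AND password = crypt($3, password);
$$;

-- www_auth may call the function and nothing else: no direct table access.
REVOKE ALL ON log_table, pass_table FROM PUBLIC, www_auth;
REVOKE EXECUTE ON FUNCTION valid_users(name, name, text, inet, text, text, name) FROM PUBLIC;
GRANT EXECUTE ON FUNCTION valid_users(name, name, text, inet, text, text, name) TO www_auth;

-- Constructed sample account, limited to callers inside 10.0.0.0/8.
INSERT INTO pass_table (context, login, password, IP_addr)
VALUES ('staff', 'alice', crypt('example-password', gen_salt('bf')), '10.0.0.0/8');

-- Exercise it as the web role (needs a superuser or a member of www_auth):
-- a correct password, then a wrong one.
SET ROLE www_auth;
SELECT valid_users('staff', 'alice', 'example-password', '10.1.2.3', '/', '', 'HTTP/1.1');
SELECT valid_users('staff', 'alice', 'wrong-password', '10.1.2.3', '/', '', 'HTTP/1.1');
RESET ROLE;
```

With this in place the .htaccess would name the restricted role, `Auth_PG_user www_auth`, instead of `postgres`.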

Changelog

2001-10-26
First public release of patchset to mod_auth_pgsql
2002-05-12
patchset is stable.
2002-12-29
Sources rearranged without change in functionality, documentation reviewed. First separate release - 0.10
2003-01-01
Makefile tweaked to be more compatible with the FreeBSD ports system. Release 0.11