Apache Module mod_auth_pg
This module provides user authentication and logging
for Apache via a
PostgreSQL database.
It was rewritten from mod_auth_pgsql
(thanks to Giuseppe Tanzilli; I do not know Apache well enough
to write a module from scratch quickly, and have no time to learn Apache).
Compared with mod_auth_pgsql,
mod_auth_pg is reduced in size and complexity and provides
far more functionality.
mod_auth_pg collects the context (if one is configured), the login
and password as provided by the user, the caller's IP, the URI, QUERY_STRING and protocol,
and calls the configured PostgreSQL function to get a value.
The user is not authorised if this value is NULL; otherwise the module places the value
in the CREDENTIALS environment variable for use in CGI or SSI.
The downside of this authorisation module is that passwords are transmitted
to the database, so the channel between Apache and PostgreSQL
must be as secure as Apache itself.
All logic is coded in PostgreSQL; this can include creating users "on the fly",
user tracking, credentials dependent on IP, logging and much more.
This page documents version 0.10 (2002-12-29) of mod_auth_pg
Directives
Auth_PG_host
Syntax: Auth_PG_host hostname
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the host on which the postmaster is running. The effective
uid of the server should be allowed access.
Auth_PG_port
Syntax: Auth_PG_port port number
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the TCP/IP port number at which the postmaster can be found.
Auth_PG_options
Syntax: Auth_PG_options option string
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies an option string to be passed to the PostgreSQL backend process.
Refer to the PostgreSQL user manual for a description of the available options.
Auth_PG_database
Syntax: Auth_PG_database database name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the name of the database that stores the authentication information.
Auth_PG_user
Syntax: Auth_PG_user username
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the database user name used to access PostgreSQL; this user
should have execute access on Auth_PG_function.
Needed if the user who makes the query is different
from the user running Apache, or if the postmaster is on a different
server and does not use identd.
Auth_PG_pwd
Syntax: Auth_PG_pwd password
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies the password for the user who accesses PostgreSQL, if needed.
Auth_PG_function
Syntax: Auth_PG_function function name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Gives the name of the function which calculates credentials and returns
NULL if access is forbidden. This function can log accesses if needed.
Auth_PG_context
Syntax: Auth_PG_context context name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Gives the name of the context. Used to serve independent
authentication entries.
Auth_PG_finish
Syntax: Auth_PG_finish uri
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
If configured, the connection is not dropped until the configured URI is requested.
Usually the URI of a footer triggers the drop of the connection to PostgreSQL.
Auth_PG_authoritative
Syntax: Auth_PG_authoritative on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
This option is on by default.
Turning it off will cause low-level errors, such as a user not being found
or a simple configuration error, to fall through
to other authentication directives which may be defined for this area.
For example, if a parent directory has another authorization scheme and
a user name is not found for the PostgreSQL scheme,
the parent directory scheme will be given the chance to try
and authenticate the user.
Exercise caution when turning this option off.
It can be a security risk.
It can be used to apply two authentication schemes to the same directory.
Example
Here is an example .htaccess file you might use to enable PostgreSQL authentication:
PostgreSQL trusted user:
AuthName "My PostgreSQL Authenticator"
AuthType basic
Auth_PG_function valid_users
Auth_PG_context staff
<LIMIT GET POST>
require valid-user
</LIMIT>
You can add
Auth_PG_host localhost
Auth_PG_port 5432
Auth_PG_user postgres
Auth_PG_database www
if defaults are not successful.
Example of an SQL function to authenticate:
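-- Access log: one row per authentication attempt (the password is not logged).
CREATE TABLE log_table
( context name
, login name
, IP_addr inet
, URI text
, query_string text
, protocol name
)
;
-- Accounts: password holds a crypt() hash; IP_addr is the network a login is allowed from.
CREATE TABLE pass_table
( context name
, login name
, password text
, IP_addr inet
, write_permission_1 bool
, some_permission_2 bool
)
;
-- Arguments: $1 context, $2 login, $3 password, $4 caller IP, $5 URI, $6 query string, $7 protocol.
-- Returns the oid of the matching pass_table row as the credentials, or no row (NULL) to deny access.
-- crypt() is provided by the pgcrypto contrib module.
CREATE FUNCTION valid_users(name, name, text, inet, text, text, name) RETURNS oid
AS 'INSERT INTO log_table VALUES($1, $2, $4, $5, $6, $7)
;
SELECT oid FROM pass_table
WHERE $4 <<= IP_addr
AND ($1, $2) = (context, login)
AND password = crypt($3, password)
'
LANGUAGE 'sql' WITH(iscachable, isstrict)
;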
There is no need to keep login unique.
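A least-privilege setup for the database side, as an added example that is not part of mod_auth_pg or its documentation: the example .htaccess above connects as postgres, while Auth_PG_user only needs execute access on Auth_PG_function. It assumes a current PostgreSQL release, with valid_users already created with the signature shown above and owned by a role that can write log_table and read pass_table; the role name apache_auth and its password are hypothetical placeholders.

```sql
-- Added example, not part of mod_auth_pg. Assumptions: current PostgreSQL,
-- valid_users() exists with the signature from this page, and its owner
-- has INSERT on log_table and SELECT on pass_table.
-- apache_auth is a hypothetical role name; the password is a placeholder.

-- Dedicated login role for the module instead of the postgres superuser.
CREATE ROLE apache_auth LOGIN PASSWORD 'replace-with-a-generated-secret'
    NOSUPERUSER NOCREATEDB NOCREATEROLE;

-- Nobody but the owner touches the password hashes or the access log directly.
REVOKE ALL ON pass_table, log_table FROM PUBLIC;

-- Run the function with its owner's rights, so the caller needs no table
-- privileges. Pin search_path so the body cannot be redirected to objects
-- in a schema the caller controls (assumes the tables and pgcrypto's
-- crypt() live in schema public; adjust if they do not).
ALTER FUNCTION valid_users(name, name, text, inet, text, text, name)
    SECURITY DEFINER
    SET search_path = public, pg_temp;

-- Functions are executable by PUBLIC by default: remove that, then grant
-- EXECUTE to the module's role only.
REVOKE ALL ON FUNCTION valid_users(name, name, text, inet, text, text, name)
    FROM PUBLIC;
GRANT EXECUTE ON FUNCTION valid_users(name, name, text, inet, text, text, name)
    TO apache_auth;

-- Inspect the effective privileges of the role after the change.
SELECT has_table_privilege('apache_auth', 'pass_table', 'SELECT') AS can_read_hashes
     , has_table_privilege('apache_auth', 'log_table', 'SELECT')  AS can_read_log
     , has_function_privilege(
           'apache_auth',
           'valid_users(name, name, text, inet, text, text, name)',
           'EXECUTE')                                            AS can_authenticate
;
```

With this in place, Auth_PG_user is set to apache_auth and Auth_PG_pwd to that role's password in the .htaccess file.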
Download
Changelog
- 2001-10-26: First public release of patchset to mod_auth_pgsql
- 2002-05-12: patchset is stable.
- 2002-12-29: sources rearranged without change in functionality, documentation reviewed. First separate release - 0.10
- 2003-01-01: Makefile tweaked to be more compatible with FreeBSD ports system. Release 0.11