Apache Module mod_auth_pg2
This module provides user authentication and logging for Apache via a PostgreSQL database.
It was rewritten from mod_auth_pgsql2
(thanks to Giuseppe Tanzilli; I do not know Apache well enough
to write a module from scratch quickly, and have no time to learn Apache).
Compared to mod_auth_pgsql, mod_auth_pg2 is smaller and simpler,
yet provides far more functionality.
mod_auth_pg2 collects the context (if one is configured), the login
and password supplied by the user, the caller's IP address, the URI, the QUERY_STRING
and the protocol, and calls the configured PostgreSQL function to obtain a value.
If that value is NULL the user is not authorised; otherwise the value is placed
in the CREDENTIALS environment variable for use by CGI or SSI.
The downside of this authorisation module is that passwords are transmitted
to the database, so the channel between Apache and PostgreSQL
must be as secure as Apache itself.
All logic is coded in PostgreSQL: this can include creating users on the fly,
user tracking, credentials dependent on the caller's IP address, logging and much more.
This page documents version 0.01 (2009-07-15) of mod_auth_pg2.
Directives
Auth_PG2_options
Syntax: Auth_PG2_options connect string
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Specifies a connection string to be passed to PQconnectdb().
Refer to the PostgreSQL user manual for a description of its keywords.
Auth_PG2_function
Syntax: Auth_PG2_function function name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Gives the name of the function which calculates the credentials and returns
NULL if access is forbidden. This function can also log accesses if needed.
Auth_PG2_context
Syntax: Auth_PG2_context context name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
Gives the name of the context, which allows independent
authentication entries to be kept in the same tables.
Auth_PG2_authoritative
Syntax: Auth_PG2_authoritative on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension
This option is on by default.
Turning it off will cause low-level errors, such as a user not being found
or a simple configuration error, to fall through
to other authentication directives which may be defined for this area.
For example, if a parent directory has another authorization scheme and
a user name is not found for the PostgreSQL scheme,
the parent directory scheme will be given the chance to try
to authenticate the user.
Exercise caution when turning this option off;
it can be a security risk.
It can be used to combine two authentication schemes for the same directory.
Example
Here is an example .htaccess file you might use to enable PostgreSQL authentication:
PostgreSQL trusted user:
    AuthName "My PostgreSQL Authenticator"
    AuthType basic
    Auth_PG2_function valid_users
    Auth_PG2_context staff
    # <Limit> restricts only the listed methods; omit it to protect every method
    <Limit GET POST>
    require valid-user
    </Limit>
You can add
    Auth_PG2_options "host=localhost port=5432 user=postgres dbname=www"
if the defaults do not work (the libpq keyword for the database is dbname).
Example of an SQL function to authenticate:
    -- crypt() below comes from the pgcrypto contrib module
    -- (PostgreSQL 9.1+: CREATE EXTENSION pgcrypto; 8.x: load contrib/pgcrypto.sql).
    CREATE TABLE log_table
    ( context name
    , login name
    , IP_addr inet
    , URI text
    , query_string text
    , protocol name
    )
    ;
    -- WITH OIDS is needed because the function below returns the row's oid;
    -- tables are created without OIDs by default since PostgreSQL 8.1
    -- (the option was removed in PostgreSQL 12).
    CREATE TABLE pass_table
    ( context name
    , login name
    , password text        -- holds the crypt() hash, not the clear password
    , IP_addr inet         -- network the login is accepted from
    , write_permission_1 bool
    , some_permission_2 bool
    ) WITH OIDS
    ;
    -- Arguments: context, login, password, caller IP, URI, QUERY_STRING, protocol.
    -- Every attempt is logged first; the final SELECT yields NULL (access denied)
    -- when no row matches. Because the function writes to log_table it must not
    -- be declared cachable (immutable); STRICT makes any NULL argument deny access.
    CREATE FUNCTION valid_users(name, name, text, inet, text, text, name) RETURNS oid
    AS 'INSERT INTO log_table VALUES($1, $2, $4, $5, $6, $7)
    ;
    SELECT oid FROM pass_table
    WHERE $4 <<= IP_addr
    AND ($1, $2) = (context, login)
    AND password = crypt($3, password)
    '
    LANGUAGE sql STRICT
    ;
There is no need to keep login unique.
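The overview says all logic lives in PostgreSQL, and the valid_users example above logs every call before checking the password. As an added example (not code from mod_auth_pg2 or its author), the PL/pgSQL function below keeps the same seven-argument signature, records the outcome of each attempt, limits each entry to a network, and returns a role list that the module exposes as CREDENTIALS. The table names, columns and the sample account are assumptions; pgcrypto and PL/pgSQL must be installed.

```sql
-- Constructed example, not part of mod_auth_pg2. Same seven-argument signature
-- as valid_users: context, login, password, caller IP, URI, QUERY_STRING, protocol.
-- Requires PL/pgSQL and pgcrypto (crypt, gen_salt). Table/column names are assumed.
CREATE TABLE auth_log
( stamp        timestamptz NOT NULL DEFAULT now()
, context      name
, login        name
, ip_addr      inet
, uri          text
, query_string text
, protocol     name
, outcome      text NOT NULL        -- 'ok', 'bad password' or 'no such login/network'
);
CREATE TABLE account
( context  name NOT NULL
, login    name NOT NULL
, pw_hash  text NOT NULL                      -- salted crypt() hash, never clear text
, network  inet NOT NULL DEFAULT '0.0.0.0/0'  -- where this entry is valid from
, roles    text NOT NULL DEFAULT 'reader'     -- handed to CGI/SSI as CREDENTIALS
, PRIMARY KEY (context, login, network)
);
-- Constructed sample account; the clear password exists only to build the hash.
INSERT INTO account (context, login, pw_hash, network, roles)
VALUES ('staff', 'alice', crypt('s3cret', gen_salt('bf')), '192.168.1.0/24', 'reader,writer');
CREATE OR REPLACE FUNCTION check_user
  (p_context name, p_login name, p_password text, p_ip inet,
   p_uri text, p_query text, p_proto name)
RETURNS text AS $$
DECLARE
  acct    account%ROWTYPE;
  outcome text;
BEGIN
  -- Most specific network entry for this login that contains the caller's IP.
  SELECT * INTO acct FROM account
   WHERE context = p_context AND login = p_login AND p_ip <<= network
   ORDER BY masklen(network) DESC LIMIT 1;
  IF NOT FOUND THEN
    outcome := 'no such login/network';
  ELSIF crypt(p_password, acct.pw_hash) IS DISTINCT FROM acct.pw_hash THEN
    outcome := 'bad password';        -- IS DISTINCT FROM is NULL-safe
  ELSE
    outcome := 'ok';
  END IF;
  -- Every attempt is logged with its outcome, not only successful ones.
  INSERT INTO auth_log (context, login, ip_addr, uri, query_string, protocol, outcome)
  VALUES (p_context, p_login, p_ip, p_uri, p_query, p_proto, outcome);
  RETURN CASE WHEN outcome = 'ok' THEN acct.roles ELSE NULL END;  -- NULL = refused
END;
$$ LANGUAGE plpgsql VOLATILE;
```

Calling SELECT check_user('staff', 'alice', 's3cret', '192.168.1.7', '/index.html', '', 'HTTP/1.1') returns reader,writer and leaves an 'ok' row in auth_log; the same call from 10.0.0.5 returns NULL and is logged as 'no such login/network'. Set Auth_PG2_function check_user in .htaccess to use it in place of valid_users.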
Download
Changelog
- 2009-07-15
- First public release - 0.01