NAME
Apache::AuthzDBI - Authorization via Perl's DBI
SYNOPSIS
# Configuration in httpd.conf or srm.conf:
PerlModule Apache::AuthzDBI
# Authorization in .htaccess:
AuthName DBI
AuthType Basic
#authorize via DBI
PerlAuthzHandler Apache::AuthzDBI
PerlSetVar Auth_DBI_data_source dbi:driver:dsn
PerlSetVar Auth_DBI_username db_username
PerlSetVar Auth_DBI_password db_password
#DBI->connect($data_source, $username, $password)
PerlSetVar Auth_DBI_grp_table users
PerlSetVar Auth_DBI_uid_field username
PerlSetVar Auth_DBI_grp_field groupname
#SELECT grp_field FROM grp_table WHERE uid_field=$user AND grp_field=$group
<Limit GET>
require user user_1 user_2 ...
require group group_1 group_2 ...
</Limit>
The AuthType is limited to Basic. You may use one or more valid require lines. For a single require line with the tokens valid-user or with distinct user names it is sufficient to use only the AuthenDBI module.
DESCRIPTION
This module allows authorization against a database using Perl's DBI. For supported DBI drivers see:
http://www.hermetica.com/technologia/DBI/
When the authorization handler is called, the authentication has already been done. This means, that the given username/password has been validated.
The handler analyzes and processes the requirements line by line. The request is accepted only if all requirement lines are accepted.
In case of one or more user-names, they are compared with the given user-name until the first match. If there is no match and the authoritative directive is set to 'on' the request is rejected.
In case of one or more group-names, for every group the given user is looked up in the database with the constraint, that the user must be a member of this group. If there is no match and the authoritative directive is set to 'on' the request is rejected.
In case of 'valid-user' the request is accepted.
In case the authorization succeeds, the environment variable REMOTE_GROUP is set to the group name, so scripts that are protected by AuthzDBI don't need to bang on the database server again to get the group name.
The SQL-select used for retrieving the group is as follows (depending upon the existence of a grp_whereclause):
SELECT grp_field FROM grp_table WHERE uid_field = user AND grp_field = group
SELECT grp_table.grp_field FROM pwd_table, grp_table WHERE pwd_table.uid_field = user AND grp_table.grp_field = group AND grp_whereclause
LIST OF TOKENS
Auth_DBI_data_source
The data_source value should begin with 'dbi:driver_name:'. This value (with the 'dbi:...:' prefix removed) is passed to the database driver for processing during connect.
Auth_DBI_username
The username argument is passed to the database driver for processing during connect.
Auth_DBI_password
The password argument is passed to the database driver for processing during connect.
Auth_DBI_grp_table
Contains at least the fields with the username and the groupname.
Auth_DBI_uid_field
Field-name containing the username in the Auth_DBI_grp_table.
Auth_DBI_grp_field
Field-name containing the groupname in the Auth_DBI_grp_table.
Auth_DBI_grp_whereclause
Use this option for using more attributes in the group table.
Auth_DBI_authoritative < on / off>
Default is 'on'. When set 'on', there is no fall-through to other authorization methods if the authorization check fails. When this directive is set to 'off', control is passed on to any other authorization modules. Be sure you know what you are doing when you decide to switch it off.
Auth_DBI_casesensitive < on / off >
Default is 'on'. When set 'off', the entered userid and password is converted to lower case.
CONFIGURATION
The module should be loaded upon startup of the Apache daemon. It needs the AuthenDBI module for the authentication part. Add the following lines to your httpd.conf or srm.conf:
PerlModule Apache::AuthenDBI
PerlModule Apache::AuthzDBI
PREREQUISITES
For AuthzDBI you need to enable the appropriate call-back hooks when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1 PERL_AUTHZ=1.
SEE ALSO
AUTHORS
mod_perl by Doug MacEachern <dougm@osf.org>
DBI by Tim Bunce <Tim.Bunce@ig.co.uk>
Apache::AuthzDBI by Edmund Mergl <E.Mergl@bawue.de>
COPYRIGHT
The Apache::AuthzDBI module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
4 POD Errors
The following errors were encountered while parsing the POD:
- Around line 293:
'=item' outside of any '=over'
- Around line 347:
You forgot a '=back' before '=head1'
- Around line 372:
'=item' outside of any '=over'
- Around line 382:
You forgot a '=back' before '=head1'