NAME
Apache::AuthzDBI - Authorization via Perl's DBI
SYNOPSIS
# Configuration in httpd.conf or srm.conf:
PerlModule Apache::AuthzDBI
# Authorization in .htaccess:
AuthName DBI
AuthType Basic
#authorize via DBI
PerlAuthzHandler Apache::AuthzDBI
PerlSetVar Auth_DBI_data_source dbi:driver:dsn
PerlSetVar Auth_DBI_username db_username
PerlSetVar Auth_DBI_password db_password
#DBI->connect($data_source, $username, $password)
PerlSetVar Auth_DBI_pwd_table users
PerlSetVar Auth_DBI_uid_field username
PerlSetVar Auth_DBI_grp_field groupname
#SELECT grp_field FROM pwd_table WHERE uid_field=$user
require user user_1 user_2 ...
require group group_1 group_2 ...
The AuthType is limited to Basic. You may use one or more valid require lines. For a single require line with the tokens valid-user or with distinct user names it is sufficient to use only the AuthenDBI module. This module needs Apache::AuthenDBI, it can not be used stand-alone !
DESCRIPTION
This module allows authorization against a database using Perl's DBI. For supported DBI drivers see:
http://www.symbolstone.org/technology/perl/DBI/
When the authorization handler is called, the authentication has already been done. This means, that the given username/password has been validated.
The handler analyzes and processes the requirements line by line. The request is accepted if the first requirement is fulfilled.
In case of 'valid-user' the request is accepted.
In case of one or more user-names, they are compared with the given user-name until the first match.
In case of one or more group-names, all groups of the given user-name are looked up in the cache. If the user is not found in the cache, the groups are requested from the database. A $; separated list of all these groups is put into the environment variable REMOTE_GROUPS. Then these groups are compared with the required groups until the first match.
If there is no match and the authoritative directive is set to 'on' the request is rejected.
In case the authorization succeeds, the environment variable REMOTE_GROUP is set to the group name, so scripts that are protected by AuthzDBI don't need to bang on the database server again to get the group name.
The SQL-select used for retrieving the groups is as follows (depending upon the existence of a grp_table):
SELECT grp_field FROM pwd_table WHERE uid_field = user
SELECT grp_field FROM grp_table WHERE uid_field = user
This way you can have the group-information either in the main users table, or you can use an extra table, if you have an m:n relationship between users and groups. From all selected groups a comma-separated list is build, which is compared with the required groups. If you don't like normalized group records you can put such a comma-separated list of groups (no spaces) into the grp_field instead of single groups.
If a grp_whereclause exists, it is appended to the SQL-select.
At the end a CleanupHandler is initialized, which skips through the groups cache and deletes all outdated entries. This is done after sending the response, hence without slowing down response time to the client. The default cache_time is set to 0, which disables the cache, because any user will be deleted immediately from the cache.
LIST OF TOKENS
Auth_DBI_data_source
The data_source value should begin with 'dbi:driver_name:'. This value (with the 'dbi:...:' prefix removed) is passed to the database driver for processing during connect.
Auth_DBI_username
The username argument is passed to the database driver for processing during connect.
Auth_DBI_password
The password argument is passed to the database driver for processing during connect.
Auth_DBI_grp_table
Contains at least the fields with the username and the groupname.
Auth_DBI_uid_field
Field-name containing the username in the Auth_DBI_grp_table.
Auth_DBI_grp_field
Field-name containing the groupname in the Auth_DBI_grp_table.
Auth_DBI_grp_whereclause
Use this option for specifying more constraints to the SQL-select.
Auth_DBI_authoritative < on / off>
Default is 'on'. When set 'on', there is no fall-through to other authorization methods if the authorization check fails. When this directive is set to 'off', control is passed on to any other authorization modules. Be sure you know what you are doing when you decide to switch it off.
Auth_DBI_uidcasesensitive < on / off >
Default is 'on'. When set 'off', the entered userid is converted to lower case. Also the userid in the password select-statement is converted to lower case.
Auth_DBI_cache_time
Default is 0 = off. When set to any value n > 0, the groups of all users will be cached for n seconds. After finishing the request, a special handler skips through the cache and deletes all outdated entries (entries, which are older than the cache_time).
Auth_DBI_expeditive
Default is 'off'. When set to 'on', the result of an authorization failure is an 'Access Forbidden' code instead of 'Authentication Required'. This is less convenient in a few cases because it doesn't allow users to 'switch identities' w/o closing the browser, but is formally more correct and allows support persons to easily diagnose whether the problem is in authentication (wrong password) or in authorization (wrong permissions).
Auth_DBI_placeholder < on / off > Default is 'off'. When set 'on', the select statement is prepared using a placeholder for the username. This may result in improved performance for databases supporting this method.
CONFIGURATION
The module should be loaded upon startup of the Apache daemon. It needs the AuthenDBI module for the authentication part. Note that this needs mod_perl-1.08 or higher, apache_1.3.0 or higher and that mod_perl needs to be configured with
PERL_AUTHEN=1 PERL_AUTHZ=1 PERL_CLEANUP=1 PERL_STACKED_HANDLERS=1.
Add the following lines to your httpd.conf or srm.conf:
PerlModule Apache::AuthenDBI
PerlModule Apache::AuthzDBI
PREREQUISITES
For Apache::AuthzDBI you need to enable the appropriate call-back hooks when making mod_perl:
perl Makefile.PL PERL_AUTHEN=1 PERL_AUTHZ=1 PERL_CLEANUP=1 PERL_STACKED_HANDLERS=1.
SEE ALSO
AUTHORS
mod_perl by Doug MacEachern <modperl@apache.org>
<dbiDBI by Tim Bunce <dbi-users@isc.org>
Apache::AuthzDBI by Edmund Mergl <E.Mergl@bawue.de>
COPYRIGHT
The Apache::AuthzDBI module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
4 POD Errors
The following errors were encountered while parsing the POD:
- Around line 373:
'=item' outside of any '=over'
- Around line 451:
You forgot a '=back' before '=head1'
- Around line 481:
'=item' outside of any '=over'
- Around line 491:
You forgot a '=back' before '=head1'