Module mod_auth_pg95

Postgres95 Authentication

This module allows user authentication against information stored in a Postgres95 database. Postgres95 is a public domain SQL database.

One database, and one (or two) tables. One table holds the username and the encrypted password. The other table holds the username and the names of the group to which the user belongs. It is possible to have username, groupname and password in the same table.

This page documents version 0.4 (June 1996) of mod_auth_pg95.c

Example | Technical Notes | Compilation Notes | Utility Program

Auth_PGhost

Syntax: Auth_PGhost hostname
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the host on which the postmaster is running.

Auth_PGport

Syntax: Auth_PGport port number
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the TCP/IP port number at which the postmaster can be found.

Auth_PGoptions

Syntax: Auth_PGoptions option string
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies an option string to be passed to the postgres95 backend process. Refer to the Postgres95 user manual for a description of the available options.

Auth_PGdatabase

Syntax: Auth_PGdatabase database name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the name of the database that stores the authentication information.

Auth_PGpwd_table

Syntax: Auth_PGpwd_table relation name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Gives the name of the relation which contains the username and password information.

Auth_PGgrp_table

Syntax: Auth_PGgrp_table relation name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Gives the name of the relation which contains the username and group information. This can be the same table specified with Auth_PGpwd_table. This directive is only necessary if you want to authenticate by user groups.

Auth_PGuid_field

Syntax: Auth_PGuid_field attribute name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the attribute name of the field containing the user name in the Auth_PGpwd_table relation.

Auth_PGpwd_field

Syntax: Auth_PGpwd_field attribute name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the attribute name of the field containing the encrypted password in the Auth_PGpwd_table relation.

Auth_PGgid_field

Syntax: Auth_PGgid_field attribute name
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Specifies the attribute name of the field containing the group name in the Auth_PGgrp_table relation. This directive is only necessary if you want to authenticate by user groups.

Auth_PG_nopasswd

Syntax: Auth_PG_nopasswd on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

This option is off by default. Turning it on will cause a user to be validated when their password field is empty. The password entered will be ignored. Exercise caution when turning this on.

Auth_PG_authorative

Syntax: Auth_PG_authorative on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

This option is on by default. Turning it off will cause low level errors such a user not being found or a simple configuration error to fall through to other authentication directives which may be defined for this area. For example, if a parent directory has another authorization scheme and a user name is not found for the Postgres95 scheme, the parent directory scheme will be given the chance to try and authenticate the user. Exercise caution when turning this option off. It can be a security risk.

Auth_PG_encrypted

Syntax: Auth_PG_encrypted on or off
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

Defaults to on. Controls weather this module expects passwords in the database to be encrypted or not. When turned off, you can use unencrypted passwords in your database. Exercise caution when deciding to turn this off!

Auth_PGpwd_whereclause

Syntax: Auth_PGpwd_whereclause SQL fragment
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

This option allows you to exercise greater control over the SQL code used to retrieve the user name and password from the database. You can use this to search for the username using more attributes in the table than the pwd_field.

The basic SQL statement used to retrieve a user's password for checking looks like this:

<pwd_field>

<pwd_table>

<uid_field>

<remote_user>

The pwd_whereclause will be added to the end of this statement and must fit logically.

Auth_PGgrp_whereclause

Syntax: Auth_PGgrp_whereclause SQL fragment
Context: directory, .htaccess
Override: AuthConfig
Status: Extension

This option allows you to exercise greater control over the SQL code used to retrieve the group name and corresponding user from the database. You can use this to search for the group name using more attributes in the table than the gid_field.

The basic SQL statement used to retrieve a group name and user name for checking looks like this:

<uid_field>

<grp_table>

<gid_field>

<required group>

The gid_whereclause will be added to the end of this statement and must fit logically.

Example

Here is an example .htaccess file you might use to enable Postgres95 authentication:

Auth_PGhost localhost
Auth_PGport 5432
Auth_PGdatabase www
Auth_PGpwd_table valid_users
Auth_PGuid_field user
Auth_PGpwd_field password
AuthName My Postgres95 Authenticator
AuthType basic

<LIMIT GET POST>
require valid-user
</LIMIT>

Technical Notes

If the SQL statement used to retrieve the user or group name returns more than one tuple, it is considered an error. If this is likely to happen, use Auth_PGpwd_whereclause and Auth_PGgrp_whereclause to create a query that will only return one tuple.

Compilation Notes

In order to compile this module into your server, you will require am installed Postgres95 library. This is typically located in /usr/local/postgres95. You will need to add the following things to your Configuration file:

To CFLAGS add -I/usr/local/postgres95/include
To LFLAFS add -L/usr/local/postgres95/lib
To EXTRA_LIBS add -lpq
Add this line to the modules list:

Utility program

Supplied with the Postgres95 authentication module is a command line utility Perl script written by David H. Bennett (dave@bensoft.com). It allows you to add users and modify passwords in your authentication database. It requires the pg95perl library which is available at the Postgres95 home page.

There are a few variables to set at the top of the script according to your needs.