A fork of Apache's mod_authn_dbd that allows execution of arbitrary SQL for user / password matching.
With most of Apache's auth modules, you must return a password from your external (or internal) source which is then matched internally by Apache using its own encoding methods. Apache's encodings are fairly limited and won't support alternative encoding methods that you may be using elsewhere.
This module aims to support alternative authentication mechanisms by offloading the password matching to your database via specially crafted SQL.
Apache's mod_dbd supports a range of database drivers, including generic ODBC, MSSQL, SyBase, MySQL, Oracle, PostgreSQL and SQLite, so this module will work on top of any dbd driver you can configure.
Download mod_authn_dbd.c and compile & install with apxs:
$ sudo apxs2 -iac mod_authn_dbd.c
(it may be simply apxs on your system, and sudo may or may not be required). The arguments -iac will install and activate the compiled output of mod_authn_dbd.c.
Note that you will also need to have mod_dbd installed and activated in Apache as this is a dependency.
Configuration is the same as for the standard mod_authn_dbd except you now have an added directive, AuthDBDFullAuthQuery:
# mod_dbd configuration
DBDriver mysql
DBDParams "dbname=apacheauth user=apache password=xxxxxx"
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
<Directory /usr/www/myhost/private>
# core authentication and mod_auth_basic configuration
# for mod_authn_dbd
AuthType Basic
AuthName "My Server"
AuthBasicProvider dbd
# core authorization configuration
Require valid-user
# mod_authn_dbd's SQL query to authenticate a user and password
AuthDBDFullAuthQuery \
"SELECT username from user where user = %s and password = sha2(concat(%s, '::mysalt'), 256)"
</Directory>
In this example, we have our passwords concatenated with "::mysalt" and stored as SHA-256, which MySQL can encode.
An AuthDBDFullAuthQuery query MUST return one or more results for a correct username / password combination and zero results for an incorrect username / password combination. It doesn't matter what the results are; a non-zero row count indicates a successful login.
Your query has two "%s" values to use. The first one is always the username the client has entered and the second one is always the password. You will need to order your query such that the username placeholder comes first and the password placeholder second.
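As an added illustration (not part of this README or the module's code), the contract above run against an in-memory SQLite stand-in for the MySQL database: MySQL's sha2() and concat() are emulated so the README's query text runs unchanged, the sqlite3 "?" placeholder takes the role of mod_dbd's "%s", and the row count alone decides the result. The table, column names and sample user are constructed for the example.

```python
import hashlib
import sqlite3

SALT = "::mysalt"  # the literal used in the README's AuthDBDFullAuthQuery


def sha2_256_hex(value: str) -> str:
    """Emulate MySQL SHA2(value, 256): lowercase hex digest of the UTF-8 input."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def open_auth_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the 'apacheauth' MySQL database."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks SHA2(); register it so the README's query runs unchanged.
    # Only the 256-bit variant is emulated; other lengths return NULL.
    conn.create_function("sha2", 2,
                         lambda s, bits: sha2_256_hex(s) if bits == 256 else None)
    # concat() is registered too, for SQLite builds that predate the builtin.
    conn.create_function("concat", 2, lambda a, b: (a or "") + (b or ""))
    conn.execute("CREATE TABLE user (username TEXT, user TEXT, password TEXT)")
    return conn


def add_user(conn: sqlite3.Connection, username: str, plaintext: str) -> None:
    """Store exactly what the login query recomputes: SHA2(concat(pw, salt), 256)."""
    conn.execute("INSERT INTO user VALUES (?, ?, ?)",
                 (username, username, sha2_256_hex(plaintext + SALT)))


# The README's query with mod_dbd's %s placeholders written as sqlite3's ?.
# The two values are bound as parameters, never spliced into the SQL string.
AUTH_QUERY = ("SELECT username from user where user = ? "
              "and password = sha2(concat(?, '::mysalt'), 256)")


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Apply the AuthDBDFullAuthQuery contract: username binds to the first
    placeholder, password to the second; any row means success, none means failure."""
    rows = conn.execute(AUTH_QUERY, (username, password)).fetchall()
    return len(rows) > 0


if __name__ == "__main__":
    db = open_auth_db()
    add_user(db, "alice", "correct horse")
    print("alice/correct horse ->", authenticate(db, "alice", "correct horse"))
    print("alice/wrong         ->", authenticate(db, "alice", "wrong"))
```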
The standard AuthDBDUserPWQuery directive from the original mod_authn_dbd will also work.
A full diff to the original mod_authn_dbd.c version 2.2.22 (my base) can be found here.
mod_authn_dbd is licensed under the Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0