Chris Darroch wrote:
KaiGai Kohei wrote:

But, I would like to set up the query as follows:
  AuthDBDUserRealmQuery \
    "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s"
    (the first %s is to be the realm, the second %s is to be the user)

It seems to me we have no way to put the replacement of the given
realm prior to username. Am I missing anything?

  I don't think so ... unless there's some way to rewrite the query
so the username is the first parameter, I don't see any option with
the existing code.

Hmm...
In this case, the realm is only used in md5() and does not appear in the WHERE
clause, so it is hard to reorder them.

If we have no reasonable workaround, I would like to suggest a new
directive: AuthDBDRealmUserQuery which specifies a query for digest
authentication with realm and user parameters in this order?

What's your opinion?

# This is an aside. I would like to include a few additional conditions
# in the query, such as remote address and so on.
# For example, we can consider a web-user who can access via a certain
# network address (like, 192.168.1.0/24), described as:
#
# SELECT md5(password) FROM uaccount \
#     WHERE uname = %s AND unetwork >>= %s::inet;

  I wonder if we could keep the existing config directives but
allow them to access an optional additional parameter (or set of
parameters).  You could then write:

AuthDBDUserRealmQuery \
   "SELECT %s FROM uaccount WHERE uname = %s AND foo = %s" \
   R,u,a

where R,u,a meant realm, user, and remote IP address parameters
were to be passed in that order.  (We'd likely want to follow
http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats
as much as possible for the available parameters.)  Just an idea
at the moment ... alas, no matching implementation.  Sigh.  :-/

I think a new directive with formats support is preferable to
keep compatibility with existing directives.

For example:
  AuthDBDUserRealmQueryFmt \
      "SELECT md5(uname || ':' || %R || ':' || upass) FROM uaccount \
           WHERE uname = %u AND uaddr >>= %a::inet"

When the directive is given, mod_authn_dbd can register the type and
order of the characters to be replaced. Then it can set them up as a parameter
list in the query execution phase.

Should I submit a patch to support the feature?

Thanks,
--
KaiGai Kohei <kai...@kaigai.gr.jp>
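The following is an added illustration of the parse-then-bind scheme sketched in the last message (the AuthDBDUserRealmQueryFmt idea), not code from mod_authn_dbd or from either poster. It assumes a hypothetical format with %u (user), %R (realm) and %a (remote address), follows the page's convention that the DBD layer takes %s placeholders with a positional argument list, and uses constructed sample values (user "alice", realm "Secure Area", address 192.168.1.7). The point worth seeing is that the format is rewritten once at configuration time into a query whose only placeholders are %s, with the parameter order recorded alongside it, so the realm, username and client address are always passed as bound parameters and never spliced into the SQL text; unknown or dangling specifiers are rejected at parse time rather than reaching the database.

```c
#include <stdio.h>
#include <string.h>

/* Parameter kinds of the hypothetical AuthDBDUserRealmQueryFmt directive */
enum fmt_param { P_USER, P_REALM, P_ADDR };

#define MAX_PARAMS 8

struct fmt_query {
    char sql[512];                   /* query with every %X rewritten to a %s placeholder */
    enum fmt_param order[MAX_PARAMS]; /* which value goes in each %s, in order */
    int nparams;
};

/* Rewrite a format string into a placeholder query and record the parameter order.
 * Returns 0 on success, -1 on an unknown specifier, a trailing '%', or overflow. */
int fmt_parse(const char *fmt, struct fmt_query *out)
{
    size_t o = 0;
    out->nparams = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') {
            if (o + 1 >= sizeof out->sql) return -1;
            out->sql[o++] = *p;
            continue;
        }
        p++;                         /* look at the specifier character */
        enum fmt_param kind;
        switch (*p) {
        case 'u': kind = P_USER;  break;
        case 'R': kind = P_REALM; break;
        case 'a': kind = P_ADDR;  break;
        case '%':                    /* "%%" is a literal percent sign */
            if (o + 1 >= sizeof out->sql) return -1;
            out->sql[o++] = '%';
            continue;
        default:                     /* unknown specifier or string ending in '%' */
            return -1;
        }
        if (out->nparams >= MAX_PARAMS) return -1;
        out->order[out->nparams++] = kind;
        if (o + 2 >= sizeof out->sql) return -1;
        out->sql[o++] = '%';
        out->sql[o++] = 's';
    }
    out->sql[o] = '\0';
    return 0;
}

/* At request time, fill the argument list in the recorded order.
 * Returns the number of parameters, or -1 if the caller's array is too small. */
int fmt_bind(const struct fmt_query *q, const char *user, const char *realm,
             const char *addr, const char **params, int params_max)
{
    if (q->nparams > params_max) return -1;
    for (int i = 0; i < q->nparams; i++) {
        switch (q->order[i]) {
        case P_USER:  params[i] = user;  break;
        case P_REALM: params[i] = realm; break;
        case P_ADDR:  params[i] = addr;  break;
        }
    }
    return q->nparams;
}

int main(void)
{
    /* The example query from the thread, with the proposed %R / %u / %a specifiers */
    const char *fmt = "SELECT md5(uname || ':' || %R || ':' || upass) FROM uaccount "
                      "WHERE uname = %u AND uaddr >>= %a::inet";
    struct fmt_query q;
    const char *params[MAX_PARAMS];

    if (fmt_parse(fmt, &q) != 0) {
        fprintf(stderr, "rejected query format\n");
        return 1;
    }
    /* Constructed sample request values, not real credentials */
    int n = fmt_bind(&q, "alice", "Secure Area", "192.168.1.7", params, MAX_PARAMS);
    printf("SQL: %s\n", q.sql);
    for (int i = 0; i < n; i++)
        printf("  param %d = %s\n", i + 1, params[i]);
    return 0;
}
```

Because the rewritten query is fixed at configuration time, the driver's placeholder handling does the quoting; the %a value is passed as a string and cast by the database (the ::inet cast stays in the SQL text), so a malformed address fails the cast rather than altering the statement.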
