Tom Donovan wrote:
> Phil Endecott wrote:
>> Dear Experts,
>> I'm setting up mod_authn_dbd for the first time (having previously used
>> the 3rd-party mod_auth_pgsql with apache2.0) and I'm unsure how the
>> passwords should be encoded in the database. The docs at
>> http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html just say:
>> "The query must take a single string (typically SQL varchar) argument
>> (username), and return a single value (encrypted password)."
>> Do I have a choice of encryption formats? How do I tell it which format
>> I have used? (Is there some more documentation somewhere that I have
>> missed?)
>
> There are four formats that Apache recognizes for passwords.
> Note that not all four work on every platform:
>
> 1. PLAIN TEXT (i.e. unencrypted) passwords:
>    Windows, BEOS, & Netware only.
> 2. CRYPT passwords:
>    Unix only.
>    Calls the Unix crypt(3) function with a
>    randomly-generated 32-bit salt and the password
> 3. SHA1 passwords:
>    "{SHA}" + Base64-encoded SHA-1 digest of the password
> 4. MD5 passwords:
>    "$apr1$" + the result of an Apache-specific algorithm
>    using an iterated (1,000 times) MD5 digest of various
>    combinations of a randomly-generated 32-bit salt
>    and the password. See source file apr-util/crypto/apr_md5.c
>    for the details of the algorithm.

Thanks Tom. I now have it working, something like this:
# You need the pgcrypto contrib package to get SHA1:
apt-get install postgresql-contrib
su postgres -c "psql -f /usr/share/postgresql/8.2/contrib/pgcrypto.sql"
# Configure DBD in the virtualhost:
DBDriver pgsql
DBDParams "dbname=secret user=secret"
<whinge>
The Apache docs could list the available tokens for the parameter
string, or at least link to
http://www.postgresql.org/docs/8.2/static/libpq-connect.html. I had
mis-remembered it and wrote "db=secret", which caused the following
utterly useless error message:
[Sat Aug 18 19:17:17 2007] [error] [client 8.6.8.19] Error looking up
foo in database
Does libpq really not return any more useful error information that
could be included here? What does PQerrorMessage return?
</whinge>
# Set up the query to return the SHA1 of the password:
AuthDBDUserPWQuery "select \
'{SHA}'||encode(digest(decode(password_b64,'base64'),'sha1'),'base64') \
from users where username=$1"
<another whinge>
I could query why I'm not allowed to use plain text or base64
passwords. Like very many low-security sites I store passwords in a
form that allows me to implement a "forgotten your password? click
here and we'll email it to you" feature. But I suspect that it's the
sort of question that would trigger some strong opinions, and I don't
want to annoy anyone because I think I'll have some more questions for
you all soon...
</another whinge>
# The rest of the configuration:
AuthName "secret"
AuthType basic
AuthBasicProvider dbd
require valid-user
..and now it seems to work.
Joshua wrote:
> How about making a page on wiki.apache.org/httpd/ for that?

The information that Tom supplied really ought to be in the main docs.
Is there a migration route from the wiki to the main documentation?

Laurent wrote:
> My only advice is to not use it as it doesn't work :-(

Well it seems to be working for me, so far. In your bug report you wrote:
> According to PostgreSQL log, it seems the connection hasn't a "working" status
> (expired ?)

Have you set up postgres to time out connections? If you have, try
disabling that.
Regards,
Phil.
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
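
The "{SHA}" format from the list above and the value the AuthDBDUserPWQuery expression returns can be reproduced outside the database. This is an added example, not part of the original thread; the function names and the sample base64 value are constructed for illustration. It also shows that "{SHA}" entries carry no salt, so equal passwords give equal stored values.

```python
import base64
import hashlib
import hmac


def _sha_from_bytes(raw: bytes) -> str:
    # "{SHA}" + Base64 of the raw 20-byte SHA-1 digest (not the hex form).
    return "{SHA}" + base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")


def sha_entry(password: str) -> str:
    """Build the "{SHA}" form of a password as described in the list above."""
    return _sha_from_bytes(password.encode("utf-8"))


def sha_entry_from_b64(password_b64: str) -> str:
    """Mirror of the SQL: '{SHA}'||encode(digest(decode(col,'base64'),'sha1'),'base64')."""
    return _sha_from_bytes(base64.b64decode(password_b64))


def classify(stored: str) -> str:
    """Tell the formats apart by prefix; crypt and plain text have no prefix."""
    if stored.startswith("$apr1$"):
        return "apr1-md5"
    if stored.startswith("{SHA}"):
        return "sha1"
    return "crypt-or-plaintext"


def verify_sha(candidate: str, stored: str) -> bool:
    """Check a candidate password against a "{SHA}" entry in constant time."""
    if classify(stored) != "sha1":
        return False
    return hmac.compare_digest(sha_entry(candidate), stored)


if __name__ == "__main__":
    # Constructed sample: base64 of the string "password", standing in for
    # one value of the password_b64 column.
    column_value = "cGFzc3dvcmQ="
    entry = sha_entry_from_b64(column_value)
    print(entry, classify(entry), verify_sha("password", entry))
    # No salt: two users with the same password get identical entries.
    print(sha_entry("password") == entry)
```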