Benchmarks Online


WWW@UNT.EDU

Apache 2.1 Failings:
 mod_authnz_ldap and mod_authn_file
 Part II

By Shannon Eric Peevey, UNT Central Web Support

Introduction

In last month's article, I showed you how to download and configure Apache 2.1 from Subversion. In this month's article, we are going to discuss the changes to our authentication configuration options, and how they cause Apache to use mod_authn_file (the new name for the authentication-phase portion of mod_auth) for authenticating users.

mod_authn_file

I think it would be easier to look at the full code example and then discuss the differences between Apache 2.0 configuration, and that of Apache 2.1.

Alias /publish /usr/local/apache21/htdocs

<Location /publish>
    AuthType Basic
    AuthName "Stinky monkey!!"
    AuthBasicProvider file

    ### begin of mod_authn_file ####
    AuthUserFile /usr/local/apache21/access/password
    AuthGroupFile /usr/local/apache21/access/htgroup
    ### end of mod_authn_file ####

    require group admin

    Dav On
    Options None
    ForceType text/plain
</Location>

In this example, we have aliased the webroot to /publish. This allows web developers to connect to a specific URL and, by appending /publish to the end, bypass any dynamic content engine (which is useful for WebDAV publishing). We need to do this because we are using dynamic content for our site, and if we don't set the option "ForceType text/plain", the web server will return all files requested by a GET to the web developer as rendered HTML. This is caused by the fact that WebDAV uses HTTP calls to grab files from the remote web server. At the present time, there is only one GET call in the HTTP protocol, which is used by both web browsers and WebDAV clients, and the server interprets calls from both clients as a request for the rendered web page. Without ForceType text/plain, the web server receives the GET, sends the file through the correct interpreter (i.e. PHP), and sends out the rendered HTML. With ForceType text/plain, the web server receives the GET, bypasses the call to the programming language interpreter, and sends out the source code for the file. Since /publish therefore serves raw source to anyone who can reach it, the authentication directives in this container are what keep that source private.

By the way, this usage of the <Location> directive is not recommended for controlling access to directories (we are using it for example purposes only). For more information as to why this is not recommended, see:

 http://httpd.apache.org/docs-2.0/mod/core.html#location

Now, let's split out the mod_authn_file specific elements from the <Location> container. This is exactly like the configuration for mod_auth in Apache 2.0, except for the addition of the directive AuthBasicProvider.

AuthType Basic
AuthName "Stinky monkey!!"
AuthBasicProvider file

### begin of mod_authn_file ####
AuthUserFile /usr/local/apache21/access/password
AuthGroupFile /usr/local/apache21/access/htgroup
### end of mod_authn_file ####

require group admin

AuthBasicProvider is the directive that tells Apache which type of authentication backend to use. Though the docs at:

 http://httpd.apache.org/docs-2.1/mod/mod_auth_basic.html#authbasicprovider

supposedly contain links to lists of accepted providers, the links given do not actually give any list of providers. In next month's article, I will give you the provider for LDAP; for this month, it is enough to know that authentication with the oft-used htpasswd and htgroup files is designated as provider "file". AuthBasicProvider takes a space-delimited list of providers, so multiple providers would look like this:

AuthBasicProvider provider1 provider2 provider3

After you have set AuthBasicProvider to file, pointed your AuthUserFile/AuthGroupFile directives at the correct htpasswd and htgroup files, and set your AuthType/AuthName, save your changes and restart Apache. (See: http://httpd.apache.org/docs-2.1/howto/auth.html for more information on how to set up your AuthUserFile and AuthGroupFile.) Point your favourite browser to: http://localhost/publish and you should be prompted for your username and password. If you have trouble getting into the protected directory, check your error_log files for more specific information as to what is causing the problem.
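One thing worth checking when a login fails is whether the two files agree: a user can be listed in the group named by "require group admin" without having an entry in the AuthUserFile. The following is an added example, not code from the original article, that cross-checks the two file formats and flags hash schemes worth reviewing; the file contents are constructed samples and the function names are hypothetical.

```python
# Added example: cross-check an AuthUserFile against an AuthGroupFile (constructed samples).
SAMPLE_PASSWD = """\
alice:$apr1$CONSTRUCTED$placeholderhashvalue00
bob:{SHA}CONSTRUCTEDplaceholderhash=
# dave was added to the group but never given a password
"""
SAMPLE_GROUP = """\
admin: alice bob dave
editors: carol
"""
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-unsalted"))

def _records(text):
    """Yield (key, value) from 'key:value' lines, skipping blanks and # comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and ":" in line:
            key, value = line.split(":", 1)
            yield key.strip(), value.strip()

def parse_passwd(text):
    users = {}
    for user, hashed in _records(text):
        users.setdefault(user, hashed)  # keep the first entry seen for a user
    return users

def parse_groups(text):
    groups = {}
    for name, members in _records(text):
        groups.setdefault(name, set()).update(members.split())
    return groups

def scheme(hashed):
    """Label the hash field by its prefix; no known prefix means crypt() or plaintext."""
    return next((label for prefix, label in PREFIXES if hashed.startswith(prefix)),
                "crypt-or-plaintext")

def audit(passwd_text, group_text, group):
    """Report who can satisfy 'require group <group>' and whose hash needs review."""
    users = parse_passwd(passwd_text)
    members = parse_groups(group_text).get(group, set())
    known = sorted(members & set(users))
    weak = ("sha1-unsalted", "crypt-or-plaintext")
    return {"can_authenticate": known,
            "missing_from_passwd": sorted(members - set(users)),
            "review_hash": [m for m in known if scheme(users[m]) in weak]}

if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_GROUP, "admin"))
```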

Conclusion

In this month's article, we have discussed how to configure "basic authentication" for Apache 2.1. In next month's article, we are going to configure Apache 2.1 to use LDAP for authentication, and then the month after that, we will discuss how to DECLINE from mod_authn_file/mod_authz_groupfile to mod_authnz_ldap. Enjoy!!

Provider List

After concluding this article, I made a list of available providers for stable authentication modules. They are:

  • Anonymous authentication (much like FTP) = mod_authn_anon = "anon"

  • DBM file authentication = mod_authn_dbm = "dbm"

  • htpasswd/htgroup authentication = mod_authn_file = "file"

  • LDAP authentication = mod_authnz_ldap = "ldap"

 
