Apache Web Login Authentication:
Adding password protection to a web site using Apache web server authentication.
Tutorial Table of Contents:
  - Apache password file authentication
  - Apache configuration file
  - Password protection by a single login
  - Password protection by group access permissions
  - Restrict access based on domain or IP address
  - Authentication directives placed in httpd.conf exclusively without using .htaccess
  - Using Perl CGI script to manage .htaccess
  - Apache authentication using digest file
  - Apache authentication using LDAP
  - Apache authentication using NIS
  - Apache authentication using MySQL database
  - Login URL trick
  - Other Links
Apache authentication and authorization Intro:

Apache authentication can be configured to require web site visitors to login with a user id and password. This is different than adding a login form on a web page and creating your own authentication. This tutorial describes the various methods available for authentication with Apache and its configuration. Login protection is applied to the web pages stored in a directory. The login dialog box which requests the user id and password is provided by the web browser at the request of Apache. Apache allows the configuration to be entered in its configuration files (i.e. the main configuration file /etc/httpd/conf/httpd.conf, or supplementary configuration files such as /etc/httpd/conf.d/component.conf) or in a file which resides within the directory to be password protected. Five forms of authentication are detailed here: Apache password file authentication, digest file authentication, LDAP, NIS and MySQL.

Apache authentication methods using local files to store passwords have no association with system user accounts. If using LDAP or NIS for system login authentication, its use can be extended to support Apache web site logins.
Terms:
  - Authentication: Prove it is you. Authenticate the login by requiring a password only the user would know.
  - Authorization: Only certain users or members of a privileged group are allowed.
Typically Authentication, or Authentication and Authorization, are required for access.

Apache configuration files: (referred to generically in this tutorial as httpd.conf; the directives may also reside in the file .htaccess in the directory being protected.)
  - Red Hat / Fedora Core / CentOS: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
  - Novell SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf
  - Ubuntu (dapper 6.06) / Debian: /etc/apache2/apache2.conf or /etc/apache2/conf.d/application.conf
Linux Tutorial - Apache Web Login Authentication:
http://www.yolinux.com/TUTORIALS/LinuxTutorialApacheAddingLog...
1 of 12, 2014-01-22 11:16

Apache password file authentication:
Directory protection using .htaccess and .htpasswd

This tutorial applies to Apache based web servers. It requires:
  1. Editing the server configuration file (httpd.conf) to enable/allow a directory structure on the server to be password protected. Basically the default <Directory> access permission statement needs modification.
  2. The creation and addition of two files specifying the actual logins and passwords (.htaccess and .htpasswd).

Use this sparingly because Apache will have to check all directories and subdirectories specified in the configuration file for the existence of the .htaccess file, adding to a server's latency.

When trying to access a file in a protected directory, the user will be presented with a window (dialog box) requesting a username and password. This protection applies to all sub-directories. Other .htaccess files in sub-directories may respecify access rules.

Apache authentication uses the modules mod_auth and mod_access.
Apache configuration file:
File: /etc/httpd/conf/httpd.conf (older systems used access.conf)

Default: This disables the processing of .htaccess files for the system.

    <Directory />
        AllowOverride None
    </Directory>

or for a specified directory:

    <Directory /home/domain/public_html>
        AllowOverride None
    </Directory>

Change to and/or specify the directory to protect:

    <Directory /home/domain/public_html/membersonly>
        AllowOverride All
    </Directory>

OR

    <Directory /home/domain/public_html/membersonly>
        AllowOverride AuthConfig
    </Directory>

AllowOverride parameters: AuthConfig FileInfo Indexes Limit Options

The name of the "distributed" and user controlled configuration file .htaccess is defined with the directive: (default shown)

    AccessFileName .htaccess
Password protection by a single login:
Password files:
  1. Create the directory you want to password protect (example: membersonly).
  2. Create a file /home/domain/public_html/membersonly/.htaccess in that directory that looks something like this:

        AuthName "Add your login message here."
        AuthType Basic
        AuthUserFile /home/domain/public_html/membersonly/.htpasswd
        AuthGroupFile /dev/null
        require user name-of-user

     In this case the "name-of-user" is the login name you wish to use for accessing the web site.

     [Pitfall] The literature is full of examples of the next method but I never got it to work. One can use Apache directives to specify access and restriction:

        AuthName "Add your login message here."
        AuthType Basic
        AuthUserFile /home/domain/public_html/membersonly/.htpasswd
        AuthGroupFile /dev/null
        <Limit GET POST>
            require user name-of-user
        </Limit>

     Also see: List of Apache directives. If an incorrect directive is used in the .htaccess file it will result in a server error. Check your log files: /var/log/httpd/error_log.

     The name of the access file .htaccess is specified by the httpd.conf directive AccessFileName.

  3. Create (or clobber if it already exists) the password file /home/domain/public_html/membersonly/.htpasswd using the program htpasswd:
        htpasswd -c .htpasswd name-of-user

     Add a new user to the existing password file:

        htpasswd .htpasswd name-of-user

     Man page: htpasswd

     Example file: .htpasswd

        user1:KgvCSeExtS4kM
        USER1:KgvCSeExtS4kM
        User1:KgvCSeExtS4kM
Password file protection, ownership and SELinux attributes:

    File privileges:         chmod ug+rw .htpasswd
    File ownership:          chown apache.apache .htpasswd
    SELinux file attributes: chcon -R -h -u system_u -r object_r -t httpd_config_t .htpasswd

This is required so that the Apache web server can access the password file.
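As an added example (not code from the tutorial), the check Apache performs against a .htpasswd file, reimplemented in Python for the default MD5-based "$apr1$" format (htpasswd -m), the "{SHA}" format (htpasswd -s) and plain-text entries (htpasswd -p); the user names and passwords in the sample file are constructed, and the crypt(3) entries shown in the example file above are not covered.

```python
"""Verify logins against an Apache .htpasswd file (added example, not tutorial code).
Handles "$apr1$" (htpasswd -m), "{SHA}" (htpasswd -s) and plain-text (htpasswd -p)
entries; the crypt(3) format is not handled here."""
import base64
import hashlib
import hmac
import secrets

# Alphabet used by APR's to64(): 6 bits per character, least significant group first
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
APR1_MAGIC = b"$apr1$"

def _to64(value: int, nchars: int) -> str:
    out = []
    for _ in range(nchars):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)

def apr1_hash(password: str, salt: str) -> str:
    """Apache's $apr1$ variant of MD5-crypt: salted, 1000 stretching rounds."""
    pw = password.encode()
    salt = salt[:8]                      # APR uses at most 8 salt characters
    sb = salt.encode()
    alt = hashlib.md5(pw + sb + pw).digest()
    ctx = hashlib.md5(pw + APR1_MAGIC + sb)
    for i in range(len(pw)):             # mix in 'alt', one byte per password byte
        ctx.update(alt[i % 16:i % 16 + 1])
    i = len(pw)                          # then a NUL or pw[0] per bit of len(pw)
    while i:
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                # fixed schedule of inputs per round
        ctx = hashlib.md5()
        ctx.update(pw if r & 1 else final)
        if r % 3:
            ctx.update(sb)
        if r % 7:
            ctx.update(pw)
        ctx.update(final if r & 1 else pw)
        final = ctx.digest()
    # 16 digest bytes are emitted in APR's transposed order, 3 bytes -> 4 chars
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                      for a, b, c in groups)
    encoded += _to64(final[11], 2)
    return f"$apr1${salt}${encoded}"

def sha1_hash(password: str) -> str:
    """htpasswd -s format: unsalted, so identical passwords give identical entries."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()

def check_password(password: str, stored: str) -> bool:
    """Recompute the stored form from the candidate password; compare in constant time."""
    if stored.startswith("$apr1$"):
        candidate = apr1_hash(password, stored.split("$")[2])
    elif stored.startswith("{SHA}"):
        candidate = sha1_hash(password)
    else:
        candidate = password             # plain-text entry (htpasswd -p)
    return hmac.compare_digest(candidate.encode(), stored.encode())

def parse_htpasswd(text: str) -> dict:
    """One 'user:hash' per line. Names are case sensitive: user1 and USER1 are distinct."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            user, _, stored = line.partition(":")
            entries[user] = stored
    return entries

def authenticate(htpasswd_text: str, user: str, password: str) -> bool:
    entries = parse_htpasswd(htpasswd_text)
    return user in entries and check_password(password, entries[user])

def new_entry(user: str, password: str) -> str:
    """What 'htpasswd -m file user' appends: a random 8-character salt and the $apr1$ hash."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return f"{user}:{apr1_hash(password, salt)}"

# Constructed sample file: one MD5 entry and one SHA entry (passwords are made up)
SAMPLE_HTPASSWD = "\n".join([
    new_entry("user1", "user1-pass"),
    "User1:" + sha1_hash("other-pass"),
])
```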
Flexible password protection by group access permissions:
This example differs from the previous example in that it allows for greater control and flexibility by using groups.

Password files:
  1. Create a file .htgroup in that directory that contains the group name and list of users:

        member-users: user1 user2 user3 ... etc

     Where member-users is the name of the group.
  2. Modify .htaccess in the membersonly directory so it looks something like:

        AuthName "Add your login message here."
        AuthType Basic
        AuthUserFile /home/domain/public_html/membersonly/.htpasswd
        AuthGroupFile /home/domain/public_html/membersonly/.htgroup
        require group member-users

  3. Create the password file .htpasswd using the program htpasswd for each user as above. You don't need the -c option if you are using the same .htpasswd file. (-c is only to create a new file.)

        htpasswd -c /home/domain/public_html/membersonly/.htpasswd user1
        htpasswd /home/domain/public_html/membersonly/.htpasswd user2
Restrict access based on domain or IP address:
Allow specified domain to access site:

    Order deny,allow
    Deny from all
    Allow from allowable-domain.com
    Allow from XXX.XXX.XXX
    Deny from evil-domain.com

Specify the first three (or one, or two, ...) octets of the IP address defining the allowable domain.
Placing Authentication directives in httpd.conf exclusively instead of using .htaccess:
The purpose of using the "distributed configuration file" .htaccess is so that users may control authentication. It can also be set in the Apache configuration file httpd.conf WITHOUT using the .htaccess file. This can improve server performance as the server will not have to look for the .htaccess file in each subdirectory.

File: httpd.conf (portion)

    ...
    <Directory /home/domain/public_html/membersonly>
        AllowOverride AuthConfig
        AuthName "Add your login message here."
        AuthType Basic
        AuthUserFile /home/domain/public_html/membersonly/.htpasswd
        AuthGroupFile /dev/null
        require user name-of-user
    </Directory>
    ...
Perl CGI Script to Modify User Passwords:
This allows users to manage / change their own passwords.

Use the Perl CGI script htpasswd.pl [cached copy].
  - Edit the location of Perl, i.e. /usr/bin/perl, not /usr/local/bin/perl.
  - Edit the script to specify the location of the password file, i.e. /var/www/PasswordDir/.htpasswd
  - SELinux users must add the correct attribute, i.e.:

        chcon -R -h -t httpd_sys_content_t /var/www/PasswordDir

The password file must be located in a directory where CGI is allowed to modify files.

File: httpd.conf (portion)

    ...
    <Directory "/var/www/PasswordDir">
        Options -Indexes
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    ...
Using Digest File for Apache Authentication:
This method authenticates a user login using Apache 2.0 on Linux. The logins have no connection to user accounts.

    <Directory /home/domain/public_html/membersonly>
        AuthType Digest
        AuthName "Members Only Area"
        AuthDigestDomain /home/domain/public_html/membersonly
        AuthDigestFile /etc/httpd/conf/digestpw
        require valid-user
    </Directory>

For more on digest authentication see:
  - Apache.org: Module mod_auth_digest
  - RFC 2617: HTTP Authentication: Basic and Digest Access Authentication
  - Man page: htdigest
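The exchange behind the digest file, as an added Python example rather than code from the tutorial: the server keeps only the htdigest-style HA1 value (never the password) and verifies an RFC 2617 response with qop=auth. The realm is the AuthName above and the user larry with password larrysecret comes from the tutorial's Stooges sample; the request URI and nonce handling are assumptions.

```python
"""HTTP Digest authentication round trip against an htdigest-style credential file.
Added example, not tutorial code: the server keeps only HA1 = MD5("user:realm:password")
(the htdigest file format) and checks the client's response per RFC 2617 with qop=auth.
Realm, user and password are constructed sample values."""
import hashlib
import hmac
import secrets

def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()

def htdigest_line(user: str, realm: str, password: str) -> str:
    """What 'htdigest file realm user' stores: the password itself never appears."""
    return f"{user}:{realm}:{md5_hex(f'{user}:{realm}:{password}')}"

def load_htdigest(text: str) -> dict:
    """Map (user, realm) -> HA1 for each non-empty line of an htdigest file."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, ha1 = line.strip().split(":")
            table[(user, realm)] = ha1
    return table

def client_response(user, realm, password, nonce, method, uri, cnonce, nc="00000001"):
    """Browser side (RFC 2617 3.2.2): response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce, "response": response}

class DigestServer:
    def __init__(self, htdigest_text: str, realm: str):
        self.realm = realm
        self.table = load_htdigest(htdigest_text)
        self.nonces = set()              # nonces issued and not yet consumed

    def challenge(self) -> str:
        """WWW-Authenticate header sent with the 401; the nonce is fresh per challenge."""
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return f'Digest realm="{self.realm}", qop="auth", nonce="{nonce}", algorithm=MD5'

    def verify(self, method: str, params: dict) -> bool:
        """Accept only a nonce we issued, once, then recompute the response from stored HA1."""
        if params.get("realm") != self.realm or params.get("nonce") not in self.nonces:
            return False
        self.nonces.discard(params["nonce"])   # single use: a captured response cannot be replayed
        ha1 = self.table.get((params.get("username"), self.realm))
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{params['uri']}")
        expected = md5_hex(f"{ha1}:{params['nonce']}:{params['nc']}:{params['cnonce']}:auth:{ha2}")
        return hmac.compare_digest(expected, params["response"])

def parse_challenge(header: str) -> dict:
    """Split 'Digest k="v", k2=v2' into a dict (sufficient for this exchange)."""
    out = {}
    for part in header.split(" ", 1)[1].split(", "):
        key, _, value = part.partition("=")
        out[key] = value.strip('"')
    return out

def run_exchange(password_tried: str, replay: bool = False) -> bool:
    """Full round trip for user 'larry'; with replay=True, resend the same proof a second time."""
    realm = "Members Only Area"          # the AuthName used in the tutorial's digest block
    server = DigestServer(htdigest_line("larry", realm, "larrysecret"), realm)
    chal = parse_challenge(server.challenge())
    params = client_response("larry", chal["realm"], password_tried, chal["nonce"],
                             "GET", "/membersonly/", cnonce=secrets.token_hex(8))
    accepted = server.verify("GET", params)
    if replay:
        return server.verify("GET", params)
    return accepted
```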
Using LDAP for Apache Authentication:
This method authenticates using Apache 2.0/2.2 and the LDAP authentication modules on Linux (supplied by default with most Linux distros) and an LDAP server. LDAP can be used to authenticate user accounts on Linux and other computer systems as well as web site logins.

Also see YoLinux TUTORIAL: LDAP system authentication.

Try this out with your Apache server authenticating to our open LDAP server using our Three Stooges example.

Apache LDAP modules:
Note that the following configurations work if the LDAP modules are enabled:
  - Apache 2.0 (Red Hat Enterprise 4/CentOS 4): mod_ldap, mod_auth_ldap
  - Apache 2.2 (Red Hat Enterprise 5/CentOS 5): mod_ldap, mod_authnz_ldap

These are turned on by default. See /etc/httpd/conf/httpd.conf

Apache 2.0:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule auth_ldap_module modules/mod_auth_ldap.so

Apache 2.2:

    LoadModule ldap_module modules/mod_ldap.so
    LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
Apache Authentication Configuration:

Apache 2.0:
Authenticate to an open LDAP server. (No bind name/password required to access the LDAP server.)

File: httpd.conf (portion)

    ...
    <Directory /var/www/html>
        AuthType Basic
        AuthName "Stooges Web Site: Login with email address"
        AuthLDAPURL ldap://ldap.yolinux.com:389/o=stooges?mail
        require valid-user
    </Directory>
    ...

or create the file /var/www/html/.htaccess:

    AuthName "Stooges Web Site: Login with email address"
    AuthType Basic
    AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
    require valid-user

Point your browser to http://localhost/ and login with the user id "LFine@isp.com" and password "larrysecret". You will be asked to use a user id (email address) and password to enter the site.

Bind with a bind DN: (password protected LDAP repository)

File: httpd.conf (portion)

    ...
    <Directory /var/www/html>
        AuthType Basic
        AuthName "Stooges Web Site: Login with email address"
        AuthLDAPEnabled on
        AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?mail
        AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
        AuthLDAPBindPassword secret1
        require valid-user
    </Directory>
    ...

Examples:
  - require valid-user: Allow all users if authentication (password) is correct.
  - require user greg phil bob: Allow only greg, phil and bob to login.
  - require group accounting: Allow only users in group "accounting" to authenticate.

For this LDAP authentication example to work, configure your LDAP server with our YoLinux Three Stooges example and set the password in the /etc/openldap/slapd.conf file.

This example specified the use of the email address as a login id. If using user ids, specify:

    AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid
Apache 2.2:
Authenticate using Apache httpd 2.2 AuthzLDAP:

User Authentication:
File: httpd.conf (portion)

    ...
    <Directory /var/www/html>
        AuthType Basic
        AuthName "Stooges Web Site: Login with user id"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
        AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
        AuthLDAPBindPassword secret1
        require ldap-user lary curley moe joe bob mary
    </Directory>
    ...

There are two configurations for the directive AuthzLDAPAuthoritative:

  - AuthzLDAPAuthoritative on (default):

        AuthzLDAPAuthoritative on
        ...
        require ldap-user lary curley moe joe bob mary

  - AuthzLDAPAuthoritative off:

        AuthzLDAPAuthoritative off
        ...
        require valid-user

    This configuration allows a waterfall of other authentication methods to be employed alongside LDAP.
Group Authentication:
LDAP LDIF file: (part of our stooges example)

    dn: cn=users,ou=group,o=stooges
    cn: users
    objectClass: top
    objectClass: posixGroup
    gidNumber: 100
    memberUid: larry
    memberUid: moe

Apache Configuration:

    ...
    <Directory /var/www/html>
        Order deny,allow
        Deny from All
        AuthType Basic
        AuthName "Stooges Web Site: Login with user id"
        AuthBasicProvider ldap
        AuthzLDAPAuthoritative on
        AuthLDAPURL ldap://ldap.your-domain.com:389/o=stooges?uid?sub
        AuthLDAPBindDN "cn=StoogeAdmin,o=stooges"
        AuthLDAPBindPassword secret1
        AuthLDAPGroupAttribute memberUid
        AuthLDAPGroupAttributeIsDN off
        Require ldap-group cn=users,ou=group,o=stooges
        Require ldap-attribute gidNumber=100
        Satisfy any
    </Directory>
    ...

Note:
  - Users listed (LDAP attribute memberUid) in the group with gidNumber: 100 of objectClass: posixGroup whose entry matches the login uid are granted authentication approval.
  - The directive AuthLDAPGroupAttribute identifies the attribute to match with the login uid.
  - AuthLDAPGroupAttributeIsDN:
      on (default): Use the DN (Distinguished Name), e.g. cn=Moe Howard,ou=MemberGroupA,o=stooges
      off: Use the username, e.g. moe
  - Multiple Require ldap-group ... statements may be included to allow multiple groups.
  - Multiple Require ldap-attribute ... statements may be included to allow multiple groups.
  - The directive Satisfy any is required if testing multiple conditions. Only one positive in any of the conditions is required to authenticate. Thus you can combine the following authorization schemes as well:
        Require ldap-user
        Require ldap-dn
        Require ldap-attribute
        Require ldap-filter
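To show what AuthLDAPGroupAttribute and AuthLDAPGroupAttributeIsDN change in the group check above, an added Python model (not Apache's code) of how the Require ldap-group and Require ldap-attribute lines are evaluated over the posixGroup LDIF from this page; the user entries carrying uid and gidNumber are constructed, and the "any one Require passes" rule follows the note on Satisfy any.

```python
"""Model of the mod_authnz_ldap group check from the tutorial's posixGroup LDIF.
Added example, not Apache code: it shows why 'Require ldap-group' against a posixGroup
needs 'AuthLDAPGroupAttribute memberUid' with 'AuthLDAPGroupAttributeIsDN off'.
User entries (uid, gidNumber) are constructed; the group entry is the page's."""
from collections import defaultdict

# Constructed directory contents in LDIF: the page's group plus three user entries.
LDIF = """\
dn: cn=users,ou=group,o=stooges
cn: users
objectClass: top
objectClass: posixGroup
gidNumber: 100
memberUid: larry
memberUid: moe

dn: cn=Moe Howard,ou=MemberGroupA,o=stooges
uid: moe
gidNumber: 100

dn: cn=Larry Fine,ou=MemberGroupA,o=stooges
uid: larry
gidNumber: 100

dn: cn=Joe Besser,ou=MemberGroupA,o=stooges
uid: joe
gidNumber: 101
"""

def parse_ldif(text):
    """Return {dn: {attr: [values]}} for blank-line separated entries."""
    directory = {}
    for block in text.strip().split("\n\n"):
        attrs = defaultdict(list)
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            attrs[key].append(value)
        directory[attrs["dn"][0]] = attrs
    return directory

def find_user(directory, login):
    """AuthLDAPURL ...?uid?sub: search the subtree for uid=<login>; return (dn, entry)."""
    for dn, entry in directory.items():
        if login in entry.get("uid", []):
            return dn, entry
    return None, None

def require_ldap_group(directory, login, group_dn, group_attr="member", attr_is_dn=True):
    """Require ldap-group <group_dn>, with AuthLDAPGroupAttribute / AuthLDAPGroupAttributeIsDN."""
    user_dn, _ = find_user(directory, login)
    group = directory.get(group_dn)
    if user_dn is None or group is None:
        return False
    # on: the group attribute holds full DNs; off: it holds the login name (uid)
    needle = user_dn if attr_is_dn else login
    return needle in group.get(group_attr, [])

def require_ldap_attribute(directory, login, spec):
    """Require ldap-attribute gidNumber=100: matched against the user's own entry."""
    _, entry = find_user(directory, login)
    attr, _, value = spec.partition("=")
    return entry is not None and value in entry.get(attr, [])

def authorize(directory, login, requires, satisfy_any=True):
    """Evaluate a list of Require checks; 'Satisfy any' passes on any single success."""
    results = [check(directory, login) for check in requires]
    return any(results) if satisfy_any else all(results)

DIRECTORY = parse_ldif(LDIF)
GROUP_DN = "cn=users,ou=group,o=stooges"

def page_config(login):
    """The tutorial's Group Authentication block: memberUid, IsDN off, gidNumber=100, Satisfy any."""
    return authorize(DIRECTORY, login, [
        lambda d, u: require_ldap_group(d, u, GROUP_DN, "memberUid", attr_is_dn=False),
        lambda d, u: require_ldap_attribute(d, u, "gidNumber=100"),
    ])

def misconfigured(login):
    """Same group check with the default AuthLDAPGroupAttributeIsDN on: memberUid never matches a DN."""
    return require_ldap_group(DIRECTORY, login, GROUP_DN, "memberUid", attr_is_dn=True)
```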
Concurrent File and LDAP authentication:
Apache can use both File and LDAP authentication concurrently. This is sometimes required to run cron jobs with a login where you do not want to use a system login or a login managed by a directory server in another department.

    <Directory /ABC>
        Order deny,allow
        Deny from All
        AuthType Basic
        AuthBasicProvider file ldap
        AuthName "Directory services login"
        AuthBasicAuthoritative off
        AuthUserFile /srv/htpasswd
        AuthGroupFile /dev/null
        AuthzLDAPAuthoritative off
        AuthLDAPURL "ldap://ldap.megacorp.com:389/ou=person,o=megacorp.com,c=us?uid?sub"
        # This user was created for local cron jobs. It is not a system user and allows
        # the cron job to perform its task.
        # This user is not in the LDAP directory but in the password file /srv/htpasswd
        Require user cronuserjobx
        Require ldap-user usera userb
    </Directory>

Note:
  - AuthBasicProvider file ldap: Check password "file" authentication, then LDAP.
  - AuthBasicAuthoritative off: Allows fall back to another auth scheme, in this case LDAP.
  - AuthzLDAPAuthoritative off: Allows fall back to another auth scheme besides LDAP, in this case file.
Debugging Apache Authentication:
Set LogLevel debug when debugging authentication. This will log all the LDAP connection events and the LDAP attributes requested.

Authenticating with Microsoft Active Directory using Microsoft's "Unix services for Windows":

    AuthLDAPURL ldap://ldap.your-domain.com:389/ou=Employees,ou=Accounts,dc=sos,dc=com?sAMAccountName?sub

Also note that encrypted connections will use the URL prefix "ldaps://" and the added directives:

    LDAPTrustedCA directory-path/filename
    LDAPTrustedCAType type

Where the "type" is one of:
  - DER_FILE: file in binary DER format
  - BASE64_FILE: file in Base64 format
  - CERT7_DB_PATH: Netscape certificate database file

Restart Apache after editing the configuration file (service httpd restart) for configuration changes to take effect. See /var/log/httpd/error_log for configuration errors.
Links:
  - YoLinux Tutorial: Configuration of an LDAP server - includes a quick start example using the Three Stooges.
  - YoLinux Tutorial: Apache web server configuration
  - Apache documentation:
      Apache 2.0: mod_ldap, mod_auth_ldap
      Apache 2.2: mod_ldap, mod_authnz_ldap
  - Other LDAP modules:
      Apache LDAP module auth_ldap (Apache 1.3)
      Apache LDAP module mod_ldap_userdir (Apache 2.x)
      Apache mod_auth_ldap web server module for authentication with Netscape or OpenLDAP servers (HowTo)
Using NIS for Apache Authentication:
This method authenticates using Apache on Linux and an NIS server. The advantage of using NIS is the commonality of computer system accounts and web site logins. This configuration requires that the system the Apache web server is running on must be using NIS authentication for system logins.

This requires a NIS server. See the YoLinux.com NIS configuration tutorial.

Requires the Linux RPM package mod_perl and the following Perl modules:
  - ExtUtils-AutoInstall
  - Net-NIS
  - Apache2-AuthenNIS or Apache-AuthenNIS

The version of Apache determines which Perl modules to use:
  - Apache 2.2 (RHEL5, CentOS5, FC6): Use the Perl module Apache2-AuthenNIS.
  - Apache 2.0 (RHEL4, CentOS4, FC3): Use the Perl module Apache-AuthenNIS.

Download / Install Perl modules:

Download "ExtUtils-AutoInstall" as an RPM from RepoForge. RPM: perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm

Install:

    rpm -ivh perl-ExtUtils-AutoInstall-0.63-1.2.el4.rf.noarch.rpm
Net-NIS: (CPAN)

    tar xzf Net-NIS-0.34.tar.gz
    cd Net-NIS-0.34/
    perl Makefile.PL
    make
    make install

Apache(2)-AuthenNIS:

  Apache 2.2 - Apache2-AuthenNIS: (CPAN)

    tar xzf Apache2-AuthenNIS-0.15.tar.gz
    cd Apache2-AuthenNIS-0.15
    perl Makefile.PL
    make
    make install

  Apache 2.0 - Apache-AuthenNIS: (CPAN)

    tar xzf Apache-AuthenNIS-0.13.tar.gz
    cd Apache-AuthenNIS-0.13
    perl Makefile.PL
    make
    make install

Or install from CPAN via the internet:

    perl -MCPAN -e shell
    (Answer no)
    install ExtUtils::AutoInstall
    install Net::NIS
    install Apache2::AuthenNIS (or Apache::AuthenNIS)
    quit
Test Perl module:

File: testApache2AuthenNIS.pl

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Add the directory where the module was installed to the module search path
    BEGIN { push @INC, "/usr/lib/perl5/site_perl/5.8.8/Apache2"; }
    # Load the module at run time; $@ holds the error message if it is missing
    eval "use Apache2::AuthenNIS";
    my $hasApacheAuth = $@ ? 0 : 1;
    print "Apache2::AuthenNIS" . ($hasApacheAuth ? "" : " not") . " installed\n";

Test:

    [root]# ./testApache2AuthenNIS.pl

  Good:     Apache2::AuthenNIS installed
  Not good: Apache2::AuthenNIS not installed

OR

File: testApacheAuthenNIS.pl

    #!/usr/bin/perl
    use strict;
    use warnings;
    # Add the directory where the module was installed to the module search path
    BEGIN { push @INC, "/usr/lib/perl5/site_perl/5.8.5/Apache"; }
    # Load the module at run time; $@ holds the error message if it is missing
    eval "use Apache::AuthenNIS";
    my $hasApacheAuth = $@ ? 0 : 1;
    print "Apache::AuthenNIS" . ($hasApacheAuth ? "" : " not") . " installed\n";

Test:

    [root]# ./testApacheAuthenNIS.pl

  Good:     Apache::AuthenNIS installed
  Not good: Apache::AuthenNIS not installed
Apache NIS authentication Examples:
  1. require valid-user: Allow all users if authentication (password) is correct.
  2. require user greg phil bob: Allow only greg, phil and bob to login.
  3. require group accounting: Allow only users in group "accounting" to authenticate.
1) Restrict access to NIS authenticated users:

Apache Configuration File: httpd.conf (portion)

    ...
    <Directory /home/domain/public_html/membersonly>
        AuthType Basic
        AuthName "Add your login message here."
        # or Apache::AuthenNIS for Apache 2.0
        PerlAuthenHandler Apache2::AuthenNIS
        PerlSetVar AllowAlternateAuth no
        require valid-user
    </Directory>
    ...

2) Restrict to listed users greg, phil and bob, but still authenticate to NIS:

Apache Configuration File: httpd.conf (portion)

    ...
    <Directory /home/domain/public_html/membersonly>
        AuthType Basic
        AuthName "Add your login message here."
        # or Apache::AuthenNIS for Apache 2.0
        PerlAuthenHandler Apache2::AuthenNIS
        PerlSetVar AllowAlternateAuth no
        require user greg phil bob
    </Directory>
    ...

3) Restrict access to NIS members of a specific NIS group:

Apache Configuration File: httpd.conf (portion)

    ...
    <Directory /home/domain/public_html/membersonly>
        AuthType Basic
        AuthName "Add your login message here."
        # or Apache::AuthenNIS and Apache::AuthzNIS for Apache 2.0
        PerlAuthenHandler Apache2::AuthenNIS
        PerlAuthzHandler Apache2::AuthzNIS
        PerlSetVar AllowAlternateAuth no
        require group accounting
    </Directory>
    ...

Note: Apache2::AuthzNIS only checks for group membership by group name (not GID). Apache2::AuthenNIS is still required to authenticate the user (check the password).

Example showing password protection for user web directories:

Apache Configuration File: httpd.conf (portion)

    ...
    <IfModule mod_userdir.c>
        UserDir public_html
    </IfModule>
    <Directory /home/*/public_html>
        AuthType Basic
        AuthName "Add your login message here."
        # or Apache::AuthenNIS for Apache 2.0
        PerlAuthenHandler Apache2::AuthenNIS
        PerlSetVar AllowAlternateAuth no
        require valid-user
        AllowOverride FileInfo AuthConfig Limit
        Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec
        <Limit GET POST OPTIONS>
            Order allow,deny
            Allow from all
        </Limit>
        <LimitExcept GET POST OPTIONS>
            Order deny,allow
            Deny from all
        </LimitExcept>
    </Directory>
    ...
Also see YoLinux SysAdmin: Perl Admin

Links:
  - NIS+ (More secure than NIS): Apache::AuthenNISPlus
  - Group NIS authentication: Apache2::AuthzNIS, Apache::AuthzNIS

Note:
Apache allows further restriction by client IP network address or subnet. Passwords can also be sent over an encrypted https connection by use of the Apache directive SSLRequireSSL. See Apache SSL/TLS encryption.

[Potential Pitfall]:
This method of authentication will fail if using "adjunct password maps". This Perl module requires the use of the library call yp_match() which must have access to the encrypted passwords. If "adjunct password maps" are used, then this is not accessible to processes other than root, thus the web server daemon process apache will not be able to access the data required. Test your system using the command ypcat passwd | head. If the second field is prefixed with "##", then this Perl module will not work. If the second field is an encrypted password, then this Perl module can work.
CGI to allow users to modify their NIS Passwords:
For those users who get a shell of /sbin/nologin, the "cgipaf" web interface is ideal for user management of NIS passwords. Cgipaf uses PHP, cgi (written in C) and your system PAM authentication (or the /etc/passwd, /etc/shadow files). Cgipaf also can manage mail accounts using procmail.

Download from http://www.wagemakers.be/english/programs/cgipaf

Installation/configuration:

    tar xf cgipaf-1.3.1.tar.gz
    cd cgipaf-1.3.1/
    ./configure --bindir=/var/www/cgi-bin --datadir=/srv/cgipaf --sysconfigdir=/etc/cgipaf --prefix=/opt
    make
    make install
    cd /srv/cgipaf
    ln -s cgipasswd.php index.php

Note: nothing ends up in /opt

File: /etc/httpd/conf.d/cgipaf.conf (Red Hat style systems)

    Alias /NIS/ "/srv/cgipaf/"
    <Directory "/srv/cgipaf">
        SSLRequireSSL
        Options Indexes FollowSymLinks
        AllowOverride None
        Order allow,deny
        Allow from all
    </Directory>

Note the Apache 2 directive "SSLRequireSSL" will only allow https encrypted access. This is important when managing passwords over the web.

The PHP pages reside in /srv/cgipaf/. The compiled C cgi will reside in /var/www/cgi-bin. The configuration file will be /etc/cgipaf/cgipaf.conf.

See the web page at http://localhost/NIS/
Using a MySQL database for Apache Authentication:
Two Apache modules are available for database authentication:
  - MySQL: mod_auth_mysql (This tutorial)
      Red Hat RPM package: mod_auth_mysql
      SuSE RPM package: apache2-mod_auth_mysql
  - DBM database file: mod_auth_dbm (Fast even for 1000's of users.)

Apache Configuration:
  Red Hat: /etc/httpd/conf/httpd.conf or /etc/httpd/conf.d/application.conf
  SuSE: /etc/apache2/httpd.conf or /etc/apache2/conf.d/application.conf

    ...
    <Directory /home/domain/public_html/membersonly>
        AuthType Basic
        AuthName "Add your login message here."
        AuthMySQLHost localhost
        AuthMySQLUser db_user
        AuthMySQLPassword db_password
        AuthMySQLDB database_name_used_for_authentication
        AuthMySQLUserTable http_auth
        AuthMySQLPwEncryption none
        AuthMySQLEnable on
        require valid-user
    </Directory>
    ...

Examples:
  - require valid-user: Allow all users if authentication (password) is correct.
  - require user greg phil bob: Allow only greg, phil and bob to login.
  - require group accounting: Allow only users in group "accounting" to authenticate.
Directives:

  AuthMySQLEnable On
      If 'Off', MySQL authentication will pass on the authentication job to the other authentication modules, i.e. password files.
  AuthMySQLHost host_name
      Name of the MySQL database host, i.e. 'localhost'.
  AuthMySQLPort TCP_Port_number
      Port number of the MySQL database. Default: 3306
  AuthMySQLDB database_name
      Name of the MySQL database.
  AuthMySQLUser user_id
      MySQL database login id.
  AuthMySQLPassword user_password
      MySQL database login password. Plain text.
  AuthMySQLUserTable user_table_name
      Name of the MySQL database table which holds the user names and passwords.
  AuthMySQLGroupTable group_table_name
      Database table holding group info.
  AuthMySQLNameField user_field_name
      If not using the default field name 'user_name', then specify. Not case sensitive if CHAR or VARCHAR.
  AuthMySQLPasswordField password_field_name
      If not using the default field name 'user_passwd', then specify. Passwords are case sensitive.
  AuthMySQLGroupField group_field_name
      If not using the default field name 'groups', then specify.
  AuthMySQLNoPasswd Off
      Off: Passwords can be null (''). On: password must be specified.
  AuthMySQLPwEncryption none
      Options: none, crypt, scrambled (MySQL password encryption), md5, aes, sha. If you are going to use plain-text passwords for MySQL authentication, you must include this directive with the argument "none".
  AuthMySQLSaltField salt_string | mysql_column_name
      Salt field to be used for crypt and aes.
  AuthMySQLAuthoritative on
      Authenticate using other authentication modules after the user is successfully authenticated by the MySQL auth module. Default on: request is not passed on.
  AuthMySQLKeepAlive Off
      Off: Close the MySQL link after each authentication request.
MySQL Admin:

    mysqladmin -h localhost -u root -ppassword create http_auth
    mysql -h localhost -u root -ppassword
    mysql> use http_auth
    mysql> create table mysql_auth ( user_name char(30) NOT NULL, user_passwd char(60) NOT NULL, user_group char(25), primary key (user_name) );
    mysql> insert into mysql_auth values('Fred','supersecret','worker');
Links:
  - Home page for mod_auth_mysql
  - Home page for mod_auth_dbm [Apache 1.3] - [Apache 2.0]
  - YoLinux MySQL tutorial
Login URL Tricks:
Here is a trick to incorporate a login and password into a URL. Typically one would attempt to enter the password protected area of the web site and the user would be confronted with a login dialog box into which one would enter the user id and password. Another option is to enter a URL with the login and password embedded:

    http://login-id:password@UrlOfDomain.com/protectedPath/WebPage.html
Links:
Apache:
  - Users authentication with .dbmpasswd password file
  - Apache::AuthenSmb, Apache2::AuthenSmb - Microsoft Active Directory authentication
  - Apache::AuthenMSAD, Apache2::AuthenMSAD - Samba NT PDC authentication
  - Apache::AuthenNTLM, Apache2::AuthenNTLM - Microsoft NTLM LAN protocol supported by MS/Internet Explorer. Login/password credentials are passed on to the web server by the IE browser.

Other forms of web authentication:
  - Facebook Platform authentication - Using the OAuth protocol, the Facebook API allows developers to use Javascript, PHP, Python, etc.
  - IETF OAuth 2.0 Protocol draft
  - OpenID - decentralized URL based auth
      Authentication Server Providers: Yahoo OpenID, Google OpenID, OpenID for Google Apps API, Launchpad, Verisign OpenID (two factor auth)
      API: mod_auth_openid (Apache 2), OpenId4Java, List of OpenID Libraries (developer interfaces)
  - SAML: Security Assertion Markup Language - XML based authentication
      Authentication Server Providers: Google SAML
Books:
  - "Apache Server Bible 2" by Mohammed J. Kabir, ISBN 0764548212, Hungry Minds.
    This book is very complete covering all aspects in detail. It is not your basic reprint of the apache.org documents like so many others.
  - "LDAP System Administration", Gerald Carter, ISBN 1565924916, O'Reilly & Associates.
    This book covers the use of OpenLDAP and the integration of services.
  - "Managing NFS and NIS", by Hal Stern, Mike Eisler, Ricardo Labiaga, ISBN 1565925106, O'Reilly & Associates.
Copyright © 2000 - 2012 by Greg Ippolito