NAME

Apache::AuthzDBI - Authorization via Perl's DBI

SYNOPSIS

# Configuration in httpd.conf or srm.conf:

PerlModule Apache::AuthzDBI

# Authorization in .htaccess:

AuthName DBI
AuthType Basic

#authorize via DBI
PerlAuthzHandler Apache::AuthzDBI

PerlSetVar Auth_DBI_data_source   dbi:driver:dsn
PerlSetVar Auth_DBI_username      db_username
PerlSetVar Auth_DBI_password      db_password
#DBI->connect($data_source, $username, $password)

PerlSetVar Auth_DBI_grp_table     users
PerlSetVar Auth_DBI_uid_field     username
PerlSetVar Auth_DBI_grp_field     groupname
#SELECT grp_field FROM grp_table WHERE uid_field=$user AND grp_field=$group

<Limit GET>
require user   user_1  user_2 ...
require group group_1 group_2 ...
</Limit>

The AuthType is limited to Basic. You may use one or more valid require lines. For a single require line with the token valid-user or with distinct user names, it is sufficient to use only the AuthenDBI module.

DESCRIPTION

This module allows authorization against a database using Perl's DBI. For supported DBI drivers see:

http://www.hermetica.com/technologia/DBI/

When the authorization handler is called, authentication has already been done. This means that the given username/password has been validated.

The handler analyzes and processes the requirements line by line. The request is accepted only if all requirement lines are accepted.

In case of one or more user-names, they are compared with the given user-name until the first match. If there is no match and the authoritative directive is set to 'on', the request is rejected.

In case of one or more group-names, for every group the given user is looked up in the database with the constraint that the user must be a member of this group. If there is no match and the authoritative directive is set to 'on', the request is rejected.

In case of 'valid-user' the request is accepted.

In case the authorization succeeds, the environment variable REMOTE_GROUP is set to the group name, so scripts that are protected by AuthzDBI don't need to bang on the database server again to get the group name.
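The decision procedure described above, as an added sketch that is not the module's own source. The helper name authz_decision, its return values, the in-memory SQLite database (requires DBD::SQLite) and the sample rows are assumptions constructed for illustration; user and group names are bound as placeholders, while the configured table and field names are quoted as identifiers.

```perl
use strict;
use warnings;
use DBI;

# Hypothetical helper (not the module's API): apply all require lines for $user.
# Returns ('OK', $group), 'FORBIDDEN', or 'DECLINED' when not authoritative.
sub authz_decision {
    my ($dbh, $cfg, $user, @requires) = @_;
    # Table and field names come from configuration and cannot be bound as
    # placeholders, so quote them as identifiers. User and group are bound.
    my $sql = sprintf 'SELECT %s FROM %s WHERE %s = ? AND %s = ?',
        map { $dbh->quote_identifier($cfg->{$_}) }
        qw(grp_field grp_table uid_field grp_field);

    my $remote_group;
    for my $line (@requires) {
        my ($kind, @names) = split ' ', $line;
        my $ok = 0;
        if ($kind eq 'valid-user') {
            $ok = 1;
        } elsif ($kind eq 'user') {
            $ok = grep { $_ eq $user } @names;
        } elsif ($kind eq 'group') {
            for my $group (@names) {
                my ($hit) = $dbh->selectrow_array($sql, undef, $user, $group);
                next unless defined $hit;
                ($ok, $remote_group) = (1, $hit);
                last;
            }
        }
        # Every require line must be accepted; the first failure ends the check.
        return $cfg->{authoritative} ? 'FORBIDDEN' : 'DECLINED' unless $ok;
    }
    return ('OK', $remote_group);
}

# Constructed sample data in an in-memory SQLite database.
my $dbh = DBI->connect('dbi:SQLite:dbname=:memory:', '', '', { RaiseError => 1 });
$dbh->do('CREATE TABLE users (username TEXT, groupname TEXT)');
$dbh->do('INSERT INTO users VALUES (?, ?)', undef, @$_)
    for ['alice', 'admin'], ['bob', 'staff'];
my %cfg = (grp_table => 'users', uid_field => 'username',
           grp_field => 'groupname', authoritative => 1);
my @requires = ('valid-user', 'group admin wheel');

# The last name contains a quote; it is treated as data because it is bound.
for my $user ('alice', 'bob', q{o'brien}) {
    my ($status, $group) = authz_decision($dbh, \%cfg, $user, @requires);
    printf "%-10s %-9s REMOTE_GROUP=%s\n", $user, $status, $group // '-';
}
```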

LIST OF TOKENS

  • Auth_DBI_data_source

    The data_source value should begin with 'dbi:driver_name:'. This value (with the 'dbi:...:' prefix removed) is passed to the database driver for processing during connect.

  • Auth_DBI_username

    The username argument is passed to the database driver for processing during connect.

  • Auth_DBI_password

    The password argument is passed to the database driver for processing during connect.

  • Auth_DBI_grp_table

    Contains at least the fields with the username and the groupname.

  • Auth_DBI_uid_field

    Field-name containing the username in the Auth_DBI_grp_table.

  • Auth_DBI_grp_field

    Field-name containing the groupname in the Auth_DBI_grp_table.

  • Auth_DBI_authoritative < on / off >

    Default is 'on'. When set 'on', there is no fall-through to other authorization methods if the authorization check fails. When this directive is set to 'off', control is passed on to any other authorization modules. Be sure you know what you are doing when you decide to switch it off.

  • Auth_DBI_casesensitive < on / off >

    Default is 'on'. When set 'off', the entered userid and password are converted to lower case.

CONFIGURATION

The module should be loaded upon startup of the Apache daemon. It needs the AuthenDBI module for the authentication part. Add the following lines to your httpd.conf or srm.conf:

PerlModule Apache::AuthenDBI
PerlModule Apache::AuthzDBI

PREREQUISITES

For AuthzDBI you need to enable the appropriate call-back hooks when making mod_perl:

perl Makefile.PL PERL_AUTHEN=1 PERL_AUTHZ=1

SEE ALSO

Apache, mod_perl, DBI

AUTHORS

  • mod_perl by Doug MacEachern <dougm@osf.org>

  • DBI by Tim Bunce <Tim.Bunce@ig.co.uk>

  • Apache::AuthzDBI by Edmund Mergl <E.Mergl@bawue.de>

COPYRIGHT

The Apache::AuthzDBI module is free software; you can redistribute it and/or modify it under the same terms as Perl itself.
