authentication or authorization method. In fact any number of the
providers can be mixed and matched to provide you with exactly the
scheme that meets your needs. In the following example, both the
- file and ldap based authentication providers are being used.</p>
+ file and LDAP based authentication providers are being used.</p>
<div class="example"><p><code>
<Directory /www/docs/private><br />
</code></p></div>
<p>In this example the file provider will attempt to authenticate
- the user first. If it is unable to authenticate the user, the ldap
+ the user first. If it is unable to authenticate the user, the LDAP
provider will be called. This allows the scope of authentication
to be broadened if your organization implements more than
one type of authentication store. Other authentication and authorization
scenarios may include mixing one type of authentication with a
different type of authorization. For example, authenticating against
- a password file yet authorizing against and ldap directory.</p>
+ a password file yet authorizing against an LDAP directory.</p>
<p>Just as multiple authentication providers can be implemented, multiple
authorization methods can also be used. In this example both file group
- authorization as well as ldap group authorization is being used.</p>
+ authorization as well as LDAP group authorization is being used.</p>
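Review bot: the LDAP capitalisation fixes are fine, but two of the touched sentences still read awkwardly and could be tidied in the same change: "file and LDAP based authentication providers" should be "file- and LDAP-based authentication providers", and "both file group authorization as well as LDAP group authorization is being used" mixes "both" with "as well as" and has a singular verb for a plural subject; suggest "both file group authorization and LDAP group authorization are being used".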
<div class="example"><p><code>
<Directory /www/docs/private><br />
<div class="example"><p><code>
# if ((user == "John") ||<br />
- # ((Group == "admin")<br />
+ # ((Group == "admins")<br />
# && (ldap-group <ldap-object> contains auth'ed_user)<br />
# && ((ldap-attribute dept == "sales")<br />
# || (file-group contains auth'ed_user))))<br />
</code></p></div>
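Review bot: the pseudo-code comment now reads `(Group == "admins")`, but the Require directive it mirrors is outside this hunk's context, so the rename cannot be checked from the diff alone; please confirm that the group name in the directive and in the comment agree, otherwise the worked explanation describes a different rule from the configuration it follows.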
<p>By default all <code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code>
- directives are handled through and OR operation. In other words, if
+ directives are handled through an OR operation. In other words, if
any of the specified authorization methods succeed, then authorization
is granted. By enclosing a set of
<code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> directives within
<p>This module provides authorization capabilities so that
authenticated users can be allowed or denied access to portions
- of the web site by group membership. It also provides
- database/backend login/logout in conjunction with
- <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>.</p>
+ of the web site by group membership. Similar functionality is
+ provided by <code class="module"><a href="../mod/mod_authz_groupfile.html">mod_authz_groupfile</a></code> and
+ <code class="module"><a href="../mod/mod_authz_dbm.html">mod_authz_dbm</a></code>, with the exception that
+ this module queries a SQL database to determine whether a
+ user is a member of a group.</p>
+ <p>This module can also provide database-backed user login/logout
+ capabilities. These are likely to be of most value when used
+ in conjunction with <code class="module"><a href="../mod/mod_authn_dbd.html">mod_authn_dbd</a></code>.</p>
+ <p>This module relies on <code class="module"><a href="../mod/mod_dbd.html">mod_dbd</a></code> to specify
+ the backend database driver and connection parameters, and
+ manage the database connections.</p>
</div>
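Review bot: the new description says the module "queries a SQL database" and delegates driver and connection handling to mod_dbd, but it says nothing about how the `%s` placeholder in those queries is filled in. Since the value substituted is the user name supplied by the client at authentication time, add a sentence stating whether mod_dbd binds it as a prepared-statement parameter or whether the administrator is responsible for quoting; without that, readers have to guess whether the example queries are safe against injection.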
<div id="quickview"><h3 class="directives">Directives</h3>
<ul id="toc">
</ul><h3>See also</h3>
<ul class="seealso">
<li><code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code></li>
+<li>
+ <code class="directive"><a href="../mod/mod_authz_core.html#authzmergerules">AuthzMergeRules</a></code>
+</li>
+<li>
+ <code class="directive"><a href="../mod/mod_authn_dbd.html#authdbduserpwquery">AuthDBDUserPWQuery</a></code>
+</li>
<li><code class="directive"><a href="../mod/mod_dbd.html#dbdriver">DBDriver</a></code></li>
<li><code class="directive"><a href="../mod/mod_dbd.html#dbdparams">DBDParams</a></code></li>
</ul></div>
<div class="section">
<h2><a name="login" id="login">Database Login</a></h2>
-<p>In addition to the standard authz function of checking group
-membership, this module provides database Login/Logout capability.
-Specifically, we can maintain a logged in/logged out status in
-the database, and control the status via designated URLs (subject
-of course to users supplying the necessary credentials).</p>
+<p>
+In addition to the standard authorization function of checking group
+membership, this module can also provide server-side user session
+management via database-backed login/logout capabilities.
+Specifically, it can update a user's session status in the database
+whenever the user visits designated URLs (subject of course to users
+supplying the necessary credentials).</p>
<p>This works by defining two special
<code class="directive"><a href="../mod/mod_authz_core.html#require">Require</a></code> types:
<code>Require dbd-login</code> and <code>Require dbd-logout</code>.
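Review bot: the rewritten paragraph drops the old text's explicit "logged in/logged out status in the database", yet the configuration example further down relies on exactly that stored status (`AND login = 'true'` in AuthDBDUserPWQuery) to refuse authentication to users who have not logged in. Keep one sentence saying that the status written by the login/logout statements can be tested by the authentication query, so the purpose of those statements is clear before the reader reaches the example.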
<div class="section">
<h2><a name="client" id="client">Client Login</a></h2>
-<p>In conjunction with server login/logout, we may wish to implement
-clientside login/out, for example by setting and unsetting a cookie
-or other such token. Although this is not the business of an authz
-module, client session management software should be able to tie its
-operation in to database login/logout. To support this,
-<code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code> exports an optional hook that will
-be run whenever a user successfully logs into or out of the database.
-Session management modules can use the hook to implement functions
-to start and end a client session.</p>
+<p>Some administrators may wish to implement client-side session
+management that works in concert with the server-side login/logout
+capabilities offered by this module, for example, by setting or unsetting
+an HTTP cookie or other such token when a user logs in or out.
+To support such integration, <code class="module"><a href="../mod/mod_authz_dbd.html">mod_authz_dbd</a></code> exports an
+optional hook that will be run whenever a user's status is updated in
+the database. Other session management modules can then use the hook
+to implement functions that start and end client-side sessions.</p>
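Review bot: the hook is now described as running "whenever a user's status is updated in the database", whereas the old text said it ran when a user "successfully logs into or out". If the hook fires only after the UPDATE has succeeded, say so explicitly: a session module that sets a cookie from this hook needs to know it will not be called for a failed or no-op update, otherwise it could hand out a client-side session with no matching server-side login.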
</div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div>
<div class="section">
<h2><a name="example" id="example">Configuration Example</a></h2>
# mod_authn_dbd SQL query to authenticate a logged-in user
AuthDBDUserPWQuery \
- "SELECT password FROM authn WHERE user = %s AND login = true"
+ "SELECT password FROM authn WHERE user = %s AND login = 'true'"
# mod_authz_core configuration for mod_authz_dbd
+ AuthzMergeRules Off
Require dbd-group team
# mod_authz_dbd configuration
AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"
# when a user fails to be authenticated or authorized,
- # invite them to login
- ErrorDocument 401 /team-private/login-form.html
+ # invite them to login; this page should provide a link
+ # to /team-private/login.html
+ ErrorDocument 401 /login-info.html
<Files login.html>
# don't require user to already be logged in!
"SELECT password FROM authn WHERE user = %s"
# dbd-login action executes a statement to log user in
+ AuthzMergeRules Off
Require dbd-login
AuthzDBDQuery \
- "UPDATE authn SET login = true WHERE user = %s"
+ "UPDATE authn SET login = 'true' WHERE user = %s"
# return user to referring page (if any) after
# successful login
<Files logout.html>
# dbd-logout action executes a statement to log user out
+ AuthzMergeRules Off
Require dbd-logout
AuthzDBDQuery \
- "UPDATE authn SET login = false WHERE user = %s"
+ "UPDATE authn SET login = 'false' WHERE user = %s"
</Files>
</Directory>
</pre></div>
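Review bot: the three added `AuthzMergeRules Off` lines carry no comment explaining why they are needed, and the one inside `<Files login.html>` is presumably what makes "don't require user to already be logged in!" actually hold, by preventing the enclosing `Require dbd-group team` from being merged into the login page's rules; a one-line comment such as `# don't inherit the parent Require dbd-group rule` on each would make that visible. Moving the 401 page from `/team-private/login-form.html` to `/login-info.html` is a good catch, since the old target appears to sit inside the same protected directory and would itself have answered with a 401. Lastly, changing `login = true` to `login = 'true'` silently assumes a character column for `login`; state the assumed column type in the comment so that administrators with a native boolean column know to adjust the literal.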
<div class="example"><h3>Example</h3><pre>
Require dbd-login
AuthzDBDQuery \
- "UPDATE authn SET login = true WHERE user = %s"
+ "UPDATE authn SET login = 'true' WHERE user = %s"
</pre></div>
</li>
</ul>