Apache + PostgreSQL based HTTP digest authentication

Basic information:

Situation: We need to perform HTTP digest authentication with the Apache Web Sever using Postgre SQL database tables,
which means we need to configure Apache to access the database to get the username/password information.

Apache versions (due to a bug in version 2.2.3 which is not in version 2.2.2 I used the version 2.2.2 as well):

httpd-2.2.2
httpd-2.2.3

I tried the following Apache modules/solution approaches for database based authentication:

mod_dbd + mod_authn_dbd + an included version of APR (Apache Portable Runtime),
mod_auth_pgsql-2.0.3

Operating system: Linux 2.6.11-1.1369_FC4smp Fedora Core 4
Database: postgresql-8.0.3-1
The database server runs on the same machine as Apache, the username + password information is correct (the account is valid).

I) Problems with mod_dbd + mod_authn_dbd + APR:

Apache compilation directives:

./configure \
--prefix=/opt/snip/devel/httpd-2.2.2-mod_dbd \
--enable-auth-digest \
--enable-dbd \
--enable-authn-dbd \
--with-included-apr \
--with-pgsql=/usr/lib/pgsql

Configuration: The relevant part of httpd.conf (actually an external file included into htpd.conf with authentication configuration):

#Use the PostgreSQL driver
DBDriver pgsql
DBDParams "dbhost=localhost dbname=snip user=iradio password=iradio"

#Connection Pool Management
DBDMin 1
DBDKeep 2
DBDMax 10
DBDExptime 60

# for SNIP relevant URLs only ~ /snipweb/*.do
<LocationMatch "/secret*">

AuthType Digest
AuthName "gigaset.net"
AuthBasicProvider dbd

BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Require valid-user

#SQL query to verify a user
#(note: DBD drivers recognise both stdio-like %s and native syntax)
AuthDBDUserPWQuery "SELECT password FROM public.subscriber WHERE username=%s"

</LocationMatch>

Apache's error_log:

After server restart:
[Tue Sep 05 12:42:48 2006] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 05 12:42:48 2006] [notice] Digest: done
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:42:48 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:42:48 2006] [notice] Apache/2.2.2 (Unix) configured -- resuming normal operations


A request to .../secret/ requires authentication and returns Internal Server Error + error_log:
After request:
[Tue Sep 05 12:43:20 2006] [crit] (20014)Internal error: DBD: Can't connect to pgsql
[Tue Sep 05 12:43:20 2006] [crit] (20014)Internal error: DBD: failed to initialise
[Tue Sep 05 12:43:35 2006] [error] Internal error: pcfg_openfile() called with NULL filename
[Tue Sep 05 12:43:35 2006] [error] [client 163.242.69.18] (9)Bad file descriptor: Could not open password file: (null)

The PostgreSQL's log shows that there was no connection received from Apache.

Questions:

The driver for pgsql is found, why is it not possible for the module dbd to initialize?
Should there be any runtime settings, e.g. LD_LIBRARY_PATH regarding PostgreSQL?
It the DBS connection string wrong?
What exactly happens to the driver and how to configure/compile it properly?


II) Problems with mod_auth_pgsql-2.0.3:

Apache compilation directives:

./configure \
--prefix=/opt/snip/devel/httpd-2.2.2-mod_auth \
--enable-auth-digest

Module installation (using apxs):

/opt/snip/devel/httpd-2.2.2-mod_auth/bin/apxs -i -a -c -I /usr/include/pgsql -L /usr/lib/pgsql -lpq mod_auth_pgsql.c

Output:
/opt/snip/devel/httpd-2.2.2-mod_auth/build/libtool --silent --mode=compile gcc -prefer-pic -DLINUX=2 -D_REENTRANT -D_GNU_SOURCE -D_LARGEFILE64_SOURCE -g -O2 -pthread -I/opt/snip/devel/httpd-2.2.2-mod_auth/include -I/opt/snip/devel/httpd-2.2.2-mod_auth/include -I/opt/snip/devel/httpd-2.2.2-mod_auth/include -I/usr/include/pgsql -c -o mod_auth_pgsql.lo mod_auth_pgsql.c && touch mod_auth_pgsql.slo
/opt/snip/devel/httpd-2.2.2-mod_auth/build/libtool --silent --mode=link gcc -o mod_auth_pgsql.la -L/usr/lib/pgsql -lpq -rpath /opt/snip/devel/httpd-2.2.2-mod_auth/modules -module -avoid-version mod_auth_pgsql.lo
/opt/snip/devel/httpd-2.2.2-mod_auth/build/instdso.sh SH_LIBTOOL='/opt/snip/devel/httpd-2.2.2-mod_auth/build/libtool' mod_auth_pgsql.la /opt/snip/devel/httpd-2.2.2-mod_auth/modules
/opt/snip/devel/httpd-2.2.2-mod_auth/build/libtool --mode=install cp mod_auth_pgsql.la /opt/snip/devel/httpd-2.2.2-mod_auth/modules/
cp .libs/mod_auth_pgsql.so /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.so
cp .libs/mod_auth_pgsql.lai /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.la
cp .libs/mod_auth_pgsql.a /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.a
ranlib /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.a
chmod 644 /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.a
PATH="$PATH:/sbin" ldconfig -n /opt/snip/devel/httpd-2.2.2-mod_auth/modules
----------------------------------------------------------------------
Libraries have been installed in:
/opt/snip/devel/httpd-2.2.2-mod_auth/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
- add LIBDIR to the `LD_LIBRARY_PATH' environment variable
during execution
- add LIBDIR to the `LD_RUN_PATH' environment variable
during linking
- use the `-Wl,--rpath -Wl,LIBDIR' linker flag
- have your system administrator add LIBDIR to `/etc/ld.so.conf'

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
chmod 755 /opt/snip/devel/httpd-2.2.2-mod_auth/modules/mod_auth_pgsql.so
[activating module `auth_pgsql' in /opt/snip/devel/httpd-2.2.2-mod_auth/conf/httpd.conf]


Configuration: The relevant part of httpd.conf (actually an external file included into htpd.conf with authentication configuration):

<LocationMatch "/secret*">

AuthName "gigaset.net"
AuthType Digest
BrowserMatch "MSIE" AuthDigestEnableQueryStringHack=On
Require valid-user

# authentication module configuration
Auth_PG_host localhost
Auth_PG_port 5432
Auth_PG_database snip
Auth_PG_user iradio
Auth_PG_pwd XXXXX
Auth_PG_pwd_table public.subscriber
Auth_PG_encrypted off
Auth_PG_uid_field username
Auth_PG_pwd_field password

<LIMIT GET POST>
require valid-user
</LIMIT>

</LocationMatch>

Situation:

When a request to .../secret is made, the server requests authentication and then goes to an Internal Server Error page just like before.

The error_log:

[Tue Sep 05 13:52:19 2006] [notice] Digest: generating secret for digest authentication ...
[Tue Sep 05 13:52:19 2006] [notice] Digest: done
[Tue Sep 05 13:52:19 2006] [notice] Apache/2.2.2 (Unix) mod_auth_pgsql/2.0.3 configured -- resuming normal operations
[Tue Sep 05 13:53:33 2006] [error] Internal error: pcfg_openfile() called with NULL filename
[Tue Sep 05 13:53:33 2006] [error] [client 163.242.69.18] (9)Bad file descriptor: Could not open password file: (null)
[Tue Sep 05 13:53:33 2006] [error] [client 163.242.69.18] File does not exist: /opt/snip/devel/httpd-2.2.2-mod_auth/htdocs/favicon.ico

Questions:

What is wrong with this driver/configuration?? (no file authentication is used anywhere whatsoever)
Is this driver secure?
Where is the problem here?

General questions:

Are there any other reasonable ways to configure Apache to use database managed authentication?
What are the modules which can be used with PostgreSQL?

Thank you for any hints and help,

David

 

Hi all,

I've been battling with this problem for weeks now and not managed to find out anything to help.. I have a website in the document root folder, and also in that folder is a .htaccess file, with the lines:

Options +Indexes
Options +FollowSymlinks
RewriteEngine on
RewriteBase /
RewriteRule ^([^/\.]+)/?$ index.php?menu=$1 [L]

However, whenever i try to access /new (which should take me to index.php?menu=news) it just spews up a 404.. - any ideas?

I have Apache 2.2.3 and PHP 5.1.6.
In the httpd.conf file i have uncommented the only obviously relavent line:

LoadModule rewrite_module modules/mod_rewrite.so

but in the phpinfo(); there is no mention of the mod_rewrite...


Any ideas would be appreciated!


Thanks

 

Andydriven & Xhlavac1,

I noticed that you appear to be using AuthPG based on your configuration.

I have recently been trying to to get Apache PostgreSQL authentication going and ended trying three different modules, I only managed to get the mod_authn_dbd and mod_db approach working with both Basic and Digest Authentication.

In surfing web it appears that many people have lots of trouble with both AuthPG and mod_auth_pgsql. My recommendation is to use mod_authn_dbd and mod_dbd. I have documented my findings here: "http://www.graphica.com.au/postgres-and-apache.html" , including the required configuration, I hope this is helpful.

Sorry I cannot include a direct link to this...

Cheers,

Zebity.