I administer about 20 different web applications, each of which uses Apache authentication to control access. In the past, I’ve just used simple htpasswd authentication because it works and is readily available. However when adding or removing employee’s access, it required pretty manual editing of all of the htpasswd files every time that we added or removed and employee
I just starting using mod_auth_mysql which provides a way to centralize the authentication. It is available as a package on any distro that I’ve used, and is pretty simple to configure. Just create a database with the following tables:
CREATE TABLE users ( user_name CHAR(30) NOT NULL, user_passwd CHAR(20) NOT NULL, PRIMARY KEY (user_name) ); CREATE TABLE groups ( user_name CHAR(30) NOT NULL, user_group CHAR(20) NOT NULL, PRIMARY KEY (user_name, user_group) );
Populate the users table with username/passwords taken straight from the .htpasswd file. Optionally, you can make users a member of a group via the groups table. Create a database user with permission to SELECT from those two tables.
Then configure the following in the Apache config or .htaccess file for each your web applications:
AuthName "Some Webapp" AuthType Basic AuthMySQLEnable on AuthMySQLHost myauthserver.someplace.com AuthMySQLUser YourDatabaseName AuthMySQLPassword YourDatabaseUserPassword AuthMySQLDB YourDatabaseName AuthMySQLUserTable users AuthMySQLNameField user_name AuthMySQLPasswordField user_passwd AuthMySQLGroupTable groups AuthMySQLGroupField user_group require valid-user #require group ThisApp
Now you can centrally manage your Apache authentication. Uncomment the ‘require group’ line and add an appropriate entry in the groups table for any users you want to allow specifically to this app.
3 thoughts on “mod_auth_mysql makes managing Apache authentication simple”
Very cool. This is a great solution to a common problem when you have multiple servers/applications. Glad you posted your find, I’m sure I will use it in the future.
FYI, I released a program for managing these users via a web-based program at http://www.brandonchecketts.com/webpasswd/