To implement shared-account authentication in Apache, start by creating a user account and assigning a password to that account. You can do that with the htpasswd tool, like this:
htpasswd -c subscribers subscriber
This command prompts for a password and when you supply one, it creates a file called subscribers containing a single record for a user named subscriber, along with an encrypted version of the password you type in.
To control access to all the files in a directory, you need to associate the user account with a web subtree. In Apache, you do that in the server’s configuration file (either access.conf or the master file httpd.conf) like this:
<Directory /web/Docbase/ProductAnalysis/docs>
    AuthType Basic
    AuthName subscribers
    AuthUserFile /secure/subscribers
    # Admit any user who authenticates against AuthUserFile
    require valid-user
</Directory>
You can define a group of subscribers by listing names in a file, like this:
subscribers: ed joe sharon
If that group definition is stored in the file /secure/groups, you can use the following configuration directives to permit only group members:
<Directory /web/Docbase/ProductAnalysis/docs>
    AuthType Basic
    AuthName subscribers
    AuthUserFile /secure/subscribers
    AuthGroupFile /secure/groups
    require group subscribers
</Directory>
In this case, you have to define the group in /secure/groups and also list all the individual subscribers and their passwords in /secure/subscribers.
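A consistency check for the two files just described, as an added example that is not from the original text: it reports group members with no password record (they can never authenticate) and password-file users who are not in the group (they are refused by require group). The function names and the sample file contents are constructed for illustration.

```python
# Added example: cross-check an Apache group file against a password file.
# The sample file contents below are constructed, not real credentials.

def parse_passwd(text):
    """Return {user: stored_hash} from htpasswd-style 'user:hash' lines."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, hashed = line.partition(":")
        if sep and name:
            users[name] = hashed
    return users

def parse_groups(text):
    """Return {group: set(members)} from 'group: user1 user2' lines."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, members = line.partition(":")
        if sep and name.strip():
            groups.setdefault(name.strip(), set()).update(members.split())
    return groups

def audit(passwd_text, group_text, group):
    """Compare one group's member list with the password records."""
    users = parse_passwd(passwd_text)
    known = set(users)
    members = parse_groups(group_text).get(group, set())
    return {
        # In the group file but absent from the password file
        "no_password": sorted(members - known),
        # Has a password record but is not a member of the group
        "not_in_group": sorted(known - members),
        # Record exists but nothing follows the colon
        "empty_hash": sorted(u for u in members & known if not users[u]),
    }

SAMPLE_PASSWD = "ed:aaEXAMPLE01\njoe:bbEXAMPLE02\nsubscriber:ccEXAMPLE03\nsharon:\n"
SAMPLE_GROUPS = "subscribers: ed joe sharon pat\n"

if __name__ == "__main__":
    report = audit(SAMPLE_PASSWD, SAMPLE_GROUPS, "subscribers")
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```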
If there are hundreds or thousands of users, you can speed things up dramatically by storing the names and passwords in a DBM database, which is a disk-based hashtable of name/value pairs. Apache comes with a Perl script, dbmmanage, that you can use to add names and cleartext passwords to a DBM file of names and encrypted passwords. You configure Apache to use that database as shown in the following code.
<Directory /web/Docbase/ProductAnalysis/docs>
    AuthType Basic
    AuthName subscribers
    AuthDBMUserFile /secure/subscribers
    # Admit any user who authenticates against the DBM database
    require valid-user
</Directory>
In this case, the subscriber database lives in a pair of files called subscribers.dir (the DBM index) and subscribers.pag (the DBM data). The AuthDBMUserFile directive requires a supporting Apache module, mod_auth_dbm, which isn’t compiled and linked in to a default build of Apache. To add the module, edit the Configuration file in Apache’s src directory, uncomment the line that refers to mod_auth_dbm, and then rebuild Apache like this:
$ ./Configure
$ make
If you want to use an SQL database instead of a DBM file and you’ve configured Apache to use mod_perl, you can use the Perl module Apache::AuthenDBI (available on CPAN). This approach won’t make lookups any faster than the DBM method, but it’s more flexible. DBM libraries don’t support record locking, so if you want to handle updates cleanly, you’ll want to use an SQL engine. There are quite a few Apache modules that deal with authentication and authorization; in addition to CPAN, see http://www.apache.org/ for Apache modules and http://perl.apache.org/ for Apache/Perl modules.