Questions[mod-auth-mysql](server)

I'm trying to set up an authentication system based on basic apache2 auth. For this I configured mod_authn_dbd to use a mysqli database set up like this: https://www.howtoforge.de/anleitung/passwort-geschutzte-verzeichnisse-auf-apache2-mit-mod_auth_mysql-debian-squeeze/.

Next, I set up my site.conf like this:

<VirtualHost *:80>
    # The ServerName directive sets the request scheme, hostname and port that
    # the server uses to identify itself. This is used when creating
    # redirection URLs. In the context of virtual hosts, the ServerName
    # specifies what hostname must appear in the request's Host: header to
    # match this virtual host. For the default virtual host (this file) this
    # value is not decisive as it is used as a last resort host regardless.
    # However, you must set it for any further virtual host explicitly.
    #ServerName www.example.com

    ServerAdmin [email protected]
    DocumentRoot /var/www/html
    ServerName exmpl.de

    # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
    # error, crit, alert, emerg.
    # It is also possible to configure the loglevel for particular
    # modules, e.g.
    #LogLevel info ssl:warn

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # For most configuration files from conf-available/, which are
    # enabled or disabled at a global level, it is possible to
    # include a line for only one particular virtual host. For example the
    # following line enables the CGI configuration for this host only
    # after it has been globally disabled with "a2disconf".
    #Include conf-available/serve-cgi-bin.conf
DBDriver mysql 
 DBDParams "dbname=db user=usr pass=pass"
 
 DBDMin 4 
 DBDKeep 8 
 DBDMax 20 
 DBDExptime 300
 
 <Directory "/var/www/html"> 
 # mod_authn_core and mod_auth_basic configuration 
 # for mod_authn_dbd 
 AuthType Basic 
 AuthName "Users only"
 
 # To cache credentials, put socache ahead of dbd here 
 AuthBasicProvider socache dbd
 
 # Also required for caching: tell the cache to cache dbd lookups! 
 AuthnCacheProvideFor dbd 
 AuthnCacheContext my-server
 
 # mod_authz_core configuration 
 Require valid-user
 
 # mod_authn_dbd SQL query to authenticate a user 
 AuthDBDUserPWQuery "SELECT passwd FROM mysql_auth WHERE username = %s" 
</Directory>
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

which works like a charm with my database:

create table mysql_auth (
username varchar(255) not null,
passwd varchar(255),
groups varchar(255),
primary key (username)
);

Now I wanted to add the possibility to make specific folders and its content only available for users of a specific group, so I added:

<Directory "/var/www/html/folder1/folder2">
  # mod_authn_core and mod_auth_basic configuration
  # for mod_authn_dbd
  AuthType Basic
  AuthName group specific area
  AuthBasicProvider dbd

  # mod_authn_dbd SQL query to authenticate a logged-in user
  AuthDBDUserPWQuery \
    "SELECT password FROM mysql_auth WHERE username = %s"

  # mod_authz_core configuration for mod_authz_dbd
  Require dbd-group groupname

  # mod_authz_dbd configuration
  AuthzDBDQuery "SELECT groups FROM mysql_auth WHERE user = %s"

</Directory>

(https://httpd.apache.org/docs/current/mod/mod_authz_dbd.html)with the result that I get this message after reenabling the site.conf and trying to restart apache2:

Mar 23 23:31:12 v*** apachectl[1665]: AH00526: Syntax error on line 70 of /etc/apache2/sites-enabled/site.conf:
Mar 23 23:31:12 v*** apachectl[1665]: Unknown Authz provider: dbd-group

Even "Require group groupname" doesn't work. I really don't know what I'mm doing wrong. Any ideas?

Thanks in advance.

I am currently in the process of migrating an old webserver.

The old server uses basic auth with users stored in a mysql table and mod_auth_mysql enabled.

The password ist stored with apaches build in sha1 function SELECT sha1('secret') which works for mod_auth_mysql

Unfortunately mod_auth_mysql is not supported anymore. That's why I found mod_authn_dbd as an alternative.

https://documentation.help/httpd-2.4-es/mod_authn_dbd.html

I alreay managed to get everything up and running until the point that I can login with basic auth and a fixed password

<Location />
        AuthType Basic
        AuthName "Test"
        AuthBasicProvider dbd
        Require valid-user
        AuthDBDUserPWQuery "SELECT '{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=' FROM users WHERE user = %s"
</Location>

I only store the sha1 hash in the user table. While the old mod_auth_mysql accepted hashes generated by mysql (SELECT sha1('test')=a94a8fe5ccb19ba61c4c0873d391e987982fbbd3) mod_authn_dbd doesn't.

According to https://documentation.help/httpd-2.4-es/password_encryptions.html

SHA1 "{SHA}" + Base64-encoded SHA-1 digest of the password.

Passwords generated by htpasswd are accepted.

htpasswd -bns user test
user:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

Now I need to convert this value a94a8fe5ccb19ba61c4c0873d391e987982fbbd3 (stored in my db for password test) to qUqP5cyxm6YcTAhz05Hph5gvu9M= (accepted value for password test) inside mysql

I already tried

SELECT to_base64(sha1('test')), to_base64(ucase(sha1('test'))), to_base64(lcase(sha1('test')));`

but none produces the expected results.

I either need a way to convert my existing password hashes to the expected format or convince mod_authn_dbd to accept my existing sha1 hash.

Any help would be appreciated

I'm building a replica of a production server for migrating it to a Virtual environmnet. I do not want to just copy it as it is a 32 bit CentOS 5, and I upgraded it to CentOS 6 64bit.

I managed to replicate mysql and maintain it as a slave of the production one. The mailserver is managed through ISPConfig2, which I also copied.

The problem now is authentication with pop server. I installed auth-mysql library, and configure it (comparing the configuration files in the production server). I managed to get it loaded on startup, but it seems to be another configuration overriding it:

Sep  5 09:27:10 localhost authdaemond: modules="authmysql", daemons=5
Sep  5 09:27:10 localhost authdaemond: Installing libauthmysql
Sep  5 09:27:11 localhost authdaemond: Installation complete: authmysql
Sep  5 09:27:18 localhost postfix/postfix-script[1502]: starting the Postfix mail system
Sep  5 09:27:18 localhost postfix/master[1503]: daemon started -- version 2.6.6, configuration /etc/postfix
Sep  5 09:27:27 localhost authdaemond: modules="authuserdb authldap authcustom authpipe", daemons=5

Could it be postfix overriding it? It first loads "authmysql", and after that, starts loading "authuserdb authldap authcustom authpipe". I've been trying all the weekend, I even removed auth-ldap configuration files, but I'm now stuck.

When I login via Telnet, it even doesn't try to connect MySQL:

Sep  5 09:41:00 localhost pop3d: Connection, ip=[::1]
Sep  5 09:41:09 localhost authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Sep  5 09:41:09 localhost authdaemond: ldap_simple_bind_s failed: Can't contact LDAP server
Sep  5 09:41:09 localhost pop3d: LOGIN FAILED, [email protected], ip=[::1]
Sep  5 09:41:09 localhost pop3d: authentication error: Input/output error

Any idea on what to try or which configuration file could be doing this would be appreciated.

On an Ubuntu 10.04 server w/ Apache2, I have auth_mysql turned on, and I am getting [debug] messages showing up. How can I turn these off? I'm guessing there is a way to turn this off for the module, as well as for all 'debug' messages. I am curious how to do both.

Update:
Originally I posted about auth-mysql only; however, I also want to control WSGI's output (currently showing [info] messages in error.log).

I installed bugzilla and subversion on my server. I'd like them to share accounts. So I googled and found this post here. I installed mod_auth_mysql, applying patch for apache 2.2.3 but it doesn't work. When look into error logs of my apache, I find that password mismatch :/ Let's assume I have an user like this in bugzilla:

[email protected], password: test1234

When I try to enter my SVN repo, the login forms pops up, but I cant login. In server error log I find:

[Sat Dec 18 15:25:10 2010] [error] [client 83.4.164.217] user [email protected]: password mismatch: /svn

I also debug the mysql queries which are sent to server, and I found this:

101218 15:25:10      85 Connect     bugs@localhost on
                     85 Init DB     bugs
                     85 Query       SELECT cryptpassword, length(cryptpassword) FROM profiles WHERE login_name='[email protected]' AND disabledtext = ''

When I run the same query by hand I got following result:

mysql> SELECT cryptpassword, length(cryptpassword) FROM profiles WHERE login_name='[email protected]' AND disabledtext = '';
+--------------------------------------------------------------+-----------------------+
| cryptpassword                                                | length(cryptpassword) |
+--------------------------------------------------------------+-----------------------+
| Jnm2qVBMbifU7PEZyl+exbYEAsO8SZh1x2ratGhqfikMg1bxYFg{SHA-256} |                    60 |
+--------------------------------------------------------------+-----------------------+
1 row in set (0.00 sec)

And my in my apache conf:

<Location /svn >
        DAV svn
        SVNPath /etc/subversion

        AuthzSVNAccessFile /home/yuri/.svncontrol

        AuthType Basic
        AuthMySQLSaltField <>
        AuthName "Mwuahahaha this is protected!"
        AuthMySQLPwEncryption crypt
        AuthMySQLUser bugs
        AuthMySQLPassword <some_pass>
        AuthMySQLDB bugs
        AuthMySQLUserTable profiles
        AuthMySQLNameField login_name
        AuthMySQLPasswordField cryptpassword
        AuthMySQLUserCondition "disabledtext = ''"
        Require valid-user

</Location>

The same config but without AuthMySQLPwEncryption crypt and AuthMySQLSaltField <> lines gives the same problem