Setting Up Group Access

The previous example will let only one user in, paul. In most cases this is not very practical, as most sites will need to allow more than one person in. This can be accomplished in two different manners:

■ Instead of the Require user paul directive that will allow only the user paul access to the directory, Require valid-user will allow anyone in the password file access to the directory after correctly entering their password.

■ Another option is to create a group file that associates a group name with a list of users listed in a file. The format of this file is straightforward and can be accomplished with one's favorite editor:

GroupName: paul justin roger

■ The directory container will need to know where the password file and the group file are located. Because more than one group can be listed within the group file, which group may gain access will also need to be specified:

<Directory /srv/www/htdocs/private> AuthType Basic AuthName "By Invite Only" AuthUserFile /etc/http-passwd AuthGroupFile /etc/http-groups Require group GroupName </Directory>

■ Anyone that has been properly authenticated and is listed in the group GroupName will be let in to the "By Invite Only" realm.

An issue with the Basic authentication is that the username and password must be verified every time a request is made for a resource from the server, be it an HTML page, an image, or any other resource from the protected directory. This can slow things down a little in terms of the responsiveness of the web server. In fact, the amount that the web server slows down is proportional to the size of the password file. Remember the Apache web server has to open up that file and go down the list in order of users until it gets to the user in question, every time a page is loaded.

A consequence of this is that there is a practical limit to how many users can be listed in one password file. While the limit will vary depending on the configuration of a particular server, chances are after a few hundred entries the performance of the web server will suffer and a different authentication method option may be needed.

Such a method can be found in the mod_auth_dbm module. mod_auth_dbm provides the AuthDBMUserFile directive allowing the use of files used with the dbmmanage program. Another possible option is mod_auth_mysql. The mod_auth_mysql module allows the Apache web server to connect to a backend MySQL database where username and passwords can be stored and accessed with greater efficiency.

| f - - r More detailed information about authentication on your Apache web server is beyond the scope of this book. However, if you are interested in delving deep into the topic of security and Apache, you can check out a book such as Maximum Apache Security (Sams, 2002) for more information.

Was this article helpful?

0 0

Post a comment