httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 44578] New: mod_authn_dbd option to let database validate password
Date Tue, 11 Mar 2008 15:13:56 GMT

           Summary: mod_authn_dbd option to let database validate password
           Product: Apache httpd-2
           Version: 2.2-HEAD
          Platform: All
        OS/Version: All
            Status: NEW
          Keywords: PatchAvailable
          Severity: enhancement
          Priority: P2
         Component: Other Modules

Created an attachment (id=21651)
httpd trunk (r628393) patch - also applies to 2.2.8 cleanly

It is a frequent problem that mod_authn_dbd cannot be used with existing SQL
databases because passwords are not stored in one of the Apache formats:
{$apr1$}, {SHA}, crypt (Unix), or plaintext (Windows/Netware).

This proposal is for an optional 2nd 'VALIDATE' argument to the
AuthDBDUserPWQuery directive which lets the database determine whether the
password is valid without relying on the APR password hashing functions.

The VALIDATE argument indicates that the plaintext password is passed as the
first query parameter and the username is passed as the second parameter.

When the first column of the first returned row is a non-zero number or "T" or
"TRUE" (case insensitive), the password is accepted - otherwise the password is

Note that when no rows are returned, mod_authn_dbd already reports

A common example is when passwords are stored using the database provider's MD5
function which is incompatible with Apache encrypted password formats:

MySQL or PostgreSQL:
  AuthDBDUserPWQuery \
  "SELECT (password = MD5(%s)) FROM users WHERE username = %s"  \

  AuthDBDUserPWQuery \
  "SELECT CASE password WHEN HashBytes('MD5', %s) THEN 1 ELSE 0 END \
  FROM users WHERE username = %s" \

Oracle 10g:
  AuthDBDUserPWQuery \
  FROM users WHERE username = %s"  \

The password is passed as the 1st parameter and the username as the 2nd
parameter because this order makes constructing the SQL statement considerably
easier, since the username is almost always used in a SQL predicate clause.

All SQL databases which support boolean values cast them to strings as "0" or
"1"; "t" or "f"; or "TRUE" or "FALSE".
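As an added example (not the attached patch and not mod_authn_dbd's own source), the C function below implements the acceptance rule stated above for the first column of the first returned row, plus the no-rows case. The names column_is_true and validate_query_result are hypothetical; the column is assumed to arrive as a C string (or NULL for SQL NULL), and the accepted forms are exactly those listed in the proposal: a non-zero integer, or "T"/"TRUE" compared case-insensitively, which also covers the "0"/"1", "t"/"f" and "TRUE"/"FALSE" casts mentioned for boolean columns.

```c
#include <ctype.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* Outcome of a VALIDATE-style query: no row -> user unknown,
 * first column truthy -> accepted, anything else -> denied. */
typedef enum {
    VALIDATE_USER_NOT_FOUND = 0,
    VALIDATE_PASSWORD_OK    = 1,
    VALIDATE_PASSWORD_BAD   = 2
} validate_result_t;

/* Returns 1 when a first-column value should count as "true": a non-zero
 * integer, or "T"/"TRUE" ignoring case. Everything else (SQL NULL, empty
 * string, "0", "f", "FALSE", "1abc", ...) fails closed and returns 0. */
int column_is_true(const char *col)
{
    char *end;
    long v;

    if (col == NULL)                        /* SQL NULL, e.g. password IS NULL */
        return 0;
    while (isspace((unsigned char)*col))    /* tolerate driver padding */
        col++;
    if (*col == '\0')
        return 0;

    if (strcasecmp(col, "t") == 0 || strcasecmp(col, "true") == 0)
        return 1;

    errno = 0;
    v = strtol(col, &end, 10);
    if (errno != 0 || end == col)           /* not an integer at all */
        return 0;
    while (isspace((unsigned char)*end))    /* trailing padding only */
        end++;
    if (*end != '\0')                       /* "1abc" is not a number */
        return 0;
    return v != 0;
}

/* rows: first-column value of each returned row (NULL entry = SQL NULL);
 * nrows: number of rows. Only the first row is consulted, as proposed. */
validate_result_t validate_query_result(const char *const *rows, size_t nrows)
{
    if (nrows == 0)
        return VALIDATE_USER_NOT_FOUND;
    return column_is_true(rows[0]) ? VALIDATE_PASSWORD_OK
                                   : VALIDATE_PASSWORD_BAD;
}
```

The check is deliberately strict: a value that is not an integer and not one of the two true-strings is treated as a failed match rather than guessed at, so a driver returning an unexpected representation denies access instead of granting it.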

This option is not useful for digest authentication because Apache does not
have the plaintext password when digest authentication is used.

It may be good to note in the documentation that the security of the database
connection and database SQL logging should be considered when a plaintext
password is passed to the database using the VALIDATE option.
