httpd-dev mailing list archives

From Patrick Welche <>
Subject mod_authn_dbd and apr_password_validate
Date Sat, 06 Jan 2007 18:48:48 GMT
I was just trying 4 Jan 20:33 -head httpd, with apr/apr-util of 28 Dec,
to try out mod_authn_dbd with the following configuration:

DBDriver pgsql
DBDParams "dbname=passtest user=prlw1"
<IfModule mod_authn_dbd.c>
<Directory "/usr/local/share/httpd/htdocs/webfolder">
AuthType Basic
AuthName "What's this?"
AuthBasicProvider dbd
Require valid-user
AuthDBDUserPWQuery "select prefname from person where userid=%s"

Now, try as I might, my password is never accepted. I assumed database
problems etc., but all checked OK. Then I tried:

Index: mod_authn_dbd.c
--- mod_authn_dbd.c     (revision 492725)
+++ mod_authn_dbd.c     (working copy)
@@ -161,6 +161,8 @@
     if (!dbd_password) {
         return AUTH_USER_NOT_FOUND;
+    ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
+              "Comparing \"%s\" with \"%s\"", password, dbd_password);
     rv = apr_password_validate(password, dbd_password);
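Review bot: `rv` is handed to ap_log_rerror() before `rv = apr_password_validate(password, dbd_password);` assigns it, so the "(-1)Unknown error: 4294967295" prefix in the resulting log line is an uninitialised value, not a real status; pass 0 there (or log after the call) so the prefix means something. Placement also needs a check: as quoted, the two added lines follow `return AUTH_USER_NOT_FOUND;` with no closing brace in view, and the header `@@ -161,6 +161,8 @@` promises six context lines where only three appear, so either context was lost in pasting or the log call sits unreachable inside the `if (!dbd_password)` block. Finally, the call writes both the submitted and the stored credential in clear text at APLOG_ERR, which is fine for a one-off local diagnosis but must not be committed.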

and saw in the logs:

[Sat Jan 06 00:55:35 2007] [error] [client ::1] (-1)Unknown error: 4294967295: Comparing "Patrick" with "Patrick"
[Sat Jan 06 00:55:35 2007] [error] [client ::1] user prlw1: authentication failure for "/webfolder": Password Mismatch

So, it seems that mod_authn_dbd managed to get the password from the web
browser, and from the database.

Now, in apr-util/crypto/apr_md5.c, I see:

 * Validate a plaintext password against a smashed one.  Uses either
 * crypt() (if available) or apr_md5_encode() or apr_sha1_base64(), depending
 * upon the format of the smashed input password.  Returns APR_SUCCESS if
 * they match, or APR_EMISMATCH if they don't.  If the platform doesn't
 * support crypt, then the default check is against a clear text string.
APU_DECLARE(apr_status_t) apr_password_validate(const char *passwd,
                                                const char *hash)

but here, it looks as though we have to validate a plaintext password against
a plaintext password.

What am I missing?
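Added example, not code from the post or from apr-util: a Python re-implementation of the two stored-password formats apr_password_validate() accepts on every platform, "{SHA}" (base64 of SHA-1, what htpasswd -s writes) and "$apr1$" (Apache's MD5 variant from apr_md5_encode()), together with the prefix dispatch itself. apr-util hands any other format to the platform crypt(); this example treats that branch as "never matches", which is also what a bare plaintext column like the one above gets in practice. The salt and passwords are constructed values.

```python
import base64
import hashlib

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Emit `count` characters of the crypt-style base-64 alphabet, low bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(_ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def apr1_encode(password: str, salt: str) -> str:
    """Return '$apr1$<salt>$<hash>' following apr_md5_encode() (salt is cut to 8 chars)."""
    magic, pw, sl = b"$apr1$", password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    for pl in range(len(pw), 0, -16):           # mix in len(pw) bytes of MD5(pw, salt, pw)
        ctx.update(alt[:min(16, pl)])
    i = len(pw)
    while i:                                     # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):                        # 1000 stretching rounds
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in groups) + _to64(final[11], 2)
    return (magic + sl + b"$" + out).decode()


def sha1_encode(password: str) -> str:
    """Return '{SHA}<base64 sha1>', the format htpasswd -s stores."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def password_validate(password: str, stored: str) -> bool:
    """Dispatch on the stored value's prefix the way apr_password_validate() does."""
    if stored.startswith("$apr1$"):
        return apr1_encode(password, stored[6:].split("$", 1)[0]) == stored
    if stored.startswith("{SHA}"):
        return sha1_encode(password) == stored
    return False    # apr-util would try crypt() here; a plaintext column never matches
```

Storing `apr1_encode("Patrick", salt)` or `sha1_encode("Patrick")` in the prefname column makes the query above validate; storing "Patrick" itself reproduces the Password Mismatch in the log.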
