httpd-dev mailing list archives

From Chris Darroch
Subject Re: User/Realm order in AuthDBDUserRealmQuery (mod_authn_dbd)
Date Fri, 15 May 2009 18:20:10 GMT
KaiGai Kohei wrote:

> But, I would like to set up the query as follows:
>   AuthDBDUserRealmQuery \
>       "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s"
>                                   ^^... to be realm                to be user ... ^^
> It seems to me we have no way to put the replacement of the given
> realm prior to username. Am I missing anything?

   I don't think so ... unless there's some way to rewrite the query
so the username is the first parameter, I don't see any option with
the existing code.

> If we have no reasonable workaround, I would like to suggest a new
> directive: AuthDBDRealmUserQuery which specifies a query for digest
> authentication with realm and user parameters in this order?
> What's your opinion?
> # This is an aside. I would like to include a few additional conditions
> # in the query, such as remote address and so on.
> # For example, we can consider a web-user who can access via a certain
> # network address (like,, described as:
> #
> # SELECT md5(password) FROM uaccount \
> #     WHERE uname = %s AND unetwork >>= %s::inet;

   I wonder if we could keep the existing config directives but
allow them to access an optional additional parameter (or set of
parameters).  You could then write:

AuthDBDUserRealmQuery \
    "SELECT %s FROM uaccount WHERE uname = %s AND foo = %s" \

where R,u,a meant realm, user, and remote IP address parameters
were to be passed in that order.  (We'd likely want to follow
as much as possible for the available parameters.)  Just an idea
at the moment ... alas, no matching implementation.  Sigh.  :-/


GPG Key ID: 366A375B
GPG Key Fingerprint: 485E 5041 17E1 E2BB C263  E4DE C8E3 FA36 366A 375B
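
Added example, not part of the original message and not mod_authn_dbd code: a Python/sqlite3 simulation of the fixed (user, realm) binding order discussed in the thread. It shows that the realm-first query matches no row, while a rewrite that names both parameters in a derived table returns the digest HA1 value. Assumptions: SQLite's `?` stands in for `%s`, the registered `md5()` function and the sample row are constructed, and the rewrite has not been tested against mod_authn_dbd or its database drivers.

```python
import hashlib
import sqlite3


def ha1(user, realm, password):
    """Digest-auth HA1 value: MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def make_db():
    """In-memory stand-in for the uaccount table named in the thread."""
    db = sqlite3.connect(":memory:")
    # SQLite has no built-in md5(); register one so the thread's SQL runs as-is.
    db.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    db.execute("CREATE TABLE uaccount (uname TEXT PRIMARY KEY, upass TEXT)")
    db.execute("INSERT INTO uaccount VALUES ('alice', 's3cret')")  # constructed row
    return db


# Query from the thread: the realm placeholder appears before the user one.
REALM_FIRST = (
    "SELECT md5(uname || ':' || ? || ':' || upass) "
    "FROM uaccount WHERE uname = ?"
)

# Rewrite (an assumption of this example): a derived table gives the two
# positional parameters names in (user, realm) order, so the rest of the
# query can reference them in whatever order the hash needs.
USER_FIRST = (
    "SELECT md5(a.uname || ':' || p.realm || ':' || a.upass) "
    "FROM (SELECT ? AS uname, ? AS realm) AS p "
    "JOIN uaccount AS a ON a.uname = p.uname"
)


def lookup(db, query, user, realm):
    """Bind parameters in the fixed (user, realm) order and return the hash."""
    row = db.execute(query, (user, realm)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("realm-first:", lookup(db, REALM_FIRST, "alice", "private"))
    print("user-first: ", lookup(db, USER_FIRST, "alice", "private"))
    print("expected:   ", ha1("alice", "private", "s3cret"))
```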
