httpd-dev mailing list archives

From KaiGai Kohei <kai...@ak.jp.nec.com>
Subject Re: User/Realm order in AuthDBDUserRealmQuery (mod_authn_dbd)
Date Tue, 02 Jun 2009 00:29:36 GMT
KaiGai Kohei wrote:
> I'm now trying to set up mod_authn_dbd for authentication purposes.
> However, I have a concern about the AuthDBDUserRealmQuery directive.
> 
> The example shows the query:
>   AuthDBDUserRealmQuery \
>       "SELECT password FROM authn WHERE user = %s AND realm = %s"
> 
> But, I would like to set up the query as follows:
>   AuthDBDUserRealmQuery \
>       "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount WHERE uname = %s"
>                                   ^^... to be realm                to be user ... ^^
> 
> It seems to me we have no way to put the replacement of the given
> realm prior to username. Am I missing anything?

Here, I could find a short hack.

  AuthDBDUserRealmQuery \
      "SELECT md5(uname || ':' || $2 || ':' || upass), udomain, %s=%s AS dummy \
           FROM uaccount WHERE uname = $1"

The first %s is replaced with '$1' as the username, and the second %s is replaced
with '$2' as the realm, but $n is not touched by mod_dbd.
The dummy field is only there to consume the parameters in the correct order, and
the meaningful parts of the query refer to them with $n.

However, I don't think it is a straightforward approach. :-(

Chris Darroch suggested that I add an optional second argument to specify
the order of the parameters, like:

  AuthDBDUserRealmQuery \
    "SELECT md5(uname || ':' || %s || ':' || upass) FROM uaccount \
         WHERE uname = %s" "realm,username"

However, my preference is still an inline replacement approach, like:

  AuthDBDUserRealmQueryFmt \
    "SELECT md5(uname || ':' || $(realm) || ':' || upass) FROM uaccount \
         WHERE uname = $(username) and unetwork >>= $(remote_host)::inet"

Needless to say, the current behavior of AuthDBDUserRealmQuery should be
kept as is. The new directive only offers another way to set up the
query.

Chris also mentioned that we should use the custom log format as much as possible.
  http://httpd.apache.org/docs/2.2/mod/mod_log_config.html#formats

However, Tom Donovan mentioned that the upcoming mod_session_dbd module also
uses hardwired parameters, and it requires replacing session keys and
so on. But we could not find these parameters in the formats.

Therefore, it seems to me these identifier marks should be defined independently
of the custom log format.

Examples:
 -- mod_auth_dbd --
 $(username) ... replaced by %s as the given authenticated username
 $(password) ... replaced by %s as the given authenticated password
 $(realm)    ... replaced by %s as the realm string
 $(remote_addr) ... replaced by %s as the remote address
 -- mod_session_dbd --
 $(key)      ... replaced by %s as the session key
 $(value)    ... replaced by %s as the session value
 $(expiry)   ... replaced by %lld as the session expiry

Thanks,
-- 
OSS Platform Development Division, NEC
KaiGai Kohei <kaigai@ak.jp.nec.com>
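An added illustration (not code from this thread or from httpd) of the two mechanisms discussed above, in Python: pgsql_prepare emulates what mod_dbd's PostgreSQL driver does with %s (the n-th one becomes $n), which is why the $1/$2 "dummy field" hack works, and fmt_to_prepared shows how a $(name) query like the proposed AuthDBDUserRealmQueryFmt could be turned into a prepared statement whose parameters are bound in the order the names appear, so client-supplied values such as the realm and username are never spliced into the SQL text. The function names, the known-parameter list and the sample values are assumptions made for this example.

```python
import re
from itertools import count

# Parameter names taken from the proposal in the message; the tuple itself
# is an assumption of this example, not an httpd API.
KNOWN_PARAMS = ("username", "password", "realm", "remote_addr")


def pgsql_prepare(query):
    """Emulate mod_dbd's PostgreSQL driver: the n-th '%s' becomes '$n'.
    Anything that is already '$n' is left untouched, exactly as the hack relies on."""
    n = count(1)
    return re.sub(r"%s", lambda m: "$%d" % next(n), query)


def fmt_to_prepared(fmt, known=KNOWN_PARAMS):
    """Translate a $(name) query into a '%s' query plus the parameter order.

    Returns (query_with_%s, [names in order of appearance]).  A name may be
    used more than once; each occurrence gets its own placeholder, so every
    value is still passed as a bound parameter.  Unknown names are rejected
    rather than silently left in the SQL text."""
    order = []

    def repl(m):
        name = m.group(1)
        if name not in known:
            raise ValueError("unknown parameter $(%s)" % name)
        order.append(name)
        return "%s"

    return re.sub(r"\$\((\w+)\)", repl, fmt), order


def bind(order, values):
    """Build the positional argument list matching the prepared query."""
    return [values[name] for name in order]


# Constructed sample input: the query from the proposal and the hack from the message.
FMT = ("SELECT md5(uname || ':' || $(realm) || ':' || upass) FROM uaccount "
       "WHERE uname = $(username)")
HACK = ("SELECT md5(uname || ':' || $2 || ':' || upass), udomain, %s=%s AS dummy "
        "FROM uaccount WHERE uname = $1")
SAMPLE = {"username": "alice", "realm": "Example"}  # constructed values

if __name__ == "__main__":
    query, order = fmt_to_prepared(FMT)
    print(pgsql_prepare(query), order, bind(order, SAMPLE))
    print(pgsql_prepare(HACK))
```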
