Apache/AuthDBMGroupFile


HOWTO

authz_dbm is amazingly braindead when it comes to the group file.

To create the AuthDBMGroupFile :

 htdbm -cbt $htdbmfilename $username NULL "$group1,$group2,$group3:Fake password is NULL"

To add additional users:

 htdbm -bt $htdbmfilename $username NULL "$group1,$group2,$group3:Fake password is NULL"

To dump the contents:

 htdbm -l $htdbmfilename

Note that the database will actually reside in two files, $htdbmfilename.dir and $htdbmfilename.pag, but that in the .htaccess file you reference $htdbmfilename:

 AuthDBMGroupFile $htdbmfilename

Note that real passwords could be used and the AuthDBMGroupFile and AuthDBMUserFile could point to the same file, as documented (poorly) in the Apache docs.

Interesting posting related to this

 On Wed, 30 Mar 2005 14:32:25 -0500, Eric Covener <covener@gmail.com> wrote:
 > On Wed, 30 Mar 2005 12:15:54 +0200, André Malo <nd@perlig.de> wrote:
 > > -0 since htdbm lacks the group features (afaics).
 > 
 > Probably in need of a syntax and/or doc change but the following seems
 > to work with authz_dbm:
 > 
 > htdbm  -t mydb myuser "group1,group2,group3:my comment"
 > 
 > (-t is "last parameter used for comments field")
 
 Ouch.  So when people have been adding comments currently with no
 preceding colon, mod_authz_dbm would interpret that as a group? 
 Likely the group wouldn't match, but still...
 
 Sounds like the comments parameter shouldn't allow embedded colon (to
 avoid misinterpretation), and there should also be a group parameter
 (-g group1[,group2]...), and the comment handling should put the
 comment in the right place? (i.e., leave group field properly set to
 empty or a list of groups)
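The record format the HOWTO and the posting rely on, as an added Python example that is not code from this page or from Apache: it builds the `password:group1,group2:comment` value that `htdbm -t` stores for a user, reads the group list back the way the page describes mod_authz_dbm doing it (the field after the first colon, or the whole value when there is none), and converts an AuthGroupFile into those values. `FAKE_PASSWORD`, `FAKE_COMMENT`, the function names and the sample group file are the example's own assumptions.

```python
# Added example, not code from this page or from Apache. FAKE_PASSWORD,
# FAKE_COMMENT and the function names are the example's own, not htdbm's
# or mod_authz_dbm's.

FAKE_PASSWORD = "NULL"
FAKE_COMMENT = "Fake password is NULL"


def dbm_value(groups, password=FAKE_PASSWORD, comment=FAKE_COMMENT):
    """Value for one user record: password:group1,group2,...:comment.
    This is what `htdbm -bt db user NULL "g1,g2:comment"` writes."""
    for g in groups:
        if ":" in g or "," in g or not g:
            raise ValueError("bad group name %r" % g)
    if ":" in password:
        raise ValueError("password field may not contain ':'")
    return "%s:%s:%s" % (password, ",".join(sorted(set(groups))), comment)


def groups_from_value(value):
    """Group list mod_authz_dbm would see for a stored value: with no colon
    the whole value is the list; otherwise the second colon-separated field.
    A plain htdbm -t comment with no leading colon therefore becomes a
    'group', which is the problem raised in the posting above."""
    fields = value.split(":")
    groups = fields[0] if len(fields) == 1 else fields[1]
    return set(g for g in groups.split(",") if g)


def htgroup_to_dbm(text):
    """Map AuthGroupFile lines ("group: user1 user2") to {user: value}."""
    by_user = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        group, users = line.split(":", 1)
        for user in users.split():
            by_user.setdefault(user, set()).add(group.strip())
    return {u: dbm_value(gs) for u, gs in by_user.items()}


# Constructed sample AuthGroupFile (not from the page)
SAMPLE_HTGROUP = "PAC: alice bob\nPAC_Guest: carol\nLab_Management: bob\n"

if __name__ == "__main__":
    for user, value in sorted(htgroup_to_dbm(SAMPLE_HTGROUP).items()):
        print(user, value, groups_from_value(value))
```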

htdbm --help output

 htdbm -- program for manipulating DBM password databases.
 
 Usage: htdbm    [-cmdpstvx] [-TDBTYPE] database username
                -b[cmdptsv]  [-TDBTYPE] database username password
                -n[mdpst]                        username
                -nb[mdpst]                       username password
                -v[mdps]     [-TDBTYPE] database username
                -vb[mdps]    [-TDBTYPE] database username password
                -x[mdps]     [-TDBTYPE] database username
                -l           [-TDBTYPE] database
 Options:
   -b   Use the password from the command line rather than prompting for it.
   -c   Create a new database.
   -n   Don't update database; display results on stdout.
   -m   Force MD5 encryption of the password (default).
   -d   Force CRYPT encryption of the password (now deprecated).
   -p   Do not encrypt the password (plaintext).
   -s   Force SHA encryption of the password.
   -T   DBM Type (SDBM|GDBM|DB|default).
   -l   Display usernames from database on stdout.
   -t   The last param is username comment.
   -v   Verify the username/password.
   -x   Remove the username record from database.

Script to convert htgroups file to htdbmgroups file

#!/usr/bin/tclsh
#
# Convert an AuthGroupFile ("group: user1 user2 ...") into the DBM file
# used by AuthDBMGroupFile, writing one htdbm record per user.

set htgroupfile [ lindex $argv 0 ]
set dbmfile     [ lindex $argv 1 ]

if { ! [ string length $dbmfile ] } {
   puts "\n  Usage: htgroup-to-dbm.tcl htgroupfile dbmfile\n"
   exit 1
}

puts "Converting '$htgroupfile' to '$dbmfile'"

set fid [ open $htgroupfile r ]
set data [ read $fid ]
close $fid

set N 0

# Build ::A(user) -> list of groups from each "group: user user ..." line
foreach line [ split $data "\n" ] {
   if { [ regexp {^(\S+):\s+(.+)} $line -> group users ] } {
      foreach user $users {
         lappend ::A([ string trim $user ]) [ string trim $group ]
      }
      incr N
   }
}

set U [ array size ::A ]
puts "Adding $U users from $N groups to the new database."
puts "This will take about [ expr {$U/125} ] seconds."

# Predictable path in the shared /tmp; use a private directory on a
# multi-user host.  Start from a clean temp database so stale records
# from an earlier run are not carried over.
set tempfile /tmp/[ file tail $dbmfile ]
foreach ext {dir pag} { file delete -force ${tempfile}.$ext }

if { [ catch {
   foreach user [ array names ::A ] {
      set groups [ join [ lsort -unique $::A($user) ] , ]
      # -c creates the database on the first record.  Passing the
      # arguments to exec directly (instead of eval on a string) keeps
      # usernames from being re-split or expanded.  htdbm's progress
      # messages go to stderr, which exec would otherwise treat as an error.
      if { [ file exists ${tempfile}.pag ] } {
         exec htdbm -bt $tempfile $user NULL "$groups:Fake password is NULL" 2>@ stdout
      } else {
         exec htdbm -cbt $tempfile $user NULL "$groups:Fake password is NULL" 2>@ stdout
      }
   }
} err ] } {
   error "Failed to create new database '$dbmfile': $err"
}

# Keep a backup of the live database, then move the new one into place
set targetdir [ file dirname $dbmfile ]
file mkdir $targetdir
if { [ file exists ${dbmfile}.dir ] } {
   file rename -force ${dbmfile}.dir ${dbmfile}.dir.bak
}
if { [ file exists ${dbmfile}.pag ] } {
   file rename -force ${dbmfile}.pag ${dbmfile}.pag.bak
}
file rename -force ${tempfile}.dir ${dbmfile}.dir
file rename -force ${tempfile}.pag ${dbmfile}.pag

Another script: listing the users in each group that an .htaccess file requires

#!/bin/ksh
#
# Name:
#
#  htaccesslist.sh
#
# Returns the lists of users in each group
# declared in the .htaccess file via the:
#
#   require group foo bar baz
#
# directive.
#
# Phil Ehrens <pehrens@ligo.caltech.edu>
#

htaccessfile=/var/www/html/pac/.htaccess
htdbmfile=/etc/httpd/conf/htdbmgroups

#
# Will return, for example:
#
#  LSC,MOU_Reviewers,LSC_Authors,LVC_Authors,marco.cavaglia
#
dbusers=`htdbm -l $htdbmfile 2>&1 |grep -Po ' [A-Z][^:]+' |grep -Pv '(Fake|NULL)'`

#
# Will return, for example:
#
#  PAC PAC_Guest Lab_Directorate Lab_Management
#
grouplist=`grep -Pi 'require group' $htaccessfile |cut -d ' ' -f3-`

#
# Returns group names and user lists exactly as you would
# declare them in an AuthGroupFile
#
for group in $grouplist
do
   names=
   for user in $dbusers
   do
      # Split "group1,group2,...,username" on commas; the last
      # element is the username
      oIFS="$IFS"
      IFS=','
      set -A str $user
      IFS="$oIFS"
      name=${str[${#str[@]}-1]}
      # Compare whole fields: a substring test such as
      # [[ "$user" =~ "$group" ]] would also list PAC_Guest's
      # members under PAC
      for g in "${str[@]}"
      do
         if [[ "$g" == "$group" ]] ; then
            names="$names $name@LIGO.ORG"
            break
         fi
      done
   done
   echo "$group:$names"
done


Last edited March 2, 2011 5:37 pm by Pokute