You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by "J.Lance Wilkinson" <jl...@psu.edu> on 2011/09/15 23:01:17 UTC
[users@httpd] mod_dbd, mod_authn_dbd examples
Apologies in advance if this isn't formatted or researched as you'd like. I've
been using Apache HTTPD for many, many years, but have never needed to set this
aspect of configuration up.
In the wake of last week's "Single Value Authentication Module" query, and the
decision to follow the sage advice from that thread, my colleagues and I have
decided to use a database lookup to authenticate the user. This way we can
hopefully use mostly off-the-shelf components, and have the specialized
business logic involved in denying access to the resource when the user's
authorization has expired simply be part of the database query (query would
only return passwords for users whose access is not expired).
So, I've read the documentation for mod_dbd and mod_authn_dbd for Apache 2.2.x
and those modules are compiled and ready for loading.
The database involved will be an ORACLE database.
I set up a configuration to test this, pretty much following the example in the
mod_authn_dbd documentation:
DBDriver pgsql
DBDMin 4
DBDKeep 8
DBDMax 20
DBDExptime 300
<Location ~ "^/(.*)/restrictedArea(.html|/(.*)?)$">
DBDParams "dbname=george user=yogi password=fred"
AuthType Basic
AuthName "Restricted Access: Supply appropriate credentials"
AuthBasicProvider dbd
Require valid-user
AuthDBDUserPWQuery \
"SELECT password FROM authn WHERE user = %s AND expired = no"
</Location>
Syntax scan is fine EXCEPT for DBDriver line. It reports:
DBD: No driver for pgsql
Now, I am NOT a Database person. I used what was in the mod_authn_dbd
documentation just to get started. The mod_dbd docs says this selects an
apr_dbd driver name. It's not clear to me if I even HAVE any apr_dbd drivers
installed on this machine (yet). Presuming somebody locally will be taking
care of setting up the Oracle connection(s) needed, what apr_dbd stuff do I
need, where do I find it, what do I do with it?
I've looked for cookbooks on this (including my dog-eared copy of Ken and
Rich's _Cookbook_ ;-P) and haven't found anything yet.
Somebody take pity?
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Mark H. Wood wrote:
> Indeed, the configuration manpage doesn't tell us much at all about
> DBD support.
>
....
> I'm sorry to be a bit vague myself, but I usually just use the Gentoo
> Linux packaging system to install/upgrade HTTPD and it sorts all this
> out, so I'm not writing from fresh experience of actually making it
> work.
>
No, Mark. Your information here has been the single most helpful (not to
say the other's haven't been of some help, but they did leave me with more
questions than answers).
Add to the complications my personal history of first using Apache HTTPD on
a non-windows/non-Unix environment (OpenVMS) so much of the inherent
folklore and collective "culture" assumed so often by folks writing the
code & documentation is non-existant in my sensorium.
Everyone's help here is valued greatly. But thanks, Mark, for your
knowledgeable experimentation on my behalf like this.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
Indeed, the configuration manpage doesn't tell us much at all about
DBD support.
I just got a copy of the 2.2.21 source kit and tried out a few
'configure's.
If you have shared APR and APU installed, then by default it just uses
those. In that case, you would need APU (apr-utils) to have ODBC
support built in. Or you can specify --with-included-apr --with-included-apu
to build HTTPD with its own copies of APR and APU.
If you don't have shared APR and APU then building HTTPD also builds
private APR and APU.
In either case, it appears that the APU configuration script will
search for various DBMS support libraries and use them if it can. In
my case it found odbc_config and set up to build with ODBC support.
This was the --with-included-apr --with-included-apu case. So, it
looks to me as though, if ODBC is installed and findable in the build
environment, then HTTPD (or shared APU) will be built to use it.
If your ODBC library is in a "nonstandard" location then you can point
to it using --with-odbc=DIR .
I'm sorry to be a bit vague myself, but I usually just use the Gentoo
Linux packaging system to install/upgrade HTTPD and it sorts all this
out, so I'm not writing from fresh experience of actually making it
work.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Mark H. Wood wrote:
> Some clues at:
>
> http://old.nabble.com/help-with-mod_authn_dbd-and-oracle-td20562832.html
>
> The actual DBMS drivers are built into apr-util, or supplied
> separately since they can be dynamically loaded. In your environment,
> if it's supplied separately then just be sure you got it; otherwise,
> if you're using a shared apr-util, it needs to be built for Oracle
> support; otherwise (HTTPD using its own inbuilt apr-util) HTTPD will
> need to be built for Oracle support.
Wasn't built with any DBD support libraries. Makes sense, when the
original package was built this whole idea of doing database queries
from within an Apache module just wasn't part of the considerations.
I've just verified the Solaris development zone where this was last
constructed is still available, and the person responsible for it
is re-familiarizing himself with it in preparation for rebuilding
with database support.
>
> For a quick test, you could try just changing 'pgsql' to 'oracle' and
> see what happens. I agree with others that 'DBDriver pgsql' asks for
> the PostgreSQL driver.
Same results for "DBDriver oracle" so clearly my package needs
to be rebuilt for support of these additional concerns. Even
though the customer wants to use an Oracle DB, I think we'll
build this just for ODBC, since there are apparently unwelcome
licensing requirements for the supporting Oracle libraries that
are not even going to be considered for the multiple hosts running
Apache that will need this authentication. They'll use ODBC
to talk to the odbc listener on the licensed Oracle system instead.
So, we need to add --with-SOMETHING and/or --enable-SOMETHING to get
the odbc driver built, right? Reading the configuration docs at
http://httpd.apache.org/docs/2.2/programs/configure.html
and trying to find something referring to database drivers or
something like that, the only thing I see is the --with-apr=DIR
or FILE configuration option. It's clear as mud to me, sorry.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by "Mark H. Wood" <mw...@IUPUI.Edu>.
Some clues at:
http://old.nabble.com/help-with-mod_authn_dbd-and-oracle-td20562832.html
The actual DBMS drivers are built into apr-util, or supplied
separately since they can be dynamically loaded. In your environment,
if it's supplied separately then just be sure you got it; otherwise,
if you're using a shared apr-util, it needs to be built for Oracle
support; otherwise (HTTPD using its own inbuilt apr-util) HTTPD will
need to be built for Oracle support.
For a quick test, you could try just changing 'pgsql' to 'oracle' and
see what happens. I agree with others that 'DBDriver pgsql' asks for
the PostgreSQL driver.
--
Mark H. Wood, Lead System Programmer mwood@IUPUI.Edu
Asking whether markets are efficient is like asking whether people are smart.
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by "J.Lance Wilkinson" <jl...@psu.edu>.
Nick Kew wrote:
> On Thu, 15 Sep 2011 17:01:17 -0400
> "J.Lance Wilkinson" <jl...@psu.edu> wrote:
>
>> Now, I am NOT a Database person. I used what was in the mod_authn_dbd
>> documentation just to get started. The mod_dbd docs says this selects an
>> apr_dbd driver name. It's not clear to me if I even HAVE any apr_dbd drivers
>> installed on this machine (yet). Presuming somebody locally will be taking
>> care of setting up the Oracle connection(s) needed, what apr_dbd stuff do I
>> need, where do I find it, what do I do with it?
>
> Look in the APR libs directory for a file called apr_dbd_pgsql.so,
> apr_dbd_oracle.so, and similarly-named files. Those are driver files.
Do I need to load these as modules, too? Or do they get dynamically
associated from the library when the DBDriver directive calls for them?
Or do they get statically linked into mod_dbd.so when included in the
package build?
>
> If you build the server yourself, you (may) have to use
> "--with-foo" configuration options. If you installed from
> packages, check your packager's docs.
They're not present in my lib directory or any other subordinate
to the server root. Platform that I'm concerned about is Solaris 10,
so there's no packager involved (a colleague built the entire package
several years ago). Guess I have to rebuild the package w/
--with-SOMETHING for the oracle or perhaps odbc drivers.
--------------------------------------------------------------------------------
Igor Cicimov wrote:
> Hmmm not sure really but that driver name sounds like is for PostgreSQL
> database :)
Your guess is as good as mine on that. It was simply copied verbatim
from the configuration example at
http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
as a starting point for developing a configuration.
--
J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
Systems Design Specialist - Lead Phone: (814) 865-4870
Digital Library Technologies FAX: (814) 863-3560
E3 Paterno Library
Penn State University
University Park, PA 16802
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by Nick Kew <ni...@webthing.com>.
On Thu, 15 Sep 2011 17:01:17 -0400
"J.Lance Wilkinson" <jl...@psu.edu> wrote:
> Now, I am NOT a Database person. I used what was in the mod_authn_dbd
> documentation just to get started. The mod_dbd docs says this selects an
> apr_dbd driver name. It's not clear to me if I even HAVE any apr_dbd drivers
> installed on this machine (yet). Presuming somebody locally will be taking
> care of setting up the Oracle connection(s) needed, what apr_dbd stuff do I
> need, where do I find it, what do I do with it?
Look in the APR libs directory for a file called apr_dbd_pgsql.so,
apr_dbd_oracle.so, and similarly-named files. Those are driver files.
If you build the server yourself, you (may) have to use
"--with-foo" configuration options. If you installed from
packages, check your packager's docs.
--
Nick Kew
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] mod_dbd, mod_authn_dbd examples
Posted by Igor Cicimov <ic...@gmail.com>.
Hmmm not sure really but that driver name sounds like is for PostgreSQL
database :)
On Sep 16, 2011 7:01 AM, "J.Lance Wilkinson" <jl...@psu.edu> wrote:
> Apologies in advance if this isn't formatted or researched as you'd like.
I've
> been using Apache HTTPD for many, many years, but have never needed to set
this
> aspect of configuration up.
>
> In the wake of last week's "Single Value Authentication Module" query, and
the
> decision to follow the sage advice from that thread, my colleagues and I
have
> decided to use a database lookup to authenticate the user. This way we can
> hopefully use mostly off-the-shelf components, and have the specialized
> business logic involved in denying access to the resource when the user's
> authorization has expired simply be part of the database query (query
would
> only return passwords for users whose access is not expired).
>
> So, I've read the documentation for mod_dbd and mod_authn_dbd for Apache
2.2.x
> and those modules are compiled and ready for loading.
>
> The database involved will be an ORACLE database.
>
> I set up a configuration to test this, pretty much following the example
in the
> mod_authn_dbd documentation:
>
> DBDriver pgsql
> DBDMin 4
> DBDKeep 8
> DBDMax 20
> DBDExptime 300
>
> <Location ~ "^/(.*)/restrictedArea(.html|/(.*)?)$">
>
> DBDParams "dbname=george user=yogi password=fred"
> AuthType Basic
> AuthName "Restricted Access: Supply appropriate credentials"
> AuthBasicProvider dbd
> Require valid-user
> AuthDBDUserPWQuery \
> "SELECT password FROM authn WHERE user = %s AND expired = no"
> </Location>
>
> Syntax scan is fine EXCEPT for DBDriver line. It reports:
>
> DBD: No driver for pgsql
>
> Now, I am NOT a Database person. I used what was in the mod_authn_dbd
> documentation just to get started. The mod_dbd docs says this selects an
> apr_dbd driver name. It's not clear to me if I even HAVE any apr_dbd
drivers
> installed on this machine (yet). Presuming somebody locally will be taking
> care of setting up the Oracle connection(s) needed, what apr_dbd stuff do
I
> need, where do I find it, what do I do with it?
>
> I've looked for cookbooks on this (including my dog-eared copy of Ken and
> Rich's _Cookbook_ ;-P) and haven't found anything yet.
>
> Somebody take pity?
>
> --
> J.Lance Wilkinson ("Lance") InterNet: Lance.Wilkinson@psu.edu
> Systems Design Specialist - Lead Phone: (814) 865-4870
> Digital Library Technologies FAX: (814) 863-3560
> E3 Paterno Library
> Penn State University
> University Park, PA 16802
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
> " from the digest: users-digest-unsubscribe@httpd.apache.org
> For additional commands, e-mail: users-help@httpd.apache.org
>