Difference between revisions of "NATS4 mod authn dbd"

From TMM Wiki
Jump to navigationJump to search
Line 55: Line 55:
 
=== Authenticating members using their encrypted password  ===
 
=== Authenticating members using their encrypted password  ===
  
When a member record is created in NATS, we use the crypt function with a random salt to create the cryptpass value. When authenticating members using custom php code, you need to call the php crypt() function using the current cryptpass value as the salt. And if the final result matches the existing cryptpass value, you can conclude the user entered password is correct. Here is some pseudo code for this.
+
When a member record is created in NATS, we use the crypt function with a random salt to create the cryptpass value. When authenticating members using custom php code, you need to call the php crypt() function using the current cryptpass value as the salt. And if the final result matches the existing cryptpass value, you can conclude the user entered password is correct. Here is an example of how this would be written in pseudo code.
 
<pre>
 
<pre>
  
Line 68: Line 68:
 
else <password is not correct>
 
else <password is not correct>
 
</pre>
 
</pre>
 
  
 
== See Also ==
 
== See Also ==

Revision as of 17:24, 20 April 2018

NATS 4
Members Admin
The Members Admin
View Member Details
Add Member
MySQL Auth
Mod Authn DB
Multisite Access
Member Logging
Member Password Retrieval
OpenID Connect
Mod Auth OpenIDC
ID Numbers


Apache Module mod_authn_dbd allows you to authenticate members against the NATS database.
This has been tested with Apache 2.4

Setting up mod_authn_dbd

Have your host install the apache module mod_authn_dbd on your server if not installed already.

Adjusting dbd_mysql.conf

To authenticate using mod_authn_dbd and the NATS database, you or your host would need to adjust the mod_authn_dbd configuraction file(dbd_mysql.conf). The following code consists of specific configuration settings for this module:

DBDriver mysql
DBDParams "host=127.0.0.1 port=3306 user=xxUSERxx pass=xxPASSxx dbname=xxDBNAMExx"
DBDMin  2
DBDKeep 4
DBDMax  10
DBDExptime 300

Replace "xxUSERxx", "xxPASSxx", and "xxDBNAMExx" with your NATS database username, password, and database name.
Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.


Turning on mod_authn_dbd

Have your host run the following commands which will activate this module:

a2enmod dbd
a2enmod authn_dbd
a2enconf dbd_mysql

Adjust Apache Site Configuration file

Once installed and configured, the next step would be to adjust the Apache Site configuration for the site in question. The following code consists of an example providing specific configuration settings for this module for a site:

<Directory /path/to/the/members/section>
	AuthName "You Must Login"
	AuthType Basic
	AuthBasicProvider dbd
	AuthDBDUserPWQuery "SELECT cryptpass FROM member_auth WHERE username = %s AND siteid = xxSiteidxx"
	Require valid-user
</Directory>

Replace X in "siteid=xxSiteidxx" with the ID number of the site you would like to affect. If you would like to use a single member's area for all of your sites, simply remove "AND siteid=xxSiteidxx" from the line. For more options and information, please see our Multisite Access article.

Authenticating members using their encrypted password

When a member record is created in NATS, we use the crypt function with a random salt to create the cryptpass value. When authenticating members using custom php code, you need to call the php crypt() function using the current cryptpass value as the salt. And if the final result matches the existing cryptpass value, you can conclude the user entered password is correct. Here is an example of how this would be written in pseudo code.


<?php

$cryptPass = <encrypted password, get from the db row for the matching username>;
$userPass = <unencrypted password, get from the submitted login form>;

$newCrypt = crypt($userPass, $cryptPass);

if ($cryptPass = $newCrypt) <user is authenticated>
else <password is not correct>

See Also