Difference between revisions of "NATS4 MySQL Auth"

From TMM Wiki
Jump to navigationJump to search
m
 
(added warning to ensure member usernames are unique across all sites)
 
(12 intermediate revisions by 6 users not shown)
Line 2: Line 2:
 
| show_members_admin_section = true
 
| show_members_admin_section = true
 
}}
 
}}
 +
 +
<pre style="color: red;font-weight: bold;">Please note: As of Apache 2.4 mod_auth_mysql is discontinued and no longer supported</pre>
 +
<pre style="color: red;font-weight: bold;">Please note: Usernames MUST be unique across all sites if using this method to authenticate members.
 +
Check the Surfer section of your Configuration Admin to ensure the 'UNIQUE_MEMBER_NAMES' setting is set to 'For all sites'.</pre>
 +
'''Read through our [[NATS4_mod_authn_dbd]] article for an alternative authentication method'''
 +
 +
MySQL Auth is a feature supported by [[NATS]] that allows you to authenticate [[Ct#Member|members]] against an external MySQL database. This is useful for clients who use an external member database to store information.
  
 
== Setting up MySQL Auth ==
 
== Setting up MySQL Auth ==
Line 7: Line 14:
 
''This article applies to mod_auth_mysql 3.0''
 
''This article applies to mod_auth_mysql 3.0''
 
=== Biller Member Management ===
 
=== Biller Member Management ===
Tell the biller to turn off user management on their end.
+
 
 +
In order to use the MySQL Auth feature, you must first tell the [[Ct#Biller|biller]] to turn off user management on their end.
  
 
=== .htaccess ===
 
=== .htaccess ===
For NATS password management you'll have to use a mysql auth method, like Apache's mod_auth_mysql. Below are specific configuration settings for mod_auth_mysql:
+
For [[NATS]] password management, you will have to use a MySQL auth method, such as Apache's ''mod_auth_mysql''. The following code consists of specific configuration settings for ''mod_auth_mysql'':
  
 
<pre>
 
<pre>
Line 21: Line 29:
 
AuthMySQLUser <user for the nats database>
 
AuthMySQLUser <user for the nats database>
 
AuthMySQLPassword <password for the user for the nats database>
 
AuthMySQLPassword <password for the user for the nats database>
AuthMySQLUserTable member
+
AuthMySQLUserTable member_auth
 
AuthMySQLNameField username
 
AuthMySQLNameField username
 
AuthMySQLPasswordField password
 
AuthMySQLPasswordField password
 
AuthMySQLPwEncryption none
 
AuthMySQLPwEncryption none
AuthMySQLUserCondition "status=1 AND siteid=X AND username != '' AND password != ''"
+
AuthMySQLUserCondition "siteid=X AND username != '' AND password != ''"
 
require valid-user
 
require valid-user
 
</pre>
 
</pre>
  
Replace X in "siteid=X" to the ID number of one of your sites. To use a
+
Replace X in "siteid=X" with the [[ID Numbers|ID number]] of the [[Ct#Site|site]] you would like to affect. If you would like to use a single [[Ct#Member|member]]'s area for all of your sites, simply remove "AND siteid=X" from the line. For more options and information, please see our [[NATS4 Multisite Access|Multisite Access]] article. The ''NOT'' condition will prevent anyone from logging in without a username or password.
single member's area for all of your sites, remove "AND siteid=X" from
 
the line. See the [[NATS4 Multisite Access|Multisite Access]] article for more options.
 
The ''NOT'' condition prevents anyone from logging in without a username or password.
 
  
To use your old password files in combination with mod_auth_mysql,
+
<b>Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.</b>
add the following line to the configuration file on top of the auth
+
 
mod_auth_mysql lines:
+
If you would like to use your old password files in combination with the ''mod_auth_mysql'' feature, simply add the following line to your configuration file on top of the auth ''mod_auth_mysql'' lines:
  
 
<pre>
 
<pre>
Line 51: Line 56:
 
AuthMySQLAuthoritative Off
 
AuthMySQLAuthoritative Off
 
</pre>
 
</pre>
 +
 +
If you use member encryption change the password field to cryptpass and change
 +
AuthMySQLPwEncryption to crypt
  
 
=== Alternate Server Member Management ===
 
=== Alternate Server Member Management ===
If your NATS database is not on the same server as your member's
+
If your [[NATS]] database is on a different server from your site [[Ct#Member|member]]'s area, use the following instructions to use MySQL Auth:
area, use the following instructions.
+
 
 +
Use the GRANT command to give appropriate permissions to the [[NATS]] database username at the IP address of each member's area server. When this is done, change the value of the AuthMySQLHost directive to the IP address of the [[NATS]] server.
 +
 
 +
If you do not know how to do this, please request that your Host or Server admin allows the [[NATS]] database user to access the database from your member's area servers.
 +
 
 +
<b>Note: For additional security GRANT only the SELECT privilege to the member_auth table for this db user.</b>
 +
 
 +
=== Alternative MySQL member_auth view ===
  
Use the GRANT command to grant the appropriate permissions to the NATS
+
As an alternative to using the NATS member_auth table, you or your host can create a Mysql View of the member table so the active members are directly based upon the membership table rather than stored in a separate table. For details in regards to setting up a Mysql view visit [[NATS4 Create Member Auth View|create member auth view]].  
database username at the IP address of each member's area server and
 
change the value of the AuthMySQLHost directive to the IP address of
 
the NATS server. If you don't know how to do this, please request your
 
Host or Server admin to allow the NATS database user to access the
 
database from your members area servers.
 
  
 
== See Also ==
 
== See Also ==
Line 67: Line 77:
  
 
[[Category:DHUPDATE]]
 
[[Category:DHUPDATE]]
 +
[[Category:NATS4 Members Admin]]

Latest revision as of 18:09, 31 October 2018

NATS 4
Members Admin
The Members Admin
View Member Details
Add Member
MySQL Auth
Mod Authn DB
Multisite Access
Member Logging
Member Password Retrieval
OpenID Connect
Mod Auth OpenIDC
ID Numbers
Please note: As of Apache 2.4 mod_auth_mysql is discontinued and no longer supported
Please note: Usernames MUST be unique across all sites if using this method to authenticate members. 
Check the Surfer section of your Configuration Admin to ensure the 'UNIQUE_MEMBER_NAMES' setting is set to 'For all sites'.

Read through our NATS4_mod_authn_dbd article for an alternative authentication method

MySQL Auth is a feature supported by NATS that allows you to authenticate members against an external MySQL database. This is useful for clients who use an external member database to store information.

Setting up MySQL Auth

This article applies to mod_auth_mysql 3.0

Biller Member Management

In order to use the MySQL Auth feature, you must first tell the biller to turn off user management on their end.

.htaccess

For NATS password management, you will have to use a MySQL auth method, such as Apache's mod_auth_mysql. The following code consists of specific configuration settings for mod_auth_mysql:

AuthMYSQLEnable on
AuthName "Members Only"
AuthType Basic
AuthGroupFile /dev/null
AuthMySQLHost localhost
AuthMySQLDB <name of the nats datatbase>
AuthMySQLUser <user for the nats database>
AuthMySQLPassword <password for the user for the nats database>
AuthMySQLUserTable member_auth
AuthMySQLNameField username
AuthMySQLPasswordField password
AuthMySQLPwEncryption none
AuthMySQLUserCondition "siteid=X AND username != '' AND password != ''"
require valid-user

Replace X in "siteid=X" with the ID number of the site you would like to affect. If you would like to use a single member's area for all of your sites, simply remove "AND siteid=X" from the line. For more options and information, please see our Multisite Access article. The NOT condition will prevent anyone from logging in without a username or password.

Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.

If you would like to use your old password files in combination with the mod_auth_mysql feature, simply add the following line to your configuration file on top of the auth mod_auth_mysql lines:

AuthMySQLAuthoritative Off

Notes

If other sites on the server use htaccess for authentication, but aren't using mod_auth_mysql, add the following options to the top of their htaccess files:

AuthMySQLEnable Off
AuthMySQLAuthoritative Off

If you use member encryption change the password field to cryptpass and change AuthMySQLPwEncryption to crypt

Alternate Server Member Management

If your NATS database is on a different server from your site member's area, use the following instructions to use MySQL Auth:

Use the GRANT command to give appropriate permissions to the NATS database username at the IP address of each member's area server. When this is done, change the value of the AuthMySQLHost directive to the IP address of the NATS server.

If you do not know how to do this, please request that your Host or Server admin allows the NATS database user to access the database from your member's area servers.

Note: For additional security GRANT only the SELECT privilege to the member_auth table for this db user.

Alternative MySQL member_auth view

As an alternative to using the NATS member_auth table, you or your host can create a Mysql View of the member table so the active members are directly based upon the membership table rather than stored in a separate table. For details in regards to setting up a Mysql view visit create member auth view.

See Also