Difference between revisions of "NATS4 mod authn dbd"
Tmm vincent (talk | contribs) (added warning to ensure member usernames are unique across all sites) |
|||
(4 intermediate revisions by 2 users not shown) | |||
Line 5: | Line 5: | ||
Apache Module mod_authn_dbd allows you to authenticate [[Ct#Member|members]] against the NATS database.<br> | Apache Module mod_authn_dbd allows you to authenticate [[Ct#Member|members]] against the NATS database.<br> | ||
− | + | ||
− | |||
This has been tested with Apache 2.4 | This has been tested with Apache 2.4 | ||
Line 29: | Line 28: | ||
<b>Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.</b> | <b>Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.</b> | ||
+ | |||
+ | |||
+ | If you are having issues connecting to the db with mod_authn_dbd such as the following than you may be hitting the max connection limit in mysql | ||
+ | <pre> | ||
+ | [Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: Can't connect to mysql | ||
+ | [Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: failed to initialise | ||
+ | [Fri Jun 21 14:18:04 2019] [error] [client 99.192.230.138] Failed to acquire database connection to look up user 'XXXXXXXXX', referer: XXXXXXXX | ||
+ | </pre> | ||
+ | |||
+ | To resolve this, you can disable the following setting | ||
+ | <pre> | ||
+ | DBDPersist Off | ||
+ | </pre> | ||
=== Turning on mod_authn_dbd === | === Turning on mod_authn_dbd === | ||
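Review bot: The sample log in the added pre block redacts the username and the referer but leaves the client address 99.192.230.138 in place; if that is a real visitor address, replace it with a placeholder as well. In the added sentence above the log, "than you may be hitting" should read "then you may be hitting". "To resolve this, you can disable the following setting" followed by "DBDPersist Off" reads ambiguously; say directly that DBDPersist should be set to Off, and consider stating what that change trades away so readers can decide whether to raise the MySQL connection limit instead.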
Line 61: | Line 73: | ||
<?php | <?php | ||
− | $cryptPass = < | + | $cryptPass = <cryptpass value, get from the db row for the matching username>; |
$userPass = <unencrypted password, get from the submitted login form>; | $userPass = <unencrypted password, get from the submitted login form>; | ||
Latest revision as of 10:31, 24 June 2019
Apache Module mod_authn_dbd allows you to authenticate members against the NATS database.
This has been tested with Apache 2.4
Setting up mod_authn_dbd
Have your host install the apache module mod_authn_dbd on your server if not installed already.
Adjusting dbd_mysql.conf
To authenticate using mod_authn_dbd and the NATS database, you or your host need to adjust the mod_authn_dbd configuration file (dbd_mysql.conf). The following settings are specific to this module:
<pre>
DBDriver mysql
DBDParams "host=127.0.0.1 port=3306 user=xxUSERxx pass=xxPASSxx dbname=xxDBNAMExx"
DBDMin 2
DBDKeep 4
DBDMax 10
DBDExptime 300
</pre>
Replace "xxUSERxx", "xxPASSxx", and "xxDBNAMExx" with your NATS database username, password, and database name.
Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.
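One way to create the restricted account suggested in the note above, as an added example that is not part of the NATS documentation. The account name nats_authn, its host and the password placeholder are assumptions; the column list is taken from the AuthDBDUserPWQuery used in the site configuration on this page, and the grant goes one step further than the note by allowing SELECT on those columns only.

```sql
-- Added example: account name, host and password are placeholders (assumptions).
-- Run as a MySQL administrator; replace xxDBNAMExx with the NATS database name.
-- The host part must match where Apache connects from (the page uses host=127.0.0.1).
CREATE USER 'nats_authn'@'127.0.0.1' IDENTIFIED BY 'xxAUTHNPASSxx';

-- Column-level SELECT on exactly what the lookup query reads:
-- cryptpass is returned, username and siteid appear in the WHERE clause.
GRANT SELECT (username, cryptpass, siteid)
  ON xxDBNAMExx.member_auth
  TO 'nats_authn'@'127.0.0.1';

-- Verify: expect USAGE on *.* plus the single column-level SELECT and nothing else.
SHOW GRANTS FOR 'nats_authn'@'127.0.0.1';
```

Put this account's name and password in the user= and pass= fields of DBDParams instead of the main NATS database user.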
If mod_authn_dbd fails to connect to the database with errors such as the following, then you may be hitting the max connection limit in MySQL:
<pre>
[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: Can't connect to mysql
[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: failed to initialise
[Fri Jun 21 14:18:04 2019] [error] [client 99.192.230.138] Failed to acquire database connection to look up user 'XXXXXXXXX', referer: XXXXXXXX
</pre>
To resolve this, you can disable persistent database connections by adding the following setting:
<pre>
DBDPersist Off
</pre>
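To confirm that the connection limit is what Apache is running into before changing DBDPersist, the MySQL server's own counters can be checked. This is an added example, not part of the NATS documentation; it only reads server variables and status.

```sql
-- Added example: read-only checks, run as a MySQL administrator.

-- Configured ceiling and the highest number of simultaneous connections seen.
SHOW GLOBAL VARIABLES LIKE 'max_connections';
SHOW GLOBAL STATUS LIKE 'Max_used_connections';

-- Connections refused because the ceiling was reached (grows while the errors occur).
SHOW GLOBAL STATUS LIKE 'Connection_errors_max_connections';

-- Connections open right now.
SHOW GLOBAL STATUS LIKE 'Threads_connected';

-- Which account and client host hold them; the port is stripped so that
-- all connections from one host are counted together.
SELECT user,
       SUBSTRING_INDEX(host, ':', 1) AS client_host,
       COUNT(*) AS open_connections
FROM information_schema.processlist
GROUP BY user, client_host
ORDER BY open_connections DESC;
```

If Max_used_connections equals max_connections and most open connections belong to the account named in DBDParams, the Apache connection pools are the ones exhausting the limit.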
Turning on mod_authn_dbd
Have your host run the following commands which will activate this module:
<pre>
a2enmod dbd
a2enmod authn_dbd
a2enconf dbd_mysql
</pre>
Adjust Apache Site Configuration file
Once installed and configured, the next step would be to adjust the Apache Site configuration for the site in question. The following code consists of an example providing specific configuration settings for this module for a site:
<pre>
<Directory /path/to/the/members/section>
    AuthName "You Must Login"
    AuthType Basic
    AuthBasicProvider dbd
    AuthDBDUserPWQuery "SELECT cryptpass FROM member_auth WHERE username = %s AND siteid = xxSiteidxx"
    Require valid-user
</Directory>
</pre>
Replace "xxSiteidxx" in "siteid = xxSiteidxx" with the ID number of the site you would like to affect. If you would like to use a single members area for all of your sites, simply remove "AND siteid = xxSiteidxx" from the line. For more options and information, please see our Multisite Access article.
Authenticating members using their encrypted password
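When a member record is created in NATS, we use the crypt function with a random salt to create the cryptpass value. When authenticating members using custom PHP code, you need to call the PHP crypt() function using the current cryptpass value as the salt. If the final result matches the existing cryptpass value, you can conclude the user-entered password is correct. Here is an example:
<pre>
<?php
// cryptpass value from the db row for the matching username
// ($row is assumed to be the member_auth row you fetched)
$cryptPass = $row['cryptpass'];
// unencrypted password from the submitted login form
// (the form field name 'password' is an assumption)
$userPass = $_POST['password'];

// Hash the submitted password using the stored value as the salt
$newCrypt = crypt($userPass, $cryptPass);

// hash_equals() compares in constant time and avoids the type juggling of ==
if (is_string($newCrypt) && hash_equals($cryptPass, $newCrypt)) {
    // user is authenticated
} else {
    // password is not correct
}
</pre>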