Difference between revisions of "NATS4 mod authn dbd"

From TMM Wiki
Jump to navigationJump to search
(added warning to ensure member usernames are unique across all sites)
 
(4 intermediate revisions by 2 users not shown)
Line 5: Line 5:
  
 
Apache Module mod_authn_dbd allows you to authenticate [[Ct#Member|members]] against the NATS database.<br>
 
Apache Module mod_authn_dbd allows you to authenticate [[Ct#Member|members]] against the NATS database.<br>
<pre style="color: red;font-weight: bold;">Please note: Usernames MUST be unique across all sites if using this method to authenticate members.
+
 
You can confirm this by checking the Surfer section of your Configuration Admin to ensure the 'UNIQUE_MEMBER_NAMES' setting is set to 'For all sites'.</pre>
 
 
This has been tested with Apache 2.4  
 
This has been tested with Apache 2.4  
  
Line 29: Line 28:
 
<b>Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.</b>
 
<b>Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.</b>
  
 +
 +
 +
If you are having issues connecting to the db with mod_authn_dbd such as the following than you may be hitting the max connection limit in mysql
 +
<pre>
 +
[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: Can't connect to mysql
 +
[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: failed to initialise
 +
[Fri Jun 21 14:18:04 2019] [error] [client 99.192.230.138] Failed to acquire database connection to look up user 'XXXXXXXXX', referer: XXXXXXXX
 +
</pre>
 +
 +
To resolve this, you can disable  the following setting
 +
<pre>
 +
DBDPersist Off
 +
</pre>
  
 
=== Turning on mod_authn_dbd ===
 
=== Turning on mod_authn_dbd ===
Line 61: Line 73:
 
<?php
 
<?php
  
$cryptPass = <encrypted password, get from the db row for the matching username>;
+
$cryptPass = <cryptpass value, get from the db row for the matching username>;
 
$userPass = <unencrypted password, get from the submitted login form>;
 
$userPass = <unencrypted password, get from the submitted login form>;
  

Latest revision as of 10:31, 24 June 2019

NATS 4
Members Admin
The Members Admin
View Member Details
Add Member
MySQL Auth
Mod Authn DB
Multisite Access
Member Logging
Member Password Retrieval
OpenID Connect
Mod Auth OpenIDC
ID Numbers


Apache Module mod_authn_dbd allows you to authenticate members against the NATS database.

This has been tested with Apache 2.4

Setting up mod_authn_dbd

Have your host install the apache module mod_authn_dbd on your server if not installed already.

Adjusting dbd_mysql.conf

To authenticate using mod_authn_dbd and the NATS database, you or your host would need to adjust the mod_authn_dbd configuraction file(dbd_mysql.conf). The following code consists of specific configuration settings for this module:

DBDriver mysql
DBDParams "host=127.0.0.1 port=3306 user=xxUSERxx pass=xxPASSxx dbname=xxDBNAMExx"
DBDMin  2
DBDKeep 4
DBDMax  10
DBDExptime 300

Replace "xxUSERxx", "xxPASSxx", and "xxDBNAMExx" with your NATS database username, password, and database name.
Note: For additional security, we suggest creating a separate db user with only the SELECT privilege to the member_auth table.


If you are having issues connecting to the db with mod_authn_dbd such as the following than you may be hitting the max connection limit in mysql

[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: Can't connect to mysql
[Fri Jun 21 14:18:04 2019] [error] (20014)Internal error (specific information not available): DBD: failed to initialise
[Fri Jun 21 14:18:04 2019] [error] [client 99.192.230.138] Failed to acquire database connection to look up user 'XXXXXXXXX', referer: XXXXXXXX

To resolve this, you can disable the following setting

DBDPersist Off

Turning on mod_authn_dbd

Have your host run the following commands which will activate this module:

a2enmod dbd
a2enmod authn_dbd
a2enconf dbd_mysql

Adjust Apache Site Configuration file

Once installed and configured, the next step would be to adjust the Apache Site configuration for the site in question. The following code consists of an example providing specific configuration settings for this module for a site:

<Directory /path/to/the/members/section>
	AuthName "You Must Login"
	AuthType Basic
	AuthBasicProvider dbd
	AuthDBDUserPWQuery "SELECT cryptpass FROM member_auth WHERE username = %s AND siteid = xxSiteidxx"
	Require valid-user
</Directory>

Replace X in "siteid=xxSiteidxx" with the ID number of the site you would like to affect. If you would like to use a single member's area for all of your sites, simply remove "AND siteid=xxSiteidxx" from the line. For more options and information, please see our Multisite Access article.

Authenticating members using their encrypted password

When a member record is created in NATS, we use the crypt function with a random salt to create the cryptpass value. When authenticating members using custom php code, you need to call the php crypt() function using the current cryptpass value as the salt. And if the final result matches the existing cryptpass value, you can conclude the user entered password is correct. Here is an example:

<?php

$cryptPass = <cryptpass value, get from the db row for the matching username>;
$userPass = <unencrypted password, get from the submitted login form>;

$newCrypt = crypt($userPass, $cryptPass);

if ($cryptPass == $newCrypt) <user is authenticated>
else <password is not correct>

See Also