The Debian Project

Usage of mod_auth_mysql

The Apache module mod_auth_mysql provides easy web authentication against a MySQL database. Password files are no longer needed and, as a bonus, authentication can be shared with other web applications such as Mantis, Cacti, Bugzilla, phpGroupWare, etc.

In Debian, however, the package libapache2-mod-auth-mysql has been removed from etch. It is well maintained in sid, though, compiles fine on etch, and is usable there as well.

When the included module mod_auth_mysql is enabled, authentication via BasicAuth (and .htaccess) may refer to information stored in a MySQL database. The authentication configuration looks like:

   AuthType Basic

   AuthBasicAuthoritative Off
   AuthUserFile /dev/null

   AuthMySQL On
   AuthMySQL_Socket /var/run/mysqld/mysqld.sock
   AuthMySQL_User db_user
   AuthMySQL_Password db_pass
   AuthMySQL_DB db_name
   AuthMySQL_Password_Table db_table
   AuthMySQL_Username_Field db_username
   AuthMySQL_Password_Field db_password
   AuthMySQL_Encryption_Types PHP_MD5

   <Limit GET POST PUT HEAD>
   require valid-user
   </Limit>

A hostname (even localhost) may be specified instead of the socket. More encryption types are supported (see the documentation), and the module supports many more configuration options.

However, its documentation usually lacks the note that regular BasicAuth needs to be turned off and its password file nullified. Both lines are important; otherwise authentication will not work and the request results in a server error. For some reason, the basic auth routine tries to open a password file even though it is not used.

The error messages accompanying a missing AuthUserFile setting look like:

   [Thu Nov 01 20:12:19 2007] [error] Internal error: pcfg_openfile() called with NULL filename
   [Thu Nov 01 20:12:19 2007] [error] [client 127.0.0.1] (9)Bad file descriptor: Could not open password file: (null)
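
A small lint for the pitfall described above, as an added example that is not part of the original page or of the module: it flags an `AuthMySQL On` block that lacks the two companion lines. The function names are hypothetical, the sample blocks are constructed from the page's configuration, and the two WARN checks (the scope of `<Limit>` and unsalted PHP_MD5 hashes) go beyond what the page states.

```python
import re

def parse_directives(text):
    """Parse an Apache config fragment into ({directive: value}, limit_methods)."""
    directives, limit_methods = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"<Limit\s+([^>]+)>", line, re.I)
        if m:
            limit_methods = m.group(1).split()
        elif line and line[0] not in "<#":  # skip comments and other section tags
            parts = line.split(None, 1)
            directives[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return directives, limit_methods

def check_auth_mysql(text):
    """Return findings for one mod_auth_mysql block; an empty list means clean."""
    d, limit = parse_directives(text)
    if d.get("authmysql", "").lower() != "on":
        return []  # module not enabled in this block
    findings = []
    # The two companion lines the page says must accompany AuthMySQL On.
    if d.get("authbasicauthoritative", "").lower() != "off":
        findings.append("ERROR basic-authoritative: add 'AuthBasicAuthoritative Off'")
    if "authuserfile" not in d:
        findings.append("ERROR no-userfile: add 'AuthUserFile /dev/null'")
    # Hardening checks that go beyond the page's text.
    if limit is not None:
        findings.append("WARN limit: 'require' only covers " + " ".join(limit))
    if "php_md5" in d.get("authmysql_encryption_types", "").lower().split():
        findings.append("WARN php-md5: PHP_MD5 hashes are unsalted MD5")
    return findings

# Constructed samples: the page's block (shortened), and a copy without the two lines.
PAGE_CONFIG = """\
AuthType Basic
AuthBasicAuthoritative Off
AuthUserFile /dev/null
AuthMySQL On
AuthMySQL_Encryption_Types PHP_MD5
<Limit GET POST PUT HEAD>
require valid-user
</Limit>
"""
BROKEN_CONFIG = "\n".join(l for l in PAGE_CONFIG.splitlines()
                          if not l.startswith(("AuthBasicAuthoritative", "AuthUserFile")))
if __name__ == "__main__":
    print(check_auth_mysql(PAGE_CONFIG), check_auth_mysql(BROKEN_CONFIG), sep="\n")
```

Methods not listed in the `<Limit>` section are not covered by the enclosed `require`, which is why the lint warns on it even for the page's working block.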