
High-Performance User Authentication

If the server has more than a few users who are required to use password authentication to access the website, the performance of the standard password file will be inadequate. The standard authentication module, mod_auth, uses a flat file that must be searched sequentially to find the user's password. Searching a flat file of only a few hundred entries can be very time consuming.

An alternative is to store the passwords in an indexed database. Two modules, mod_auth_dbm and mod_auth_db, provide support for password databases. They are used in exactly the same way as the standard flat file authentication. The only differences are the directives used to define the database inside the httpd.conf file and the command used to add passwords to the password database. The AuthUserFile directive used for the flat file is replaced by AuthDBUserFile for mod_auth_db or by AuthDBMUserFile for mod_auth_dbm. Our sample Red Hat system has the mod_auth_db module installed. The listing below shows the example from the previous listing, rewritten to use a database file on the sample Red Hat system.

Using mod_auth_db for User Authentication
<Directory /home/httpd/internal/accounting>
AuthName "Accounting"
AuthType Basic
AuthDBUserFile /usr/local/etc/http.passwords
AuthDBGroupFile /usr/local/etc/http.groups
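# require needs a keyword (user, group or valid-user); hdqtrs, rec, bill
# and pay are assumed here to be groups defined in the group file above
require group hdqtrs rec bill pay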
order deny,allow
deny from all
allow from example.org
</Directory>

The htpasswd command cannot be used to add passwords to a database file. Instead, use the command dbmmanage. The format of the dbmmanage command is:

dbmmanage file command username password

file is the filename of the database. username and password are exactly what you would expect for a password database. command is the keyword that tells dbmmanage what to do. The valid command values are the following:

add: Adds a username and password to the database. The provided password must already be encrypted.

adduser: Adds a username and password to the database. The password is provided as plain text, and is encrypted by dbmmanage.

check: Checks to see if the username is in the database, and if the passwords match.

delete: Removes an entry from the database.

import: Copies username:password entries from stdin to the database. The passwords must already be encrypted.

update: Changes the password for a user already in the database.

view: Displays the contents of the database.

To add the users sara and jay to the password database, enter the commands shown in the listing below.

Adding Users with dbmmanage
# cd /usr/local/etc
# dbmmanage http.passwords adduser sara
New password:
Re-type new password:
User sara added with password encrypted to 9jwUHif5Eu/M2
# dbmmanage http.passwords adduser jay
New password:
Re-type new password:
User jay added with password encrypted to MoiefJuxcM.OY
# dbmmanage http.passwords view
jay:MoiefJuxcM.OY
sara:9jwUHif5Eu/M2
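
Because the import command expects username:password lines whose passwords are already encrypted, it is worth vetting a file before piping it to dbmmanage. The following is an added example, not code from the original text or from Apache: the function name, the sample lines other than the jay and sara entries, and the assumption that every hash has the 13-character crypt format seen in the listing above are all introduced here.

```python
import re
import sys

# Assumption: traditional crypt(3) output, 13 characters from [./0-9A-Za-z],
# which is the format of the two hashes shown in the listing above.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")
USER_RE = re.compile(r"^[^\s:]+$")  # no whitespace and no ':' in a username


def vet_import_lines(lines):
    """Split candidate import lines into (accepted, rejected).

    accepted: 'user:hash' strings that satisfy the import precondition.
    rejected: (line_number, reason) tuples; the raw line is deliberately
    not echoed because it may contain a plain-text password.
    """
    accepted, rejected, seen = [], [], set()
    for num, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue  # ignore blank lines
        user, sep, secret = line.partition(":")
        if not sep:
            rejected.append((num, "missing ':' separator"))
        elif not USER_RE.match(user):
            rejected.append((num, "invalid username"))
        elif user in seen:
            rejected.append((num, "duplicate username"))
        elif not CRYPT_RE.match(secret):
            rejected.append((num, "password field is not a crypt hash"))
        else:
            seen.add(user)
            accepted.append(f"{user}:{secret}")
    return accepted, rejected


# Constructed input: the first two entries come from the listing above,
# the remaining lines are made-up examples of what should be refused.
SAMPLE = [
    "jay:MoiefJuxcM.OY\n",
    "sara:9jwUHif5Eu/M2\n",
    "kim:summer2024\n",          # plain text, never hashed
    "jay:9jwUHif5Eu/M2\n",       # second entry for an existing user
    "no-separator-here\n",
    "bad user:MoiefJuxcM.OY\n",  # whitespace in the username
]

if __name__ == "__main__":
    ok, bad = vet_import_lines(SAMPLE)
    print("\n".join(ok))  # only these lines are fit for the import command
    for num, reason in bad:
        print(f"line {num}: {reason}", file=sys.stderr)
```

A plain-text password that happens to be 13 characters from the same alphabet would pass the pattern, so treat the check as a filter for obvious mistakes rather than proof that every field is a hash.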

Using an authentication database provides very dramatic performance improvements. Always use this feature when using user authentication for a large group of users.
