Environment:
OS: Windows XP SP2
Apache: 2.2.6
Subversion: 1.4.6
Normally Subversion's user password file is kept as a plain text file on the file system. Once security requirements, or extensibility needs such as single sign-on, come into play, managing users in a text file no longer meets the need. With Apache's mod_auth_mysql module we can keep the user information in MySQL instead. The module's home page is http://modauthmysql.sourceforge.net/, and its releases can also be found at http://modules.apache.org/. Installation is the same as for any other Apache module: copy it into the modules directory and add the following line to httpd.conf:
The corresponding Location section is rewritten as:
Here,
AuthMySQLHost db.kysf.net
AuthMySQLUser svnadmin
AuthMySQLDB svn
AuthMySQLUserTable users
AuthMySQLNameField user_name
AuthMySQLPasswordField user_password
AuthMySQLGroupField user_group
these six directives may be omitted. If omitted, the module uses its built-in defaults, which are:
Defaults:
AuthMySQLHost localhost
AuthMySQLUser ODBC
AuthMySQLDB test
AuthMySQLUserTable user_info
AuthMySQLNameField user_name
AuthMySQLPasswordField user_password
AuthMySQLGroupField user_group
Then create a database named svn in MySQL and create the users table in it:
Insert the user information into the users table:
Restart Apache. From now on, when the repository is accessed, Apache authenticates against the user information in the MySQL table.
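To make the three steps above concrete, here is an added example; it is not part of the original post and not code from mod_auth_mysql. It builds the users table the post configures (columns user_name, user_password, user_group) in an in-memory SQLite database, standing in for the MySQL svn database so that it runs offline, stores passwords in the form an AuthMySQLPwEncryption setting expects, and checks a login the way the post describes: the stored value must match under the configured mode, or the user is rejected. The hex-digest form for md5 and sha1, the sample accounts, and the function names are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Added example: SQLite stands in for the MySQL "svn" database so the code
# runs offline. Table and column names are the ones the post configures.
SCHEMA = """
CREATE TABLE users (
    user_name     VARCHAR(64) NOT NULL PRIMARY KEY,
    user_password VARCHAR(40) NOT NULL,
    user_group    VARCHAR(64)
);
"""


def hash_password(plain: str, encryption: str) -> str:
    """Stored form of a password for an AuthMySQLPwEncryption mode.

    Only modes computable with the standard library are covered; 'crypt',
    'scrambled' and 'aes' are left out. Treating md5/sha1 as lowercase hex
    digests (the same output as MySQL's MD5()/SHA1() functions) is an
    assumption of this example.
    """
    if encryption == "none":
        return plain
    if encryption == "md5":
        return hashlib.md5(plain.encode()).hexdigest()
    if encryption == "sha1":
        return hashlib.sha1(plain.encode()).hexdigest()
    raise ValueError(f"unsupported encryption mode: {encryption}")


def create_db(encryption: str = "md5") -> sqlite3.Connection:
    """Create the users table and fill it with constructed sample accounts."""
    sample = [("alice", "s3cret", "dev"), ("bob", "hunter2", "qa")]  # constructed
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO users (user_name, user_password, user_group) VALUES (?, ?, ?)",
        [(u, hash_password(p, encryption), g) for u, p, g in sample],
    )
    conn.commit()
    return conn


def authenticate(conn: sqlite3.Connection, user: str, password: str,
                 encryption: str = "md5") -> bool:
    """Look up the stored password for `user` and accept the login only if it
    matches under the configured encryption mode, as the post describes."""
    row = conn.execute(
        "SELECT user_password FROM users WHERE user_name = ?", (user,)
    ).fetchone()
    if row is None:
        return False
    stored = row[0]
    candidate = hash_password(password, encryption)
    # constant-time comparison; a length mismatch simply yields False
    return hmac.compare_digest(stored.encode(), candidate.encode())


if __name__ == "__main__":
    db = create_db("md5")
    print("alice/s3cret:", authenticate(db, "alice", "s3cret", "md5"))
    print("alice/wrong: ", authenticate(db, "alice", "wrong", "md5"))
```

The last check in the test below shows the rule the post states for AuthMySQLPwEncryption: a table populated for md5 rejects every login once the module is configured for sha1, because the stored values no longer match under that mode.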
====================================================================================================================================
All configuration options of the mod_auth_mysql module are listed below:
Description:
AuthMySQLEnable On | Off
Whether or not mod_auth_mysql should attempt to authorize the user.
Off: No authorization will be done by this module. (Authentication is not handled by mod_auth_mysql; it is done by the UserFile or some other mechanism.)
On: Attempt to authorize the user. (Let mod_auth_mysql handle authentication.)
AuthMySQLHost localhost | host_name_or_ip_address
Identifies the MySQL host.
AuthMySQLPort tcp/ip_port_number
The tcp/ip port which should be used to access MySQL. MySQL normally uses port 3306, but this can be changed in the MySQL configuration. See the MySQL documentation for more details.
AuthMySQLSocket full_path_to_socket_file
The UNIX socket which should be used to access MySQL host "localhost" on a UNIX system. The default is /tmp/mysql.sock, but this can be changed in the MySQL configuration. See the MySQL documentation for more details.
AuthMySQLUser userid
The userid to be used to access MySQL. This user must have SELECT access to the appropriate tables. As the password must be in plain text (see AuthMySQLPassword below), it is recommended you use a userid with limited privileges (do NOT use "root"!).
AuthMySQLPassword password
The password for the userid specified in AuthMySQLUser. And, as the password must be in plain text, it is recommended you use a userid with limited privileges (do NOT use "root"!).
AuthMySQLDB database_name
The name of the MySQL database containing the authorization information. On systems with case sensitive file systems (i.e. Unix), this field is case sensitive.
AuthMySQLUserTable mysql_table_name
The name of the MySQL table in AuthMySQLDB which contains the userids and passwords. On systems with case sensitive file systems (i.e. Unix), this field is case sensitive.
If this field contains two or more table names, you will need to join the tables in the AuthMySQLUserCondition (below).
AuthMySQLUserCondition condition
Additional conditions to be placed in the WHERE clause when retrieving user information. Whatever is in this string is appended after an AND condition in the SQL statement.
If two or more tables have been specified in the AuthMySQLUserTable option above, this option must contain the information required to join the tables.
AuthMySQLNameField mysql_column_name
The name of the column in AuthMySQLUserTable which contains the userids to be authenticated. The column must contain unique, non-empty values. Its length can be whatever you need. The column name itself is case sensitive.
Values in this column are case sensitive ONLY if you define the column as binary data (i.e. BINARY, VARBINARY, etc.). They are NOT case sensitive if the column is defined with character data (i.e. CHAR, VARCHAR). See the MySQL documentation for more information.
AuthMySQLPasswordField mysql_column_name
The name of the column in AuthMySQLUserTable which contains the passwords. This value is case sensitive. Its length may be as long as you want it to be for plaintext passwords. If the password is encrypted, the field must be long enough to contain the encrypted data. See AuthMySQLPwEncryption below.
Password values are case sensitive.
AuthMySQLNoPasswd Off
No password is required for this resource.
AuthMySQLPwEncryption none | crypt | scrambled | md5 | aes | sha1
The encryption type used for the passwords in AuthMySQLPasswordField:
none: not encrypted (plain text)
crypt: UNIX crypt() encryption
scrambled: MySQL PASSWORD encryption
md5: MD5 hashing
aes: Advanced Encryption Standard (AES) encryption
sha1: Secure Hash Algorithm (SHA1)
Password encryption method. Passwords encrypted in different ways can coexist in the database, but only a password stored in the method configured here is accepted; a password stored in any other method is rejected. This directive is required.
WARNING: When using aes encryption, the password field MUST be a BLOB type (i.e. TINYBLOB). MySQL will strip trailing x'20' characters (blanks), EVEN IF THE COLUMN TYPE IS BINARY!
AuthMySQLSaltField <> | <string> | mysql_column_name
Contains information on the salt field to be used for crypt and aes encryption methods. It can contain one of the following:
<>: password itself is the salt field (use with crypt() only)
<string>: "string" is used as the salt
mysql_column_name: the salt is taken from the mysql_column_name field in the same row as the password
This field is required for aes encryption, optional for crypt encryption. It is ignored for all other encryption types.
AuthMySQLGroupTable
Contains the name of the table with the group information when authorizing by groups (Apache option require group).
As with the AuthMySQLUserTable, you can specify two or more tables in this option, in which case you will need to join the tables in the AuthMySQLGroupCondition below.
AuthMySQLGroupCondition condition
Additional conditions to be placed in the WHERE clause when retrieving group information. Whatever is in this string is appended after an AND condition in the SQL statement.
If two or more tables have been specified in the AuthMySQLGroupTable option above, this option must contain the information required to join the tables.
AuthMySQLGroupField
This option contains the name of the column containing the group information when Apache group authorization is required. Values in the Apache require group option will be matched against the retrieved rows.
AuthMySQLKeepAlive On | Off
Indicates whether to keep the connection to MySQL open or close it after each request. Keeping the connection open can improve performance at the cost of the resources necessary to maintain the connection. If this is Off, the connection will be closed after each request.
Currently, only one connection to the server can have AuthMySQLKeepAlive on.
Note: This parameter currently does not work with Apache 2.x and is ignored. We are aware of the bug.
AuthMySQLAuthoritative On | Off
Used to indicate if other modules should be called when mod_auth_mysql is not able to authorize the user. If this is On, no other modules will be called and the request will fail. If this is off, Apache will attempt to use mod_auth and/or any other active modules to authorize the user.
AuthMySQLCharacterSet
Used to override the default character set for the connection. This parameter must specify a valid character set in MySQL. It is generally required only in MySQL 4.1 and above, where the character set encoding of the tables being used differs from the default specified in the MySQL configuration.
Additional Information
======================
AuthMySQLUserCondition and AuthMySQLGroupCondition
The optional directives AuthMySQLUserCondition and AuthMySQLGroupCondition can be used to restrict queries made against the User and Group tables. The value for each of these should be a string that you want added to the end of the where-clause when querying each table. For example, if your user table has an "active" field and you only want users to be able to log in if that field is 1, you could use a directive like this: AuthMySQLUserCondition active=1
You can specify parameters for system options. These parameters will be replaced by the appropriate values in the query. See Formats below.
Groups
A user can be a member of multiple groups, but in this case the user id field *cannot* be PRIMARY KEY. You need to have multiple rows with the same user ID, one per group to which that ID belongs. In this case, you MUST put the GroupTable on a separate table from the user table. This is to help prevent the user table from having inconsistent passwords in it. If each user is only in one group, then the group field can be in the same table as the password field. A group-only table might look like this:
Note that you still need a user table which has the passwords in it.
There are two options to using groups. You can put the "user_group" field into the same table as the user database if each user is in only one group, or you can have a separate table that contains the fields "user_name" and "user_group" if each user is a member of multiple groups.
If the user_group field is part of the full user table, the table has at least three fields: user_name, user_group, user_passwd. The user_name field must be the PRIMARY KEY of the user table containing the password. The htaccess file would be this:
If you have a separate database for groups, the two tables would be
user_info: user_name, user_passwd (user_name must be PRIMARY KEY)
user_group: user_name, user_group (user is not PRIMARY KEY, as we have multiple tuples for user_name,user_group to let a user be in multiple groups)
and htaccess would have this:
Assuming that the required group name is "admin".
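The two-table layout from the Groups section, together with the AuthMySQLUserCondition example from the previous section, as an added example that is not part of the original post and not code from mod_auth_mysql. It uses the user_info and user_group tables as laid out above (user_name is the primary key of user_info only, so a user can have several rows in user_group), adds an "active" column to user_info so that the condition active=1 can be shown, and models the check Apache would perform for "require group admin". SQLite stands in for MySQL so that it runs offline; how the module composes its SQL is assumed from the description above (the condition string is appended after an AND), and md5 hex digests, the sample rows and the function names are assumptions.

```python
import hashlib
import hmac
import sqlite3

# Added example: SQLite stands in for MySQL so the code runs offline.
# Layout from the Groups section, plus an "active" column for the
# AuthMySQLUserCondition example.
SCHEMA = """
CREATE TABLE user_info (
    user_name   VARCHAR(64) NOT NULL PRIMARY KEY,
    user_passwd VARCHAR(32) NOT NULL,
    active      INTEGER     NOT NULL DEFAULT 1
);
CREATE TABLE user_group (
    user_name  VARCHAR(64) NOT NULL,   -- deliberately NOT a primary key
    user_group VARCHAR(64) NOT NULL
);
"""


def md5_hex(plain: str) -> str:
    """Stored form for AuthMySQLPwEncryption md5 (hex digest, an assumption)."""
    return hashlib.md5(plain.encode()).hexdigest()


def create_db() -> sqlite3.Connection:
    """Create both tables and fill them with constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO user_info VALUES (?, ?, ?)", [
        ("alice", md5_hex("s3cret"), 1),   # constructed, active account
        ("bob", md5_hex("hunter2"), 0),    # constructed, disabled account
    ])
    conn.executemany("INSERT INTO user_group VALUES (?, ?)", [
        ("alice", "admin"),   # alice is in two groups: two rows
        ("alice", "dev"),
        ("bob", "admin"),
    ])
    conn.commit()
    return conn


def authorize(conn: sqlite3.Connection, user: str, password: str,
              required_groups=(), user_condition: str = None) -> bool:
    """Password check against user_info, narrowed by the AuthMySQLUserCondition
    string if one is set, followed by a group check against user_group in the
    spirit of `require group ...`. An empty required_groups behaves like
    `require valid-user`."""
    sql = "SELECT user_passwd FROM user_info WHERE user_name = ?"
    if user_condition:
        # As the page describes, the condition string is appended after AND.
        # It is administrator-written configuration, never request data.
        sql += " AND (" + user_condition + ")"
    row = conn.execute(sql, (user,)).fetchone()
    if row is None:
        return False
    if not hmac.compare_digest(row[0].encode(), md5_hex(password).encode()):
        return False
    if not required_groups:
        return True
    # One row per group membership; collect them all for this user.
    groups = {g for (g,) in conn.execute(
        "SELECT user_group FROM user_group WHERE user_name = ?", (user,))}
    return bool(groups & set(required_groups))


if __name__ == "__main__":
    db = create_db()
    print("alice in admin:", authorize(db, "alice", "s3cret", ("admin",)))
    print("bob in admin, active=1:",
          authorize(db, "bob", "hunter2", ("admin",), user_condition="active=1"))
```

Note that bob is a member of admin and has the right password, yet fails once the condition active=1 is in force: the condition narrows the user lookup before the password is even compared, which is exactly the effect the "active" example in the previous section is after.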
Multiple Tables
If you have user information stored in two (or more) different tables, you can join the tables like this:
Formats
=======
You can specify the following parameters in the AuthMySQLUserCondition and AuthMySQLGroupCondition clauses. They will be replaced by the appropriate values in the query.
These parameters can be used to further limit access. For instance, if you wish to limit users to a single ip address, you could add the following column to your user_info table:
ip_address VARCHAR (15)
You could then do something similar to this:
Example: combining user-file (UserFile) authentication with MySQL database authentication
<Location /repos/>
DAV svn
SVNListParentPath on
#SVNPath e:/svn/repos1
SVNParentPath e:/svn
AuthzSVNAccessFile E:/usr/Apache2.2/bin/accesspolicy.conf
Satisfy Any
Require valid-user
AuthType Basic
AuthName "MySQL Auth"
AuthMySQLEnable on
AuthMySQLPwEncryption md5
AuthMySQLAuthoritative off
AuthMySQLHost localhost
AuthMySQLUser svnslt
AuthMySQLPassword list
AuthMySQLDB svn_auth
AuthMySQLUserTable users
AuthMySQLNameField user_name
AuthMySQLPasswordField user_passwd
AuthMySQLGroupTable groups
AuthMySQLGroupField user_group
AuthUserFile E:/usr/Apache2.2/bin/passwd.conf
</Location>
Notes:
Users can be authenticated either by a user name in the database or by a user name in the file. If database authentication fails, the user file is consulted. It is best, however, to keep the user names in the user file and in the database consistent, so that neither becomes a single point of failure.
~ End ~
印第安
27 December 2007, 09:02:03
Updated 5 March 2008, 14:15:59: added the concrete steps.