Apache-LoggedAuthDBI

 view release on metacpan or  search on metacpan

AuthDBI.pm  view on Meta::CPAN


In case of 'valid-user' the request is accepted. 

In case of one or more user-names, they are compared with the given user-name 
until the first match. 

In case of one or more group-names, all groups of the given username are 
looked up in the cache. If the cache is not configured or if the user is not 
found in the cache, or if the requested group does not match the cached group, 
the groups are requested from the database. A comma separated list of all 
these groups is put into the environment variable REMOTE_GROUPS. Then these 
groups are compared with the required groups until the first match. 

If there is no match and the authoritative directive is set to 'on' the 
request is rejected. 

In case the authorization succeeds, the environment variable REMOTE_GROUP is 
set to the group name, which can be used by user scripts without accessing
the database again.

The SQL-select used for retrieving the groups is as follows (depending upon 
the existence of a grp_table): 

 SELECT grp_field FROM pwd_table WHERE uid_field = user
 SELECT grp_field FROM grp_table WHERE uid_field = user

This way the group-information can either be held in the main users table, or 
in an extra table, if there is an m:n relationship between users and groups. 
From all selected groups a comma-separated list is build, which is compared 
with the required groups. If you don't like normalized group records you can 
put such a comma-separated list of groups (no spaces) into the grp_field 
instead of single groups. 

If a grp_whereclause exists, it is appended to the SQL-select.

Cache:

The module maintains an optional cash for all passwords/groups. See the
method setCacheTime(n) on how to enable the cache. Every server has it's 
own cache. Optionally the cache can be put into a shared memory segment, 
so that it can be shared among all servers. See the CONFIGURATION section 
on how to enable the usage of shared memory. 

In order to prevent the cache from growing indefinitely a CleanupHandler can 
be initialized, which skips through the cache and deletes all outdated entries.
This can be done once per request after sending the response, hence without 
slowing down response time to the client. The minimum time between two successive 
runs of the CleanupHandler is configurable (see the CONFIGURATION section). The 
default is 0, which runs the CleanupHandler after every request. 

 
=head1 LIST OF TOKENS

=item *
Auth_DBI_data_source (Authentication and Authorization)

The data_source value has the syntax 'dbi:driver:dsn'. This parameter is 
passed to the database driver for processing during connect. The data_source 
parameter (as well as the username and the password parameters) may be a 
tilde ('~') separated list of several data_sources. All of these triples will 
be used until a successful connect is made. This way several backup-servers can 
be configured. if you want to use the environment variable DBI_DSN instead of 
a data_source, do not specify this parameter at all. 

=item *
Auth_DBI_username (Authentication and Authorization)

The username argument is passed to the database driver for processing during 
connect. This parameter may be a tilde ('~') separated list. See the data_source 
parameter above for the usage of a list. 

=item *
Auth_DBI_password (Authentication and Authorization)

The password argument is passed to the database driver for processing during 
connect. This parameter may be a tilde ('~')  separated list. See the data_source 
parameter above for the usage of a list. 

=item *
Auth_DBI_pwd_table (Authentication and Authorization)

Contains at least the fields with the username and the (possibly encrypted) 
password. The username should be unique. 

=item *
Auth_DBI_uid_field (Authentication and Authorization)

Field name containing the username in the Auth_DBI_pwd_table. 

=item *
Auth_DBI_pwd_field (Authentication only)

Field name containing the password in the Auth_DBI_pwd_table. 

=item *
Auth_DBI_pwd_whereclause (Authentication only)

Use this option for specifying more constraints to the SQL-select.

=item *
Auth_DBI_grp_table (Authorization only)

Contains at least the fields with the username and the groupname. 

=item *
Auth_DBI_grp_field (Authorization only)

Field-name containing the groupname in the Auth_DBI_grp_table. 

=item *
Auth_DBI_grp_whereclause (Authorization only)

Use this option for specifying more constraints to the SQL-select.

=item *
Auth_DBI_log_field (Authentication only)

Field name containing the log string in the Auth_DBI_pwd_table. 

=item *
Auth_DBI_log_string (Authentication only)



( run in 1.458 second using v1.01-cache-2.11-cpan-d06a3f9ecfd )