Annotation of embedaddon/lighttpd/doc/outdated/authentication.txt, revision 1.1
====================
Using Authentication
====================

----------------
Module: mod_auth
----------------

:Author: Jan Kneschke
:Date: $Date$
:Revision: $Revision$

:abstract:
  The auth module provides ...

.. meta::
  :keywords: lighttpd, authentication

.. contents:: Table of Contents

Description
===========

Supported Methods
-----------------

lighttpd supports both authentication methods described by
RFC 2617:

basic
`````

The Basic method transfers the username and the password in
cleartext over the network (only base64 encoded) and might result
in security problems if not used in conjunction with an encrypted
channel between client and server.

digest
``````

The Digest method only transfers a hashed value over the
network, which goes a long way towards hardening the
authentication process on insecure networks.

Backends
--------

Depending on the method, lighttpd provides various ways to store
the credentials used for the authentication.

for basic auth:

- plain_
- htpasswd_
- htdigest_
- ldap_

for digest auth:

- plain_
- htdigest_


plain
`````

A file which contains the username and the cleartext password
separated by a colon. Each entry is terminated by a single
newline. ::

  e.g.:
  agent007:secret


htpasswd
````````

A file which contains the username and the crypt()'ed password
separated by a colon. Each entry is terminated by a single
newline. ::

  e.g.:
  agent007:XWY5JwrAVBXsQ

You can use htpasswd from the apache distribution to manage
those files. ::

  $ htpasswd lighttpd.user.htpasswd agent007


htdigest
````````

A file which contains the username, the realm and the md5()'ed
password separated by a colon. Each entry is terminated
by a single newline. ::

  e.g.:
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65

You can use htdigest from the apache distribution to manage
those files. ::

  $ htdigest lighttpd.user.htdigest 'download area' agent007

The password hash can also be generated with md5sum: ::

  #!/bin/sh
  # usage: htdigest.sh <user> <realm> <password>
  user=$1
  realm=$2
  pass=$3

  # printf instead of 'echo -n': not every /bin/sh honours -n
  hash=$(printf '%s' "$user:$realm:$pass" | md5sum | cut -b -32)

  echo "$user:$realm:$hash"

To use it: ::

  $ htdigest.sh 'agent007' 'download area' 'secret'
  agent007:download area:8364d0044ef57b3defcfa141e8f77b65



ldap
````

The ldap backend performs the following steps to
authenticate a user:

1. connect anonymously (at plugin init)
2. get the DN for filter = username
3. authenticate against the ldap server
4. disconnect

If all 4 steps are performed without any error, the user is
authenticated.

Configuration
=============

::

  ## debugging
  # 0 for off, 1 for 'auth-ok' messages, 2 for verbose debugging
  auth.debug = 0

  ## type of backend
  # plain, htpasswd, ldap or htdigest
  auth.backend = "htpasswd"

  # filename of the password storage for
  # plain
  auth.backend.plain.userfile = "lighttpd-plain.user"

  ## for htpasswd
  auth.backend.htpasswd.userfile = "lighttpd-htpasswd.user"

  ## for htdigest
  auth.backend.htdigest.userfile = "lighttpd-htdigest.user"

  ## for ldap
  # the $ in auth.backend.ldap.filter is replaced by the
  # 'username' from the login dialog
  auth.backend.ldap.hostname = "localhost"
  auth.backend.ldap.base-dn = "dc=my-domain,dc=com"
  auth.backend.ldap.filter = "(uid=$)"
  # if enabled, startTLS needs a valid (base64-encoded) CA
  # certificate
  auth.backend.ldap.starttls = "enable"
  auth.backend.ldap.ca-file = "/etc/CAcertificate.pem"

  ## restrictions
  # set restrictions:
  #
  # ( <left-part-of-the-url> =>
  #   ( "method" => "digest"/"basic",
  #     "realm" => <realm>,
  #     "require" => "user=<username>" )
  # )
  #
  # <realm> is a string to display in the dialog
  # presented to the user and is also used for the
  # digest-algorithm and has to match the realm in the
  # htdigest file (if used)
  #

  auth.require = ( "/download/" =>
                   (
                     "method" => "digest",
                     "realm" => "download archiv",
                     "require" => "user=agent007|user=agent008"
                   ),
                   "/server-info" =>
                   (
                     "method" => "digest",
                     "realm" => "download archiv",
                     "require" => "valid-user"
                   )
                 )

Limitations
============

- The implementation of the digest method is currently not
  completely compliant with the standard, as it still allows
  a replay attack.
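The Digest exchange described under "Supported Methods", the HA1 value the htdigest backend stores, and the replay weakness listed under Limitations, worked through as an added example (not lighttpd's code): the server verifies a client's response using only the stored md5(user:realm:password), and refuses a re-sent Authorization header by requiring a strictly increasing nonce count per nonce. The `DigestVerifier` class, the sample nonce, cnonce and URI, and the constructed htdigest line are assumptions made for the illustration; validating that the nonce was issued by the server is left out.

```python
import hashlib
import hmac

def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()

def ha1(user: str, realm: str, password: str) -> str:
    # Same value the page's htdigest.sh writes into the htdigest file.
    return md5hex(f"{user}:{realm}:{password}")

def parse_htdigest(text: str) -> dict:
    # 'user:realm:hash' per line -> {(user, realm): hash}
    store = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, digest = line.split(":", 2)
            store[(user, realm)] = digest
    return store

def client_response(user, realm, password, method, uri, nonce, nc, cnonce):
    # Computed by the browser (RFC 2617, qop=auth); the only place the
    # cleartext password is used.
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1(user, realm, password)}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

class DigestVerifier:
    def __init__(self, store: dict):
        self.store = store
        self.seen = {}  # nonce -> highest nonce-count already accepted

    def verify(self, user, realm, method, uri, nonce, nc, cnonce, response):
        stored = self.store.get((user, realm))   # HA1 from the htdigest file
        if stored is None:
            return False
        ha2 = md5hex(f"{method}:{uri}")
        expected = md5hex(f"{stored}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
        if not hmac.compare_digest(expected, response):
            return False
        # Replay guard: a captured Authorization header carries an nc the
        # server has already accepted for that nonce, so it is rejected.
        if int(nc, 16) <= self.seen.get(nonce, 0):
            return False
        self.seen[nonce] = int(nc, 16)
        return True

# Constructed sample store, equivalent to the output of the page's htdigest.sh.
HTDIGEST_FILE = "agent007:download area:" + ha1("agent007", "download area", "secret") + "\n"
```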