10.4. Variations on a theme of user identification

What we described in the previous section is a way to provide user-authenticated access control. We used the Basic protocol and simple text files to store the userids, passwords and groups.

The Basic protocol can be replaced with the Digest protocol. This is provided by the module auth_digest_module, loaded from mod_auth_digest.so.

LoadModule      auth_digest_module     /usr/lib/apache2/mod_auth_digest.so
LoadModule      authn_file_module      /usr/lib/apache2/mod_authn_file.so
LoadModule      authz_user_module      /usr/lib/apache2/mod_authz_user.so
LoadModule      authz_groupfile_module /usr/lib/apache2/mod_authz_groupfile.so

<Directory /srv/www/WWW/bestiary>
  AuthType      Digest
  AuthName      "Restricted area"
  AuthDigestDomain /
  AuthUserFile  /etc/apache2/access/digest_password
  AuthGroupFile /etc/apache2/access/group
  Require       group managers
</Directory>

The password file is replaced with one that has a different structure, but the group file is the same as it was before.


$ touch /etc/apache2/access/digest_password
$ htdigest /etc/apache2/access/digest_password "Restricted area" bob
Adding user bob in realm Restricted area
New password: password
Re-type new password: password
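
Each line of the digest password file created above has the form user:realm:hash, where the hash is the hex MD5 of "user:realm:password", so an entry only works when its realm matches AuthName exactly. The Python check below is an added example, not part of the original tutorial; the function names and the alice entry are constructed for illustration.

```python
import hashlib
import hmac


def ha1(user, realm, password):
    """Value htdigest stores: hex MD5 of "user:realm:password"."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def parse_digest_file(text):
    """Return {(user, realm): hash}. Each line is user:realm:hash."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            # User names cannot contain ':'; split the hash off the right
            # so a ':' inside the realm is preserved.
            user, rest = line.split(":", 1)
            realm, digest = rest.rsplit(":", 1)
        except ValueError:
            raise ValueError(f"line {lineno}: expected user:realm:hash")
        entries[(user, realm)] = digest.strip().lower()
    return entries


def check_password(entries, user, realm, password):
    """True if the password matches the entry stored for this exact realm."""
    stored = entries.get((user, realm))
    return stored is not None and hmac.compare_digest(stored, ha1(user, realm, password))


def realm_mismatches(entries, auth_name):
    """Users with no entry for the AuthName realm, so they can never log in."""
    usable = {u for (u, r) in entries if r == auth_name}
    return sorted({u for (u, r) in entries if u not in usable})


# Constructed sample file: bob as created above, alice under a mistyped realm.
SAMPLE = "\n".join([
    "bob:Restricted area:" + ha1("bob", "Restricted area", "password"),
    "alice:restricted area:" + ha1("alice", "restricted area", "s3cret"),
])

if __name__ == "__main__":
    entries = parse_digest_file(SAMPLE)
    print(check_password(entries, "bob", "Restricted area", "password"))
    print(realm_mismatches(entries, "Restricted area"))
```

Because the stored hash is all a client needs to compute a valid Digest response for that realm, keep the file readable only by the web server user and administrators.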

The other issue we mentioned was that text files were used to hold the users, passwords and groups. For a small number of users this is fine, but if your users number in the thousands you may want to consider alternatives that are faster to search. Alternatively, you may already have an LDAP authentication mechanism and want to use that. A series of other modules exists for providing authentication with passwords and groups held in other formats.