Man Page: httpauthd.conf(5)
httpauthd.conf(5) BSD File Formats Manual httpauthd.conf(5)
NAME
httpauthd.conf - the configuration file for httpauthd(8)
DESCRIPTION
httpauthd(8) reads its configuration from this file when starting up. It
contains global settings followed by the various authentication methods
and their settings.
SYNTAX
The settings are specified one per line. The setting name comes first
followed by a colon, and the value for that setting. Authentication
method sections are introduced by a '[method]' header on a line of its own.
Lines beginning with a # mark are comments. An example:
# Sample Configuration File
Socket: 0.0.0.0:8020
AuthTypes: Basic Digest
[Simple]
Alias: MyAuth
PasswordFile: /srv/passwd.file
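The syntax above is small enough to parse completely. The following Python is an added example, not code from httpauth: it reads the global section and the method sections, applies the global defaults described under METHOD OPTIONS, and reports the [ Required ] options a method section lacks. The configuration it parses is constructed for the example; treating method names case-insensitively, and an 'Alias:' line as equivalent to the '[Method:Name]' header form, are assumptions the page does not confirm.

```python
import re

# Constructed sample in the httpauthd.conf syntax: global settings first,
# then [Method] or [Method:Alias] sections; '#' lines are comments.
SAMPLE_CONF = """\
# Sample Configuration File
Socket: 0.0.0.0:8020
AuthTypes: Basic Digest
Realm: Example

[Simple]
Alias: MyAuth
PasswordFile: /srv/passwd.file

[LDAP:Staff]
LDAPServers: ldap1.example.net ldap2.example.net
LDAPDNMap: uid=%u,ou=people,dc=example,dc=net
Realm: Staff
"""

METHODS = ("LDAP", "NTLM", "MYSQL", "PGSQL", "Simple")

# METHOD OPTIONS that may also appear in the global section as defaults.
METHOD_DEFAULTS = ("AuthTypes", "CacheMax", "CacheTimeout",
                   "DigestIgnoreNC", "DigestIgnoreURI", "Realm")

# Options the man page marks [ Required ] per method.  LDAP is special:
# LDAPBase and LDAPFilter are required only when LDAPDNMap is absent.
REQUIRED = {
    "Simple": ("PasswordFile",),
    "LDAP": ("LDAPServers",),
    "NTLM": ("NTLMDomain", "NTLMServer"),
    "MYSQL": ("DBDatabase", "DBQuery"),
    "PGSQL": ("DBDatabase", "DBQuery"),
}

SECTION_RE = re.compile(r"\[\s*([^\]:]+?)\s*(?::\s*([^\]]+?)\s*)?\]$")


def parse_conf(text):
    """Parse httpauthd.conf text into (global_options, sections).

    Each section is a dict with 'method', 'name' (the alias, defaulting to
    the method name) and 'options'.  Method names are matched
    case-insensitively (assumption: the page does not say)."""
    global_opts, sections, current = {}, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = SECTION_RE.match(line)
        if m:
            method = next((k for k in METHODS if k.lower() == m.group(1).lower()), None)
            if method is None:
                raise ValueError(f"line {lineno}: unknown method {m.group(1)!r}")
            current = {"method": method, "name": m.group(2) or method, "options": {}}
            sections.append(current)
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected 'Name: value'")
        key, value = (part.strip() for part in line.split(":", 1))
        if current is None:
            global_opts[key] = value
        elif key == "Alias":
            # The SYNTAX example names a section with an 'Alias:' line;
            # treat it like the [Method:Name] header form (assumption).
            current["name"] = value
        else:
            current["options"][key] = value
    return global_opts, sections


def effective_options(section, global_opts):
    """Method options with global defaults applied: a value set in the
    section wins, otherwise a METHOD_DEFAULTS value from the global section."""
    merged = {k: v for k, v in global_opts.items() if k in METHOD_DEFAULTS}
    merged.update(section["options"])
    return merged


def missing_required(section):
    """Names of [ Required ] options the section does not set."""
    opts = section["options"]
    missing = [k for k in REQUIRED[section["method"]] if k not in opts]
    if section["method"] == "LDAP" and "LDAPDNMap" not in opts:
        missing += [k for k in ("LDAPBase", "LDAPFilter") if k not in opts]
    return missing


if __name__ == "__main__":
    g, secs = parse_conf(SAMPLE_CONF)
    print("global:", g)
    for s in secs:
        print(s["name"], effective_options(s, g), "missing:", missing_required(s))
```

Running it shows the Staff section inheriting AuthTypes from the global section while overriding Realm, and the check flags an LDAP section that has neither LDAPDNMap nor the LDAPBase/LDAPFilter pair.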
AUTHENTICATION METHODS
Methods are the various ways httpauthd can authenticate a user. A method
will use either LDAP, a file or some other means to determine if a user
is valid. The methods currently implemented are:
LDAP Authenticate against an LDAP server.
NTLM Authenticate via NTLM against a Windows Server.
MYSQL Authenticate against a MySQL database.
PGSQL Authenticate against a PostgreSQL database.
Simple Authenticate against a password file. For info on creating this
file see mkha1(8)
A method block in the configuration file needs to contain one of the
above method names as the header for its section (ie: [LDAP]). It can be
given another name by specifying an alias for it.
This allows for the creation of various configurations with purpose spe-
cific names. These names are used by callers of httpauthd(8) to identify
how to authenticate a given HTTP connection.
Aliases are created by putting a colon and a name after the section type,
like this:
[Simple:MyName]
GLOBAL OPTIONS
These options affect httpauthd as a whole. They should be placed before
the beginning of the first authentication method section. In addition
certain options can be placed in this section which affect all the
authentication methods. These are outlined under the METHOD OPTIONS head-
ing further below.
Socket This is where httpauthd listens for connections. It can either be
a unix domain socket, specified as a file path (eg:
/var/run/ha.sock), a port number (eg: 8030) or an IP address with
an optional port number (eg: 192.168.2.38:8200). If you specify an
IP address without a port, 8020 will be used. An address of
0.0.0.0 (as in the SYNTAX example) listens on every interface;
prefer the unix socket or a specific address unless remote
callers really need to reach the daemon.
[ Default: /var/run/httpauthd.sock ]
MaxThreads The maximum number of authentication connections that
httpauthd(8) will have open at once.
[ Default: 32 ]
METHOD OPTIONS
These options change settings in how the various methods handle authenti-
cation. When they appear after a method section, they only affect that
method. Most of them can also appear in the initial section of the config-
uration file, in which case they're used as defaults.
AuthTypes The allowed HTTP authentication types, separated by spaces. Any
combination of: Basic Digest NTLM
[ Default: Basic Digest NTLM ]
CacheMax The maximum number of successful authentication requests a
method can cache.
[ Default: 1024 ]
CacheTimeout The length of time in seconds that a successful authentica-
tion remains cached. How this exactly works depends on the
method it applies to.
[ Default: 900 ]
DigestIgnoreNC When set to True allows the nonce count (nc) value in Digest
authentication to be incorrect. The nonce count is what lets the
server tell a fresh Authorization header from a re-sent one, so
this opens up replay attacks.
[ Default: False ]
DigestIgnoreURI When set to True allows the uri value in a Digest
Authorization header to differ from the URI actually requested. The
response hash covers the uri field, not the request line, so a
header captured for one URI can then be replayed against another.
This may be necessary where the URI the client signs is not the
one the server sees.
[ Default: False ]
Realm The realm used in Basic and Digest authentication.
[ Default: (none) ]
SIMPLE METHOD OPTIONS
These are settings for the Simple authentication method. This method
authenticates against password hashes in a file.
PasswordFile The path of the file that contains the password hashes. This
file can be in either the format created by htpasswd(1) or
htdigest(1) (tools that come with apache). You can also use the
mkha1(8) tool that comes with httpauth.
[ Required ]
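To show what the DigestIgnoreNC and DigestIgnoreURI settings under METHOD OPTIONS actually relax, and what an htdigest(1)-format PasswordFile holds, here is an added Python example; it is not code from httpauth, and httpauthd's own verifier may differ in detail. It derives HA1 as MD5(user:realm:password) and the qop=auth response as in RFC 2617, reads a constructed htdigest-style file ('user:realm:HA1' per line), and runs a replayed header and a URI swap through strict and relaxed verifiers. The user names, passwords, nonce and URIs are made up for the example.

```python
import hashlib
import hmac


def md5hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user, realm, password):
    """The HA1 value that mkha1(8) and htdigest(1) store: MD5(user:realm:password)."""
    return md5hex(f"{user}:{realm}:{password}")


# Constructed htdigest(1)-style PasswordFile content: one 'user:realm:HA1' per line.
PASSWORD_FILE = (
    f"alice:Example:{ha1('alice', 'Example', 'correct horse')}\n"
    f"bob:Example:{ha1('bob', 'Example', 'hunter2')}\n"
)


def load_ha1s(text):
    """Map (user, realm) -> HA1 from htdigest-format lines."""
    table = {}
    for line in text.splitlines():
        if line.strip():
            user, realm, h = line.split(":", 2)
            table[(user, realm)] = h
    return table


def digest_response(h1, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_header(user, password, realm, method, uri, nonce, nc, cnonce):
    """The Authorization fields a client sends; the client derives HA1 from the cleartext password."""
    h1 = ha1(user, realm, password)
    return {"username": user, "realm": realm, "nonce": nonce, "uri": uri,
            "nc": nc, "cnonce": cnonce, "qop": "auth",
            "response": digest_response(h1, method, uri, nonce, nc, cnonce)}


class DigestVerifier:
    """Server-side check; ignore_nc / ignore_uri mirror DigestIgnoreNC / DigestIgnoreURI."""

    def __init__(self, table, realm, ignore_nc=False, ignore_uri=False):
        self.table, self.realm = table, realm
        self.ignore_nc, self.ignore_uri = ignore_nc, ignore_uri
        self.last_nc = {}  # nonce -> highest nonce count accepted so far

    def verify(self, params, request_method, request_uri):
        """Return (accepted, reason) for one Authorization header against the actual request."""
        if params.get("realm") != self.realm:
            return False, "realm mismatch"
        h1 = self.table.get((params.get("username"), self.realm))
        if h1 is None:
            return False, "unknown user"
        # The response hash covers the uri *field*; without this comparison a
        # header captured for one URI validates for any other (DigestIgnoreURI=True).
        if not self.ignore_uri and params.get("uri") != request_uri:
            return False, "uri mismatch"
        expected = digest_response(h1, request_method, params["uri"], params["nonce"],
                                   params["nc"], params["cnonce"], params.get("qop", "auth"))
        if not hmac.compare_digest(expected, params.get("response", "")):
            return False, "bad response"
        # The nonce count must increase on every use of a nonce; a re-sent header
        # carries an nc already seen, which DigestIgnoreNC=True stops catching.
        if not self.ignore_nc:
            nc = int(params["nc"], 16)
            if nc <= self.last_nc.get(params["nonce"], 0):
                return False, "nonce count replayed"
            self.last_nc[params["nonce"]] = nc
        return True, "ok"


def run_scenarios():
    """Exercise strict and relaxed settings; returns the reason string per scenario."""
    table = load_ha1s(PASSWORD_FILE)
    nonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093"  # constructed server nonce
    hdr = client_header("alice", "correct horse", "Example",
                        "GET", "/private/", nonce, "00000001", "0a4f113b")
    out = {}
    strict = DigestVerifier(table, "Example")
    out["first_use"] = strict.verify(hdr, "GET", "/private/")[1]
    out["replay_strict"] = strict.verify(dict(hdr), "GET", "/private/")[1]
    lax_nc = DigestVerifier(table, "Example", ignore_nc=True)
    lax_nc.verify(hdr, "GET", "/private/")
    out["replay_ignore_nc"] = lax_nc.verify(dict(hdr), "GET", "/private/")[1]
    # A header captured for /private/ presented with a request for /admin/.
    out["uri_strict"] = DigestVerifier(table, "Example").verify(hdr, "GET", "/admin/")[1]
    out["uri_ignored"] = DigestVerifier(table, "Example", ignore_uri=True).verify(hdr, "GET", "/admin/")[1]
    bad = client_header("alice", "wrong", "Example", "GET", "/private/", nonce, "00000002", "0a4f113b")
    out["wrong_password"] = strict.verify(bad, "GET", "/private/")[1]
    return out


if __name__ == "__main__":
    for name, reason in run_scenarios().items():
        print(f"{name:18} {reason}")
```

The same HA1 value is what LDAPHA1Attr and DBHA1Column point at in the LDAP and database methods: because the realm is hashed into it, the Realm setting sent to clients has to match the realm used when the hashes were made.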
LDAP METHOD OPTIONS
Settings for the LDAP authentication method. This method authenticates
users against an LDAP server.
LDAPBase The base DN to use in the search for a user. This only applies
when no LDAPDNMap is specified.
[ Required when LDAPDNMap is missing ]
LDAPDNMap Specifies the DN for a user name. The %u and %r flags can be
used in the DN, which will substitute the user and realm respec-
tively.
[ Optional ]
LDAPDoBind When performing Basic authentication, httpauthd can try to
bind to the LDAP server as the user in question. This allows
authentication even when httpauthd has no read access to the
user's password. Note that this does not apply to Digest authentica-
tion.
[ Default: True ]
LDAPFilter The LDAP filter to use when querying the server. The %u and %r
flags can be used in the filter, which will substitute the user
and realm respectively. When used without an LDAPDNMap this
filter identifies the LDAP entry for the user, so take care that
it matches exactly one entry.
[ Required when LDAPDNMap is missing ]
LDAPHA1Attr An HA1 is the MD5 digest of 'user:realm:password' that Digest
authentication works from. It can be stored in place of cleartext
passwords when doing Digest authentication. This setting specifies
the attribute on the LDAP server that the hash can be found in.
Use the mkha1(8) tool for creating HA1 hashes.
httpauthd(8) can perform both Basic and Digest authentication
against this attribute. Note that the realm is part of the hashed
input, so it must match the realm sent to the client in the
Realm setting.
[ Optional ]
LDAPMax The maximum number of connections to make to the LDAP server.
[ Default: 10 ]
LDAPPassword The password to use with LDAPUser.
[ Optional ]
LDAPPwAttr The name of the attribute on the LDAP server that contains the
user's password. It is used for Basic authentication (when
LDAPDoBind is off) or for Digest authentication. When used for
Digest authentication (and no LDAPHA1Attr is specified) it must
contain a cleartext password.
[ Default: userPassword ]
LDAPScope When searching the directory for a user (ie: LDAPDNMap is not
specified) this is the scope for the search. Specify one of the
following: sub base one
[ Default: sub ]
LDAPServers The host names or IP addresses of the LDAP servers to authen-
ticate against. Separated by spaces. More than one can be speci-
fied for failover capability.
[ Required ]
LDAPTimeout The timeout for searches on the LDAP server (in seconds).
[ Default: 30 ]
LDAPUser When specified httpauthd will bind as this user after connecting
to the LDAP server. This is useful in the case where anonymous
users can't perform LDAP searches, for example.
[ Optional ]
NTLM METHOD OPTIONS
Settings for the NTLM authentication method. This method authenticates
users against an NT domain server.
NTLMBackup The backup domain server to authenticate against. Used when
NTLMServer is not available.
[ Optional ]
NTLMDomain The domain which contains the users that will be authenti-
cated. This is the NT domain, not the DNS domain.
[ Required ]
NTLMServer The domain server to authenticate against. You should specify
a name here not an IP address.
[ Required ]
PendingMax The maximum number of half-authenticated NTLM connections
allowed. This corresponds directly to the number of concurrent
connections made to NTLMServer.
[ Default: 16 ]
PendingTimeout The maximum time a half-authenticated NTLM connection
is allowed to remain that way (in seconds).
[ Default: 20 ]
MYSQL AND PGSQL METHOD OPTIONS
Here are the options for the MYSQL and PGSQL handlers.
DBDatabase The database on the DB server to connect to.
[ Required ]
DBHA1Column The name of the column in DBQuery that contains the HA1 for
the user. An HA1 is the MD5 digest of 'user:realm:password' used by
Digest authentication; it can be stored in place of cleartext
passwords. Use the mkha1(8) tool for creating HA1 hashes.
[ Optional ]
DBMax The maximum number of connections to make to the database server.
[ Default: 10 ]
DBPassword The password for the DBUser option.
[ Optional ]
DBPort When connecting to the server via TCP this option specifies the
port to connect on.
[ Default: DB server's default port ]
DBPWColumn The name of the column in DBQuery that contains the password.
[ Default: First Column ]
DBPWType The type of password stored in the database. The options are:
clear crypt md5 sha1
[ Default: clear ]
DBQuery The query to execute when authenticating a user. The %u and %r
flags can be used in the query, which will substitute the user
and realm respectively. This should be a 'SELECT' type query or
another query that returns rows. The substituted user name is
whatever the HTTP client supplied, so connect as a read-only
database user that can reach nothing beyond the account table.
[ Required ]
DBServer The address to connect to the database at. It can either be an IP
address, host name, or unix domain socket path. If this option is not
specified then the default connection (see MYSQL or PGSQL docs)
will be used.
[ Optional ]
DBTimeout Time in seconds to wait for a connection to the DB server.
[ Default: 30 ]
DBUser The user to connect to the database as.
[ Default: DB's default user ]
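A complete configuration drawing the sections above together, added here as an illustration; it is not a file from the httpauth distribution. The host names, DNs, attribute and column names, file paths and credentials are assumed, as is the quoting of %u inside DBQuery. The AuthTypes choices follow the rules above: Digest needs either a cleartext password or an HA1, so sections that only have hashed or bind-only credentials are limited to Basic (or NTLM).

```ini
# Global section: loopback only, and the method-option defaults every
# section below inherits unless it overrides them.
Socket: 127.0.0.1:8020
MaxThreads: 32
AuthTypes: Basic Digest
CacheTimeout: 300
Realm: example.net

# Staff: the DN is derived from the user name, so no search is needed and
# LDAPBase/LDAPFilter are not required.  LDAPDoBind (default True) handles
# Basic by binding as the user; Digest uses the HA1 attribute, whose hashes
# must have been made with realm 'example.net' to match Realm above.
[LDAP:Staff]
LDAPServers: ldap1.example.net ldap2.example.net
LDAPDNMap: uid=%u,ou=People,dc=example,dc=net
LDAPHA1Attr: ha1Hash
LDAPMax: 4

# Contractors sit in several OUs, so they are found by a search run as a
# read-only service account; the filter must match exactly one entry.
# No HA1 attribute and no cleartext userPassword, so Basic only.
[LDAP:Contractors]
LDAPServers: ldap1.example.net
LDAPUser: cn=httpauth,ou=Services,dc=example,dc=net
LDAPPassword: CHANGE-ME
LDAPBase: ou=Contractors,dc=example,dc=net
LDAPScope: sub
LDAPFilter: (&(objectClass=person)(uid=%u))
AuthTypes: Basic

# Windows domain accounts.  NTLMServer takes a name, not an address.
[NTLM:Corp]
NTLMDomain: CORP
NTLMServer: dc1
NTLMBackup: dc2
PendingMax: 16
PendingTimeout: 20
AuthTypes: NTLM

# Web application accounts.  %u comes from the client's Authorization
# header, so the database user should be able to read this table only.
# Passwords are stored as sha1 hashes, which rules out Digest.
[MYSQL:WebUsers]
DBServer: localhost
DBDatabase: webapp
DBUser: httpauth_ro
DBPassword: CHANGE-ME
DBQuery: SELECT password FROM users WHERE username = '%u'
DBPWColumn: password
DBPWType: sha1
DBMax: 5
AuthTypes: Basic
Realm: webapp
```

Callers of httpauthd(8) then select a back end by its alias (Staff, Contractors, Corp or WebUsers) when asking the daemon to authenticate a connection.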
SEE ALSO
httpauthd(8)
AUTHOR
Stef Walter <stef@thewalter.net>
httpauth May 10, 2006 httpauth