path: root/docs/manual/mod/mod_authn_file.xml
blob: 111a77135255424349db3ad31d60dc120e28d4fb (plain)
<?xml version="1.0"?>
<!DOCTYPE modulesynopsis SYSTEM "../style/modulesynopsis.dtd">
<?xml-stylesheet type="text/xsl" href="../style/manual.en.xsl"?>
<modulesynopsis metafile="mod_authn_file.xml.meta">

<name>mod_authn_file</name>
<description>User authentication using text files</description>
<status>Base</status>
<sourcefile>mod_authn_file.c</sourcefile>
<identifier>authn_file_module</identifier>
<compatibility>Available in Apache 2.1 and later</compatibility>

<summary>
    <p>This module allows authentication front-ends such as
    <module>mod_auth_digest</module> and <module>mod_auth_basic</module>
    to authenticate users by looking them up in plain text password files.
    Similar functionality is provided by <module>mod_authn_dbm</module>.</p>

    <p>When using <module>mod_auth_basic</module> or
    <module>mod_auth_digest</module>, this module is invoked via the
    <directive module="mod_auth_basic">AuthBasicProvider</directive> or
    <directive module="mod_auth_digest">AuthDigestProvider</directive>
    with the <code>file</code> value.</p>
</summary>
<seealso>
  <directive module="mod_auth_basic">AuthBasicProvider</directive>
</seealso>
<seealso>
  <directive module="mod_auth_digest">AuthDigestProvider</directive>
</seealso>
<seealso><a href="../programs/htpasswd.html">htpasswd</a></seealso>
<seealso><a href="../programs/htdigest.html">htdigest</a></seealso>
 
<directivesynopsis>
<name>AuthUserFile</name>
<description>Sets the name of a text file containing the list of users and
passwords for authentication</description>
<syntax>AuthUserFile <var>file-path</var></syntax>
<contextlist><context>directory</context><context>.htaccess</context>
</contextlist>
<override>AuthConfig</override>

<usage>
    <p>The <directive>AuthUserFile</directive> directive sets the name
    of a textual file containing the list of users and passwords for
    user authentication. <var>File-path</var> is the path to the user
    file. If it is not absolute, it is treated as relative to the
    <directive module="core">ServerRoot</directive>.</p>

    <p>Each line of the user file contains a username followed by
    a colon, followed by the encrypted password. If the same user
    ID is defined multiple times, <module>mod_authn_file</module> will
    use the first occurrence to verify the password.</p>

    <p>The utility <a href="../programs/htpasswd.html">htpasswd</a>,
    which is installed as part of the binary distribution or
    can be found in <code>src/support</code>, is used to maintain
    the password file for <em>HTTP Basic Authentication</em>. See the
    <a href="../programs/htpasswd.html">man page</a> for more details.
    In short:</p>

    <p>Create a password file <code>Filename</code> with
    <code>username</code> as the initial ID. It will prompt for
    the password:</p>

    <example>
      htpasswd -c Filename username
    </example>

    <p>Add or modify <code>username2</code> in the password file
    <code>Filename</code>:</p>

    <example>
      htpasswd Filename username2
    </example>

    <p>Note that searching large text files is <em>very</em>
    inefficient; <directive
    module="mod_authn_dbm">AuthDBMUserFile</directive> should be used
    instead.</p>

    <p>If you are using <em>HTTP Digest Authentication</em>, the <a
    href="../programs/htpasswd.html">htpasswd</a> tool is not sufficient.
    You have to use <a href="../programs/htdigest.html">htdigest</a>
    instead. Note that you cannot mix user data for Digest Authentication
    and Basic Authentication within the same file.</p>

    <note type="warning"><title>Security</title>
      <p>Make sure that the <directive>AuthUserFile</directive> is
      stored outside the document tree of the web server. Do
      <strong>not</strong> put it in the directory that it protects.
      Otherwise, clients may be able to download the
      <directive>AuthUserFile</directive>.</p>
    </note>
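
    <p>The following audit script is an added example, not part of the
    original manual or of the httpd sources. It checks the rules stated
    above for a Basic Authentication user file: relative paths resolve
    against ServerRoot, the file must sit outside the document tree,
    htdigest-style lines must not be mixed in, and only the first entry
    for a user ID is used. The function name, finding labels and sample
    data are assumptions made for illustration.</p>

```python
import tempfile
from pathlib import Path


def audit_user_file(user_file, document_root, server_root):
    """Return findings for a Basic-auth AuthUserFile (hypothetical helper)."""
    # A relative file-path is resolved against ServerRoot; absolute paths win.
    path = (Path(server_root) / user_file).resolve()
    docroot = Path(document_root).resolve()
    findings = []
    if docroot in path.parents:
        # A file under the document tree may be downloadable by clients.
        findings.append(("inside-document-tree", 0, path.name))
    first_seen = set()
    for lineno, line in enumerate(path.read_text().splitlines(), 1):
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        fields = line.split(":")
        user = fields[0]
        if len(fields) == 3:
            # user:realm:hash is htdigest output and cannot share a Basic file.
            findings.append(("digest-format-line", lineno, user))
        elif len(fields) != 2 or not user or not fields[1]:
            findings.append(("malformed-line", lineno, user))
        if user in first_seen:
            # Only the first occurrence is used, so this entry is never checked.
            findings.append(("shadowed-duplicate", lineno, user))
        first_seen.add(user)
    return findings


# Constructed sample data: placeholder strings, not real htpasswd output.
SAMPLE = "\n".join([
    "# staff accounts",
    "alice:PLACEHOLDER_HASH_1",
    "bob:PLACEHOLDER_HASH_2",
    "carol:Private Area:PLACEHOLDER_DIGEST",
    "alice:PLACEHOLDER_HASH_3",
]) + "\n"


def demo():
    """Audit the sample inside and outside a temporary document tree."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("htdocs/private/.htpasswd", "conf/passwd"):
            target = Path(root, rel)
            target.parent.mkdir(parents=True)
            target.write_text(SAMPLE)
        docroot = Path(root, "htdocs")
        return (audit_user_file("htdocs/private/.htpasswd", docroot, root),
                audit_user_file("conf/passwd", docroot, root))
```

    <p>A shadowed duplicate usually means a password change was appended
    rather than applied, so the older password on the first line is still
    the one being accepted.</p>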
</usage>
</directivesynopsis>

</modulesynopsis>