The default authentication scheme in limbas is HTTP Basic Access Authentication. Unless the connection is encrypted (TLS/SSL, or an SSH tunnel) the credentials therefore travel in clear text on each and every request: they are Base64 encoded, but NOT encrypted. http://tools.ietf.org/html/rfc2617
HTTP Basic Access Authentication can also be handled in PHP (since 5.1.0 also Digest), but the script then has to protect itself against SQL injection and similar attacks. http://php.net/manual/en/features.http-auth.php
After applying the following modifications ALL passwords stored in lmb_userdb are invalid, because the passwort column must then contain the Digest hash md5('{username}:{realm}:{password}') that Apache compares against. Be sure to have access to that table so that you can reset the password for the Administrator (see the UPDATE statement under Database modifications). The authentication realm occurs three times and must be byte-for-byte identical: in both AuthName directives and between the colons of the SQL UPDATE statement; a single differing space or character produces a hash that never matches. Note also that this stored hash is not a one-way protection of the password for this realm: whoever can read passwort can answer a Digest challenge with it directly, so SELECT on lmb_userdb should be granted only to the database role Apache connects with.
Apache Configuration
The virtual host also serves a Subversion repository under /svn that is protected with the same realm and the same lmb_userdb credentials (single sign-on between limbas and SVN).
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot /opt/openlimbas/dependent

    # mod_dbd connection pool, shared by both authentication sections below
    DBDriver pgsql
    DBDParams "dbname=limbas user=wwwrun password=wwwrunpasswd"
    DBDMin 4
    DBDKeep 8
    DBDMax 10
    DBDExptime 300

    <Directory /opt/openlimbas/dependent>
        Options FollowSymlinks
        # a logout=1 parameter anywhere in the query string is redirected to /logout.php,
        # which is also served for every 401 so the browser drops its cached credentials
        RewriteEngine On
        RewriteCond %{QUERY_STRING} (.*&)?(logout=1)(&.*)?
        RewriteRule (.*) /logout.php? [R,L]
        ErrorDocument 401 /logout.php
        Order Allow,Deny
        Allow from All
        # realm: must be identical here, in the /svn section and in the UPDATE statement
        AuthType Digest
        AuthName "ACME Ltd. - bitJournal"
        AuthDigestProvider dbd
        # %s is the username; only the first column of the first row (the HA1 hash) is used
        AuthDBDUserRealmQuery "SELECT passwort, EXTRACT(EPOCH FROM NOW()) AS TIME FROM lmb_userdb WHERE username = %s AND (VALIDDATE >= CURRENT_TIMESTAMP OR VALID = FALSE) AND lock = FALSE AND del = FALSE;"
        Require valid-user
    </Directory>

    <Location /svn>
        DAV svn
        SVNReposName bitJournal
        SVNPath /srv/svn/repos/openlimbas
        AuthzSVNAccessFile /srv/svn/authz
        AuthType Digest
        AuthName "ACME Ltd. - bitJournal"
        AuthDigestProvider dbd
        AuthDBDUserRealmQuery "SELECT passwort FROM lmb_userdb WHERE username = %s AND (VALIDDATE >= CURRENT_TIMESTAMP OR VALID = FALSE) AND lock = FALSE AND del = FALSE;"
        Require valid-user
    </Location>
</VirtualHost>
Database modifications
-- group role that only holds the read privilege Apache needs
CREATE ROLE www NOSUPERUSER NOINHERIT NOCREATEDB NOCREATEROLE;
GRANT SELECT ON TABLE lmb_userdb TO www;
-- login role used in DBDParams; it must INHERIT (the default) so that membership in www
-- actually gives it SELECT on lmb_userdb without a SET ROLE, which mod_dbd never issues
CREATE ROLE wwwrun LOGIN PASSWORD 'wwwrunpasswd' NOSUPERUSER NOCREATEDB NOCREATEROLE;
GRANT www TO wwwrun;
-- reset the Administrator password: {username}:{realm}:{password};
-- the realm between the colons must equal AuthName "ACME Ltd. - bitJournal" exactly
UPDATE lmb_userdb SET passwort = md5('admin:ACME Ltd. - bitJournal:limbas') WHERE user_id = 1;
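The following is an added example and is not code from limbas or from the Apache modules configured above. It reproduces in Python the arithmetic behind the UPDATE statement (HA1 = md5('{username}:{realm}:{password}')) and the check mod_auth_digest performs against that stored value, including the qop=auth form current browsers send, so that two consequences of the setup can be seen directly: a hash made with the realm written as 'ACME Ltd.-bitJournal' instead of the AuthName value 'ACME Ltd. - bitJournal' never verifies, and the stored HA1 by itself is enough to answer a challenge. All usernames, passwords, nonces and URIs are constructed sample values; parse_authorization and server_verify are simplified stand-ins for the module's own code (no nonce freshness, opaque or nonce-count checks).

```python
"""Added example: Digest HA1 storage and verification as used by the page's setup.
Not limbas or Apache code; sample users, passwords, nonces and URIs are constructed."""
import hashlib
import hmac
import re
from typing import Optional, Tuple

REALM = "ACME Ltd. - bitJournal"  # must equal both AuthName directives exactly


def md5_hex(data: str) -> str:
    return hashlib.md5(data.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """The value the page's UPDATE statement stores in lmb_userdb.passwort."""
    return md5_hex(f"{username}:{realm}:{password}")


def digest_response(ha1_hex: str, method: str, uri: str, nonce: str,
                    qop: Optional[str] = None, nc: str = "", cnonce: str = "") -> str:
    """RFC 2617 'response' value, computed from HA1 only (the password is never needed).
    Without qop: md5(HA1:nonce:HA2); with qop=auth: md5(HA1:nonce:nc:cnonce:qop:HA2),
    where HA2 = md5(method:uri)."""
    ha2 = md5_hex(f"{method}:{uri}")
    if qop is None:
        return md5_hex(f"{ha1_hex}:{nonce}:{ha2}")
    return md5_hex(f"{ha1_hex}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_authorization(header: str) -> dict:
    """Split 'Digest k="v", k2=v2, ...' into a dict (quoted and bare values both occur)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM.finditer(params)}


def build_authorization(username: str, realm: str, password: str, method: str, uri: str,
                        nonce: str, qop: str = "auth", nc: str = "00000001",
                        cnonce: str = "0a4f113b") -> str:
    """What a browser sends after the 401 challenge; it derives HA1 from the typed password."""
    resp = digest_response(ha1(username, realm, password), method, uri, nonce, qop, nc, cnonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def server_verify(stored_ha1: str, method: str, header: str, expected_realm: str = REALM) -> bool:
    """Server side: the realm must be the configured one, then the response is
    recomputed from the stored HA1 and compared in constant time."""
    p = parse_authorization(header)
    if p.get("realm") != expected_realm:
        return False
    expected = digest_response(stored_ha1, method, p["uri"], p["nonce"],
                               p.get("qop"), p.get("nc", ""), p.get("cnonce", ""))
    return hmac.compare_digest(expected, p.get("response", ""))


def demo() -> Tuple[bool, bool, bool]:
    """Returns (correct realm verifies, realm without spaces fails, HA1 alone suffices)."""
    user, password = "admin", "limbas"                 # constructed, as in the UPDATE
    nonce, uri = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "/index.php"  # constructed
    stored = ha1(user, REALM, password)                # row value after the UPDATE
    good = server_verify(stored, "GET", build_authorization(user, REALM, password, "GET", uri, nonce))
    # Same user and password, but the hash was made with 'ACME Ltd.-bitJournal' (no spaces):
    # the browser always uses the AuthName realm, so the recomputed response never matches.
    stored_wrong_realm = ha1(user, "ACME Ltd.-bitJournal", password)
    bad = server_verify(stored_wrong_realm, "GET",
                        build_authorization(user, REALM, password, "GET", uri, nonce))
    # Anyone who can SELECT passwort from lmb_userdb never needs to know 'limbas':
    forged = digest_response(stored, "GET", uri, nonce, "auth", "00000001", "0a4f113b")
    header = (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
              f'qop=auth, nc=00000001, cnonce="0a4f113b", response="{forged}"')
    return good, bad, server_verify(stored, "GET", header)


if __name__ == "__main__":
    print(demo())
```

demo() returns (True, False, True): the realm-mismatched hash is refused even though user and password are right, and a response forged from the stored HA1 alone is accepted. This is why the page's advice to grant SELECT on lmb_userdb only to a dedicated role matters, and why the table should be treated like a password file.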
There is no universal way to log out of an HTTP-Auth session; the behaviour is very browser dependent, which is why the configuration above redirects logout=1 to /logout.php and serves that page as the 401 error document. http://www.berenddeboer.net/rest/authentication.html
The Apache HTTP Server can check Digest credentials against an SQL database using the modules mod_dbd, mod_auth_digest and mod_authn_dbd. Digest keeps the password itself off the wire, but it is MD5-based (a captured challenge/response can be attacked offline with a dictionary) and protects nothing else in the request, so TLS is still advisable. http://httpd.apache.org/docs/2.2/mod/mod_authn_dbd.html
file system modifications
Source code modifications
Note on the SQL statement CREATE ROLE wwwrun: this role must not be created with NOINHERIT (drop the option, or write INHERIT, which is the default). With NOINHERIT, wwwrun does not automatically receive the SELECT privilege granted to www through GRANT www TO wwwrun; it would first have to issue SET ROLE www, which Apache's mod_dbd never does, so every AuthDBDUserRealmQuery fails with a permission error and nobody can log in.