AnyDBM
A general-purpose DBM library

AnyDBM and Apache

The former rdbm-lite package is now integrated into AnyDBM, and is the basis for mod_auth_rdbm (Remote DBM authentication) with the Apache Web Server. This provides a lightweight but highly scaleable and efficient module for HTTP Basic Authentication over a network. RDBM authentication is similar to DBM or DB authentication, with the added benefits that:

• Multiple webservers can share a user database, without the penalties of NFS.
• Database locking is not an issue. So, for example, allowing write access to the database from CGI programs is much simplified.

As against that are the drawbacks:

• There is no provision for User namespace, so mod_auth_rdbm is not well suited to multi-user (eg virtual hosting) environments. It is best-suited to large single-site servers.
• mod_auth_rdbm can open new security holes (any user with an RDBM Client can talk to your server). To avoid this, use tcp access control (eg with /etc/hosts.deny and hosts.allow) to restrict access. A much weaker alternative is security-by-obscurity: change RDBM_P in rdbm.const to something nobody will ever guess.

Programs

The following are available from this server:

1. mod_auth_rdbm - Apache module for networked authentication using an AnyDBM server
2. rdbmmanage - CGI/SSI program to manage a DBM

License

mod_auth_rdbm is available under the Apache license (in contrast to the AnyDBM package, which is under the GNU LGPL). Both are of course free software with NO WARRANTY.

Availability

mod_auth_rdbm and rdbmmanage are included in the AnyDBM distribution.

mod_auth_rdbm

mod_auth_rdbm is a module for the Apache webserver. It can be used with any underlying structure, provided you have an RPC server meeting the AnyDBM/RDBM spec. Implementations for NDBM, GDBM and Berkeley DB are included with the AnyDBM distribution.

The code of this module is based on, and mostly identical to, "mod_auth_dbm.c" from the 1.3b6 distribution. Note that building it with earlier Apache distributions requires the deletion of "ap_" from the front of many function names, and building with 1.2.x will require you to convert (or comment out) the error logging functions.

Configuration

rdbmmanage.cgi

This is a simple CGI program that permits users to create their own username/password entries in an RDBM database. It can be used as-is (embedded in your own HTML page as an SSI), or you can incorporate the main function pw_update() in your own registration program (actually pw_update() itself is 'distilled' from a server-specific registration program).

Operations permitted are new (add an entry) and delete (guess what ;-) The code for "update" is there, but it isn't included in the HTML Form.

CGI Arguments are:

action	new(default) / update / delete
name	username to create. Any non-alphanumeric characters are stripped out, and it is converted to lowercase. May be modified by trunc and digits arguments (below). The update and delete actions use REMOTE_USER and ignore name.
group	group for this user
password	If none is supplied, it generates a random 5-digit PIN.
trunc	maximum number of characters in name, above which it will be truncated.
digits	Causes a number to be appended to name for uniqueness. Example: user enters name "nick" with digits set to 3, a name like "nick471" will be generated and is guaranteed unique. If digits is unset, names will not be modified, and a duplicate name will generate an error.

Whilst none of these are required, you will need to supply at least one of name and action for the CGI to do anything sensible.