Apache patch P14
DBM Files for User Authentication

First appears in Apache 0.4

Date:
March '95 ish

Purpose
It dramatically reduces the lookup time for a password for areas under user authentication, where the user database is larger than a couple hundred entries. This is what HotWired uses for its 150,000+ user database.

Old behaviour
User/password lookups would search through a flat file - if that flat file grew to more than a couple hundred entries, that search would take an unacceptably long time.

New behaviour
DBM files, native to most Unix platforms, are an implementation of a self-maintaining hash table, where a given key maps to a stored value. DBM files are not ASCII, and not portable between operating systems, but there is a Perl tool called "dbmmanage" in the /support directory included with the Apache distribution to modify and view DBM files (and even add a user, automatically encrypting their password). Apache's version uses the "ndbm" library - there are other libraries, but this was chosen as it's the one implemented on most systems and the one Perl uses by default when binding a DBM file to an associative array. Be sure you are using ndbm and not GNU's "gdbm" if you run into trouble.

On some systems, when you open a DBM file named "filename", it will actually create two files, "filename.dir" and "filename.pag". Other systems will create a "filename.db". For the purposes of this documentation, when we refer to a DBM filename, it's to the root name, i.e. "filename". The "keys" of the DBM file are the usernames, and the "values" mapped to those keys are the encrypted passwords.

Configuration
To activate it, you must compile it with -DDBM_AUTH set in the CFLAGS variable in the Makefile. You might have to define "EXTRA_LIBS=-lcrypt" and/or "-lndbm".

This patch ensures backwards compatibility with the old mechanism by creating a new keyword, "AuthDBMUserFile", which can be dropped in place of "AuthUserFile" in your access.conf or .htaccess files (instead of changing the meaning of "AuthUserFile"). The argument to that keyword is the DBM filename. For example:

	AuthDBMUserFile /www/passwords

These passwords are encrypted using standard Unix crypt(), which the utility "dbmmanage" can handle with the "adduser" option.
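
What the description above amounts to, as an added Perl example that is not part of the original patch or of dbmmanage: it binds an ndbm file to a hash, stores a crypt() password under the username key, and checks a login with a single keyed fetch. The helper names add_user and check_user, the sample credentials and the scratch directory are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: maintain and query an ndbm user file of the kind
# AuthDBMUserFile reads (key = username, value = crypt() hash).
# Assumes the system crypt() accepts a traditional two-character salt.
use strict;
use warnings;
use Fcntl;                    # O_RDWR, O_CREAT, O_RDONLY
use NDBM_File;                # the ndbm binding the page refers to
use File::Temp qw(tempdir);

# Hypothetical helper: store one user, hashing the password with crypt().
sub add_user {
    my ($dbmfile, $user, $password) = @_;
    my @chars = ('a'..'z', 'A'..'Z', '0'..'9', '.', '/');
    my $salt  = join '', map { $chars[rand @chars] } 1 .. 2;
    # Mode 0640: the file holds password hashes, so it is not world-readable.
    tie(my %db, 'NDBM_File', $dbmfile, O_RDWR | O_CREAT, 0640)
        or die "cannot open $dbmfile: $!";
    $db{$user} = crypt($password, $salt);
    untie %db;
}

# Hypothetical helper: one keyed fetch instead of a scan through a flat file.
sub check_user {
    my ($dbmfile, $user, $password) = @_;
    tie(my %db, 'NDBM_File', $dbmfile, O_RDONLY, 0)
        or die "cannot open $dbmfile: $!";
    my $stored = $db{$user};
    untie %db;
    return 0 unless defined $stored;      # unknown user
    # The stored hash begins with its salt, so it doubles as the salt argument.
    return crypt($password, $stored) eq $stored ? 1 : 0;
}

# Constructed sample data in a scratch directory, not a real user database.
my $dir  = tempdir(CLEANUP => 1);
my $file = "$dir/passwords";              # root name; .dir/.pag or .db is added
add_user($file, 'alice', 's3cret');
print "alice/s3cret: ", check_user($file, 'alice', 's3cret'), "\n";
print "alice/wrong:  ", check_user($file, 'alice', 'wrong'),  "\n";
print "bob/s3cret:   ", check_user($file, 'bob',   's3cret'), "\n";
```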

