Apache > HTTP Server > Documentation > Version 2.4 > Modules

Apache Module mod_authz_dbd

Available Languages:  en  |  fr 

Description:Group Authorization and Login using SQL
Module Identifier:authz_dbd_module
Source File:mod_authz_dbd.c
Compatibility:Available in Apache 2.4 and later


This module provides authorization capabilities so that authenticated users can be allowed or denied access to portions of the web site by group membership. Similar functionality is provided by mod_authz_groupfile and mod_authz_dbm, with the exception that this module queries a SQL database to determine whether a user is a member of a group.

This module can also provide database-backed user login/logout capabilities. These are likely to be of most value when used in conjunction with mod_authn_dbd.

This module relies on mod_dbd to specify the backend database driver and connection parameters, and manage the database connections.



See also


The Require Directives

Apache's Require directives are used during the authorization phase to ensure that a user is allowed to access a resource. mod_authz_dbd extends the authorization types with dbd-group, dbd-login and dbd-logout.

Since v2.4.8, expressions are supported within the DBD require directives.

Require dbd-group

This directive specifies group membership that is required for the user to gain access.

      Require dbd-group team
      AuthzDBDQuery "SELECT group FROM authz WHERE user = %s"

Require dbd-login

This directive specifies a query to be run indicating the user has logged in.

      Require dbd-login
      AuthzDBDQuery "UPDATE authn SET login = 'true' WHERE user = %s"

Require dbd-logout

This directive specifies a query to be run indicating the user has logged out.

      Require dbd-logout
      AuthzDBDQuery "UPDATE authn SET login = 'false' WHERE user = %s"

Database Login

In addition to the standard authorization function of checking group membership, this module can also provide server-side user session management via database-backed login/logout capabilities. Specifically, it can update a user's session status in the database whenever the user visits designated URLs (subject of course to users supplying the necessary credentials).

This works by defining two special Require types: Require dbd-login and Require dbd-logout. For usage details, see the configuration example below.


Client Login integration

Some administrators may wish to implement client-side session management that works in concert with the server-side login/logout capabilities offered by this module, for example, by setting or unsetting an HTTP cookie or other such token when a user logs in or out.

To support such integration, mod_authz_dbd exports an optional hook that will be run whenever a user's status is updated in the database. Other s