Get additional fields in environment variable from Apache mod_authn_dbd

Question

In the documentation of apache 2.4 is mentioned, that it is possible to get additional columns from the db table when using mod_authn_dbd for authentication:

If httpd was built against APR version 1.3.0 or higher, any additional column values in the first row returned by the query statement will be stored as environment variables with names of the form AUTHENTICATE_COLUMN.

But eg the output of "phpinfo" doesn't show additional environment variables.

We use

openSUSE - 13.2 (x86_64)

apache2 - 2.4.10-28.1

libapr-util1-dbd-mysql

MySQL-Table:

CREATE TABLE IF NOT EXISTS `USERS` (
  `USER` varchar(20) NOT NULL,
  `PASSWORD` varchar(150) NOT NULL,
  `KUNDE` varchar(20) NOT NULL,
  `TIMESTAMP` datetime NOT NULL DEFAULT CURRENT_TIMESTAMP,
  `REMOTE_IP` varchar(15) NOT NULL,
  `CLIENT_IP` varchar(15) NOT NULL,
  PRIMARY KEY (`USER`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

Apache configuration:

# mod_dbd configuration
DBDriver mysql
DBDParams "host=127.0.0.1 dbname=Auth port=3306 user=Auth pass=XXXXXXXX"
DBDMin  2
DBDKeep 4
DBDMax  10
DBDExptime 60

Alias /test2/ "/path/test2/"
<Directory "/path/test2/">
    Options Indexes
    AllowOverride All
    require ip 192.168.xxx.0/24 10.xxx.xxx.0/24
</Directory>

<Directory "/path/test2/secure">
  AuthType Basic
  AuthName "Test"
  AuthBasicProvider socache dbd
  AuthnCacheProvideFor dbd
  AuthnCacheContext Test
  AuthnCacheTimeout 60
  AuthDBDUserPWQuery "SELECT PASSWORD FROM USERS WHERE USER = %s"
</Directory>

Maybe someone could help and knows how to use it.

Thanks.

Answer 1

Maybe because you don't have any other columns in your query? Try for example

AuthDBDUserPWQuery "SELECT KUNDE, PASSWORD FROM USERS WHERE USER = %s"

Please also note that this approach isn't really secure because you appear to be storing plain text passwords.