Apache::MultiAuth - Choose from a number of authentication modules at runtime


Put lines like this in your httpd.conf. In this example authorization is requested for accessing the directory /test. First the credentials (username, password) are checked against the module Apache::AuthSybase and then against the module Apache::AuthenSmb. If any of them succeeds, access to /test is granted.

  # in httpd.conf
  # Important : if not set apachectl configtest will complain about syntax errors
  PerlModule  Apache::MultiAuth

  <Location /test>
    AuthName Test 
    AuthType Basic

    # PerlSetVars for various Apache::Auth* modules
    # These here are example values for Apache::AuthenSmb
    PerlSetVar myPDC SAMBA

    # Define order and class of Auth modules to try
    AuthModule Apache::AuthSybase Apache::AuthenSmb

    PerlAuthenHandler Apache::MultiAuth
    require valid-user


Apache::MultiAuth allows you to specify multiple authentication modules, to be tried in order. If any module in the list returns OK, then the user is considered authenticated; if none return OK, then the MultiAuth module returns AUTH_REQUIRED and the user is reprompted for credentials. This, depending on the browser, results in a 401 authorization required message.

This is useful for cases where, for example, you have several authentication schemes: for example, NIS, SMB, and htpasswd, and some of your users are only registered in some of the auth databases. Using Apache::MultiAuth, they can be queried in order until the right one is found.

In the event that one of these modules returns OK, a note named "AuthenticatedBy" will be set, which contains the name of the module that returned OK, like so:

    $r->notes("AuthenticatedBy" => "Module::Name");

This can be retrieved by any handler that runs after the authentication phase, and can be very useful in logging:

    CustomLog "%h %l %u %t \"%r\" %>s %b %{AuthenticatedBy}n" common_auth

The last field in the common_auth log format will be the name of the module that handled the authentication.


Apache::MultiAuth allows you to name a number of authentication modules, using the AuthModule directive. These modules are queried, in the order they are provided, until one of them returns OK. Apache::MultiAuth then condiders authentication to be successful, and processing continues. If none of the provided authentication modules returns OK, Apache::MultiAuth passes AUTH_REQUIRED to apache, which results in a 401 Authorization required error.


    Stathy G. Touloumis
    Marcel M. Weber
    Darren Chamberlain