The "sqlauth" Module (v3)
Description
This module allows connecting users to be authenticated against an arbitrary SQL table.
It only checks whether clients are allowed to connect (using the PASS command) and does not provide any sort of user accounts (i.e. no nickname registration, NickServ, or SASL).
Configuration
To load this module use the following <module> tag:

```xml
<module name="sqlauth">
```
<sqlauth>
The <sqlauth> tag defines settings about how the sqlauth module should behave. This tag can only be defined once.
Name | Type | Default Value | Description |
---|---|---|---|
allowpattern | Text | None | If defined then a glob pattern for nicknames that are exempted from the authentication requirement. |
column | Text | None | The name of the column that the password is located in. |
dbid | Text | None | Required! The name of the database connection to execute the query against. |
hash | Text | md5,sha256 | A comma-delimited list of hash algorithms to check the password against. |
kdf | Text | None | The name of a KDF to check the password against. |
killreason | Text | None | Required! The message to kill users that fail to authenticate with. |
query | Text | None | Required! The SQL query to authenticate users with. If this query returns one or more rows it is considered a success; otherwise it is considered a failure. |
verbose | Boolean | No | Whether to log failed authentications to snomask a (local) and snomask A (remote). |
The query field can contain any of the following template variables:
Variable | Description |
---|---|
$host | The real hostname of the connecting user. |
$ident | The username (ident) of the connecting user. |
$ip | The IP address of the connecting user. |
$md5pass | An MD5 hash of the password sent with /PASS by the connecting user (requires the md5 module). |
$nick | The nickname of the connecting user. |
$pass | The password sent with /PASS by the connecting user. |
$real | The real name (gecos) of the connecting user. |
$server | The name of the server the connecting user connected to. |
$sha256pass | A SHA-256 hash of the password sent with /PASS by the connecting user (requires the sha256 module). |
$uuid | The UUID of the connecting user. |
Example Usage
Checks the password using the existence of a row returned from the database:
```xml
<sqlauth allowpattern="Guest*"
         hash="sha256"
         dbid="sqlauth"
         killreason="Access denied"
         query="SELECT * FROM users WHERE name='$nick' AND password='$sha256pass' LIMIT 1"
         verbose="no">
```
Checks the password by comparing against a database field specified in the config:
```xml
<sqlauth allowpattern="Guest*"
         column="password"
         kdf="bcrypt"
         dbid="sqlauth"
         killreason="Access denied"
         query="SELECT * FROM users WHERE name='$nick' LIMIT 1"
         verbose="no">
```
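The first configuration above, run against an in-memory SQLite database as an added example (not part of the InspIRCd documentation or source). It assumes `$sha256pass` is the lowercase hex SHA-256 digest of the /PASS value and that `users` has text columns `name` and `password`; the sample accounts are constructed. It shows how rows must be stored for that query to match, and that unsalted digests are identical for accounts sharing a password, which a salted KDF such as bcrypt in the second configuration avoids.

```python
import hashlib
import sqlite3

# Constructed sample accounts (not from the InspIRCd documentation).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "tr0ub4dor")]


def sha256pass(password: str) -> str:
    """Assumed encoding of $sha256pass: lowercase hex SHA-256 of the /PASS value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def build_db(users=SAMPLE_USERS) -> sqlite3.Connection:
    """Create the table shape the example query expects and fill it."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT NOT NULL)")
    db.executemany(
        "INSERT INTO users (name, password) VALUES (?, ?)",
        [(name, sha256pass(pw)) for name, pw in users],
    )
    return db


def row_exists(db: sqlite3.Connection, nick: str, password: str) -> bool:
    """The first example's query, with $nick and $sha256pass bound as parameters."""
    cur = db.execute(
        "SELECT * FROM users WHERE name=? AND password=? LIMIT 1",
        (nick, sha256pass(password)),
    )
    return cur.fetchone() is not None


def shared_hashes(db: sqlite3.Connection) -> dict:
    """Group account names by stored digest; equal passwords give equal digests."""
    groups = {}
    for name, stored in db.execute("SELECT name, password FROM users ORDER BY name"):
        groups.setdefault(stored, []).append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    db = build_db()
    print("alice, right password:", row_exists(db, "alice", "correct horse"))
    print("alice, wrong password:", row_exists(db, "alice", "wrong"))
    print("accounts sharing a digest:", list(shared_hashes(db).values()))
```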
Special Notes
The following SQL modules are included with InspIRCd:
Engine | Module | Description |
---|---|---|
mysql | mysql | Queries a MySQL database. |
pgsql | pgsql | Queries a PostgreSQL database. |
sqlite3 | sqlite3 | Queries an SQLite database. |