I believe that so far we've missed the OP's point.

The database is on a different server than the webserver, behind a(nother) firewall.

Authenticating users from infromation stored in the database has been done before with modules to make it fairly trivial - once an initial connection is opened from Apache to the db in order to submit the requests. It is the opening of this initial connection that the poster is concerned about. he wants the intiial db connection somehow done without the id,password being stored on the webserver.

And the only ways I see around this are:

• to have an entry for every user in the table that defines who can connect to mySQL and what they can do in mySQL, as well as possibly another table handling the same stuff for the webserver. But this implies a separate process for setting up these users. OR
• That the ID,password for db connection is stored in an encrypted file (eg using gpg) and the Apache startup process requires you to enter a passphrase at startup, after which the id,passwd are held by processes in RAM and used as needed. (The Agent thing for OpenSSL that stores users keys in RAM for use by other processes might be worth looking at in thgis regard.) But, even after you figure out how to do this, this may be a cure worse than the disease.

--Bob Niederman, http://bob-n.com