diff --git a/app/models/user.rb b/app/models/user.rb
index 5ae7a56..5e3b861 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -109,6 +109,19 @@ class User < Principal
         return nil unless user.auth_source.authenticate(login, password)
       else
         # authentication with local password
+
+        # Backwards compatibility: if the stored password is
+        # hex-encoded, convert it to base64 prepended with '{SHA}'
+        # to make it compatible with Apache.
+        if user.hashed_password[0,5] != '{SHA}'
+          pw_s = ""
+          user.hashed_password.unpack(
+                  'a2'*(user.hashed_password.length / 2)).collect do |x|
+            pw_s << x.hex
+          end
+          user.hashed_password = '{SHA}' + Base64.encode64(pw_s).chomp
+        end
+
         return nil unless User.hash_password(password) == user.hashed_password        
       end
     else
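Review bot: The added conversion at `if user.hashed_password[0,5] != '{SHA}'` has no guard for a missing hash, unlike the migration, which skips `blank?` values; a nil `hashed_password` would raise here instead of failing the login. The `pw_s << x.hex` loop also depends on how `String#<<` treats an Integer: on Ruby versions where strings carry an encoding it appends a code point rather than a raw byte, and the converted value would then never match a valid digest. `pw_s = [user.hashed_password].pack('H*')` does the same conversion without that dependency, and a shared helper would keep this copy and the one in the migration in step. The enclosing method starts and ends outside this hunk, so whether the rewritten attribute is later saved cannot be seen from here.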
@@ -391,7 +404,9 @@ class User < Principal
     
   # Return password digest
   def self.hash_password(clear_password)
-    Digest::SHA1.hexdigest(clear_password || "")
+    # Prefix with {SHA} and use base64 encoding to be compatible with
+    # Apache basic authentication with mod_authn_dbd.
+    '{SHA}' + Base64.encode64(Digest::SHA1.digest(clear_password || "")).chomp
   end
 end
 
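Review bot: The new comment on `hash_password` gives the reason for the format but not its cost: `{SHA}` is a single unsalted SHA-1, so equal passwords produce equal stored values and a leaked copy of the users table can be tested offline quickly. I would state that trade-off next to the compatibility reason, for example `# NOTE: {SHA} is unsalted, single-round SHA-1, kept only for mod_authn_dbd; treat the users table as sensitive.`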
diff --git a/db/migrate/20100130000000_pw_hash_apache_compat.rb b/db/migrate/20100130000000_pw_hash_apache_compat.rb
new file mode 100644
index 0000000..a3e0e87
--- /dev/null
+++ b/db/migrate/20100130000000_pw_hash_apache_compat.rb
@@ -0,0 +1,31 @@
+class PwHashApacheCompat < ActiveRecord::Migration
+  def self.up
+    users = User.find(:all)
+    users.each do |user|
+      next if user.hashed_password.blank? or
+              (user.hashed_password[0,5] == '{SHA}')
+
+      # If the stored password is hex-encoded, convert it to base64
+      # prepended with '{SHA}' to make it compatible with Apache.
+      pw_s = ""
+      user.hashed_password.unpack(
+              'a2'*(user.hashed_password.length / 2)).collect do |x|
+        pw_s << x.hex
+      end
+      user.hashed_password = '{SHA}' + Base64.encode64(pw_s).chomp
+      user.save
+
+    end
+  end
+
+  def self.down
+    users = User.find(:all)
+    users.each do |user|
+      next if user.hashed_password.blank? or
+              (user.hashed_password[0,5] != '{SHA}')
+      pw_s = Base64.decode64(user.hashed_password[5..-1])
+      user.hashed_password = pw_s.unpack('H*').to_s
+      user.save
+    end
+  end
+end
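Review bot: Both `self.up` and `self.down` ignore the result of `user.save`, so a user record that fails validation keeps its old hash without any report; after `down` that leaves `{SHA}` values that the pre-change hex `hash_password` can never match. `user.save!` or a direct write of the one column would make such a failure visible instead of leaving a partly converted table. In `down`, `pw_s.unpack('H*').to_s` relies on `Array#to_s` joining its elements, which holds on Ruby 1.8 only; `pw_s.unpack('H*').first` yields the hex string on every version.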
