https://issues.apache.org/bugzilla/show_bug.cgi?id=50028
Summary: Would like LDAP authentication to encrypt password from browser to web server
Product: Apache httpd-2
Version: 2.2.11
Platform: Sun
OS/Version: Solaris
Status: NEW
Severity: enhancement
Priority: P2
Component: mod_authz_ldap
AssignedTo: [email protected]
ReportedBy: [email protected]

We would like to have an *encrypted* password sent from *the browser to the
Apache web server* when authenticating via LDAP. I understand that encryption
is performed from the web server to the LDAP server by using ldaps, which we
are using, but we are getting complaints that the password is traveling from
the users' web browsers to our Apache web server in the clear (not encrypted).

The problem really requires that the web browsers and Apache support an
encrypted authentication over http instead of counting on wrapping everything
via https.

I understand that I could force the users to use an https URL instead of an
http URL, but that seems like it would be overkill.

I also understand that using the Digest method of authentication (vs. Basic)
does not work with LDAP.

There is a discussion from Aug. 2007 at
http://www.latenightpc.com/blog/archives/2007/08/31/no-authtype-digest-with-ldap-authentication-provider-for-apache-today.
Unfortunately, after more than 3 years, it doesn't appear that this issue has
been addressed.

I searched the ASF Bugzilla database for a request similar to this, but found
none. Are there any plans to support this in the near future?
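
Added example (not part of the bug report and not Apache code): why Basic over plain http exposes the password, and why a Digest response cannot be checked against a directory that is verified by simple bind. It assumes RFC 2617 Digest without qop and a {SSHA} userPassword value; all names and values are constructed, and ldap_bind_ok is a hypothetical stand-in for the LDAP bind.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()

def basic_credentials(header):
    """Decode an 'Authorization: Basic ...' value. Base64 is an encoding, not
    encryption, so over plain http the password is readable on the wire."""
    user, _, password = base64.b64decode(header.split(" ", 1)[1]).decode().partition(":")
    return user, password

def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1:nonce:MD5(method:uri))."""
    return md5_hex(f"{ha1}:{nonce}:{md5_hex(f'{method}:{uri}')}")

def ssha(password, salt):
    """Salted SHA-1 value in the {SSHA} form often stored in LDAP userPassword."""
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ldap_bind_ok(stored, presented):
    """Hypothetical stand-in for an LDAP simple bind: the directory hashes the
    presented cleartext with the stored salt and compares."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    return hmac.compare_digest(hashlib.sha1(presented.encode() + salt).digest(), digest)

def demo():
    # Constructed sample values, not taken from the bug report.
    user, realm, password = "alice", "intranet", "s3cret-example"
    nonce, method, uri = "constructed-nonce", "GET", "/private/"
    stored = ssha(password, b"\x01\x02\x03\x04")  # all the directory holds

    basic = "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()
    seen_password = basic_credentials(basic)[1]

    # Digest: the browser sends only this value; the password never leaves it.
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    response = digest_response(ha1, method, uri, nonce)
    return {
        "basic_exposes_password": seen_password == password,
        "bind_with_basic_password": ldap_bind_ok(stored, seen_password),
        # The web server cannot replay the digest response as a bind password,
        "bind_with_digest_response": ldap_bind_ok(stored, response),
        # and can only check it if it already holds HA1, which {SSHA} cannot yield.
        "verify_needs_ha1": hmac.compare_digest(response, digest_response(ha1, method, uri, nonce)),
    }

if __name__ == "__main__":
    print(demo())
```

Digest keeps the password off the wire only when the server already stores HA1 for the realm; with bind-verified LDAP accounts the server needs the cleartext, which is why the password has to be protected by the transport (https) instead.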