Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
On Sat, 2013-03-30 at 13:51 -0400, Stormy wrote:

> At 12:05 PM 3/30/2013 +1000, Noel Butler wrote:
>> Sounds like a package manager problem to me
>
> I'm not sure of that, but I'm not a php expert :( Just been doing some testing on the sandbox (dpkg --force-all, not apt), and it comes back to php lack of thread safety. Blowfish encryption doesn't function without full php and libapache2-mod-php5, and if I leave

Uhg, yeah, but this is because of the way your operating system distro vendor has packaged these softwares. libapache2-mod-php5 is not an official package name. Try getting httpd and php sources and build them, it's why I won't touch things like that from certain distros, too much butchering goes on.

php has a helpful mailing list for php related questions, but AFAIK, php is thread safe, but not all modules might be, again, a question for them as it's not httpd related.

> those in place and go back to mpm-worker (faster, less overhead for my server usage) I seem to be in trouble with env vars (setlocale.php). Not sure if I can run FastCGI and remove mod-php? I've read that this would restore thread safety by taking php outside Apache (2.2.22 on U 12.04 LTS)
>
> By the way, is there a quick way of swapping between worker and prefork without re-compiling? That would make my testing a whole lot easier.

httpd -l and look to see what's there

I am using only 2.4 now, event (similar, but advanced to, worker) is now the default MPM, if you want prefork compile with --with-mpm=prefork
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
At 12:05 PM 3/30/2013 +1000, Noel Butler wrote:

> Sounds like a package manager problem to me

I'm not sure of that, but I'm not a php expert :( Just been doing some testing on the sandbox (dpkg --force-all, not apt), and it comes back to php lack of thread safety. Blowfish encryption doesn't function without full php and libapache2-mod-php5, and if I leave those in place and go back to mpm-worker (faster, less overhead for my server usage) I seem to be in trouble with env vars (setlocale.php). Not sure if I can run FastCGI and remove mod-php? I've read that this would restore thread safety by taking php outside Apache (2.2.22 on U 12.04 LTS)

By the way, is there a quick way of swapping between worker and prefork without re-compiling? That would make my testing a whole lot easier.

Thanks a million - Paul

> On Fri, 2013-03-29 at 19:30 -0400, Stormy wrote:
>> At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:
>>> [snip]
>>> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection. mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>>
>> (Slight tangent to this thread) does anyone know of an equivalent to php-crypt-blowfish that works with Apache2 compiled as worker? it seems to want to:
>>
>> The following packages will be REMOVED:
>>   apache2-mpm-worker
>> The following NEW packages will be installed:
>>   apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5
>>
>> I'm not stuck on php and might prefer Perl or PEAR, whatever.
>>
>> Thanks - Paul
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:

> [snip]
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection. mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.

(Slight tangent to this thread) does anyone know of an equivalent to php-crypt-blowfish that works with Apache2 compiled as worker? it seems to want to:

The following packages will be REMOVED:
  apache2-mpm-worker
The following NEW packages will be installed:
  apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5

I'm not stuck on php and might prefer Perl or PEAR, whatever.

Thanks - Paul
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Sounds like a package manager problem to me

On Fri, 2013-03-29 at 19:30 -0400, Stormy wrote:

> At 07:11 PM 3/28/2013 -0400, Eric Covener wrote:
>> [snip]
>> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection. mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>
> (Slight tangent to this thread) does anyone know of an equivalent to php-crypt-blowfish that works with Apache2 compiled as worker? it seems to want to:
>
> The following packages will be REMOVED:
>   apache2-mpm-worker
> The following NEW packages will be installed:
>   apache2-mpm-prefork libapache2-mod-php5 php-crypt-blowfish php5
>
> I'm not stuck on php and might prefer Perl or PEAR, whatever.
>
> Thanks - Paul
[users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Hi -

I've searched the archives and it looks like this was discussed back in 2010 with a WONTFIX. I just wanted to make sure this is still the case.

Basically, using the mod_auth_ldap module, apart from using SSL (and associated overhead), is it still the case that there is no way to encrypt just the passing of username and password from the client (browser) back to the server? As others have pointed out, SSL is a fallback, but with associated overhead. Has this been fixed in later versions of Apache?

Thanks,
Ken
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura ken_nishim...@agilent.com wrote:

> Basically, using the mod_auth_ldap module, apart from using SSL (and associated overhead), is it still the case that there is no way to encrypt just the passing of username and password from the client (browser) back to the server? As others have pointed out, SSL is a fallback, but with associated overhead. Has this been fixed in later versions of Apache?

mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection. mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.

What does your client support that would need a fixed mod_authnz_ldap?
Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Eric -

I'm not exactly sure what your last question means. However, I think you answered my question. In short, the situation has not changed. If we want to ensure that the password is passed from the client (browser) to the server securely (to be further passed on to the LDAP server), we have to use SSL (https). The path from the http server to the LDAP server is secure using SSL (ldaps), but from the client to the server is unencrypted unless the entire thing is SSL'ed.

I'm pretty new at this, but it appears that the act of popping up a dialog box asking for username/password cannot be encrypted separately from the http connection.

Thanks,
Ken

On 03/28/2013 04:11 PM, Eric Covener wrote:

> On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura ken_nishim...@agilent.com wrote:
>> Basically, using the mod_auth_ldap module, apart from using SSL (and associated overhead), is it still the case that there is no way to encrypt just the passing of username and password from the client (browser) back to the server? As others have pointed out, SSL is a fallback, but with associated overhead. Has this been fixed in later versions of Apache?
>
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have any provision to encrypt the password separately from the rest of the connection. mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>
> What does your client support that would need a fixed mod_authnz_ldap?
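
The arrangement the thread ends on (Basic authentication offered only over https, with ldaps between httpd and the directory), written out as an httpd configuration. This is an added example, not configuration from any poster; the hostnames, file paths, base DN and bind account are placeholders.

```apache
# Added example: every hostname, path, DN and password below is a placeholder.

# Port 80 never serves the protected area, so the browser is never
# challenged for Basic credentials over cleartext HTTP.
<VirtualHost *:80>
    ServerName intranet.example.com
    Redirect permanent / https://intranet.example.com/
</VirtualHost>

# httpd -> LDAP leg (mod_ldap): trust one CA and verify the server certificate.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/example-ldap-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    <Location "/protected">
        # Refuse the request outright if it ever arrives without TLS.
        SSLRequireSSL

        # mod_authnz_ldap works with Basic only; TLS is what protects
        # the password between browser and server.
        AuthType Basic
        AuthName "Directory login"
        AuthBasicProvider ldap

        # ldaps:// protects the bind between httpd and the directory.
        AuthLDAPURL "ldaps://ldap.example.com:636/ou=people,dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "cn=httpd-bind,ou=services,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE_ME"

        Require valid-user
    </Location>
</VirtualHost>
```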