Digest does more then just encrypting the password.
http://en.wikipedia.org/wiki/Digest_access_authentication
and if you have a look at that RFC http://www.ietf.org/rfc/rfc2829.txt
LDAP it self possibly supports already digest-md5.
so really the LDAP auth should support the digest auth by maybe just
forwarding the digest-md5 to ldap?
http://www.latenightpc.com/blog/archives/2007/08/31/no-authtype-digest-with-ldap-authentication-provider-for-apache-today
seems to be a very known topic :)
Am 28.09.2010 23:04, schrieb Mark Tischler:
William,
Thanks. There is no way to make Digest authentication work with LDAP
from what I have found/read. But it seems to me that someone must
have already run up against this sometime before now. Is my
understanding correct that one can use Digest authentication to
encrypt the password between the browser and the web server? If so,
it seems like there ought to be a corresponding solution (to get that
same encryption capability) with LDAP. From the answers I've been
getting, I'm beginning to think that it might be time to submit an
enhancement request to the Apache developers. I'll wait a bit longer
to see if anyone else knows of a way to accomplish this with existing
capabilities (besides SSL, which is, as I said, my backup plan).
Mark
On 9/28/2010 3:52 PM, William A. Rowe Jr. wrote:
On 9/24/2010 4:28 PM, Mark Tischler wrote:
I have been looking through a lot of documentation on this
subject, both on apache.org
and elsewhere, and I can't seem to find an answer to the following
question:
Our Apache web server (version 2.2.11 running on Solaris 10) is
currently authenticating
users via LDAP successfully. But, we would like to have an
*encrypted* password sent from
*the browser to the Apache web server* when authenticating via
LDAP. I understand that
encryption is performed from the web server to the LDAP server by
using ldaps, which we
are using, but we are getting complaints that the password is
traveling from the users'
web browsers to our Apache web server in the clear (not encrypted).
The problem really
requires that the web browsers and Apache support an encrypted
authentication over http
instead of counting on wrapping everything via https. It would be
nice if the public key
encryption worked between the browser and Apache for the password part.
I understand that I could force the users to use an https URL
instead of an http URL, but
that seems like it would be overkill. If that is the only solution
to this issue, then we
would really want the user to authenticate over https, but then fall
back to http for all
of the rest of the communications to the web server so as not to
incur the inherent
performance penalty of https. Any hints on how to do that
effectively/efficiently would
be welcome in that case.
I also understand that using the Digest method of authentication
(vs. Basic) does not work
with LDAP, because, if I understand it correctly, this method
doesn't even send the
password, which, of course, LDAP would need.
The only way to secure Basic auth is with SSL. Basic is simply
encoded in 64 bit space
to make it safe for 7-bit transport. What you want is Digest auth,
which then ties the
digest key to the hashed user/pass/domain and secures the token from
being snarfed for
requests from yet a third IP address.
I don't know of any simple mechanism to store digest credentials in
ldap (see htdigest
and the mod_auth_digest module for further details).
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See<URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server
Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest: [email protected]
For additional commands, e-mail: [email protected]
