Thanks. I found the provided links very helpful. I decided
to file an enhancement request in ASF Bugzilla, given that this
has been complained about for at least 3 years.
Also, thanks to Igor for suggesting Kerberos. I will look into
that.
Mark
On 9/28/2010 6:09 PM, [triplepack] info ([email protected]) wrote:
Digest does more than just encrypting the password.
http://en.wikipedia.org/wiki/Digest_access_authentication
And if you have a look at that RFC,
http://www.ietf.org/rfc/rfc2829.txt, LDAP itself possibly
already supports digest-md5.
So really the LDAP auth should support the digest auth by
maybe just forwarding the digest-md5 to LDAP?
http://www.latenightpc.com/blog/archives/2007/08/31/no-authtype-digest-with-ldap-authentication-provider-for-apache-today
Seems to be a very well-known topic :)
On 28.09.2010 23:04, Mark Tischler wrote:
William,
Thanks. There is no way to make Digest authentication work
with LDAP from what I have found/read. But it seems to me
that someone must have already run up against this sometime
before now. Is my understanding correct that one can use
Digest authentication to encrypt the password between the
browser and the web server? If so, it seems like there ought
to be a corresponding solution (to get that same encryption
capability) with LDAP. From the answers I've been getting,
I'm beginning to think that it might be time to submit an
enhancement request to the Apache developers. I'll wait a
bit longer to see if anyone else knows of a way to accomplish
this with existing capabilities (besides SSL, which is, as I
said, my backup plan).
Mark
On 9/28/2010 3:52 PM, William A. Rowe Jr. wrote:
On 9/24/2010 4:28 PM, Mark Tischler wrote:
I have been looking through a lot of documentation on this subject, both on apache.org and elsewhere, and I can't seem to find an answer to the following question:

Our Apache web server (version 2.2.11 running on Solaris 10) is currently authenticating users via LDAP successfully. But, we would like to have an *encrypted* password sent from *the browser to the Apache web server* when authenticating via LDAP. I understand that encryption is performed from the web server to the LDAP server by using ldaps, which we are using, but we are getting complaints that the password is traveling from the users' web browsers to our Apache web server in the clear (not encrypted). The problem really requires that the web browsers and Apache support an encrypted authentication over http instead of counting on wrapping everything via https. It would be nice if the public key encryption worked between the browser and Apache for the password part.

I understand that I could force the users to use an https URL instead of an http URL, but that seems like it would be overkill. If that is the only solution to this issue, then we would really want the user to authenticate over https, but then fall back to http for all of the rest of the communications to the web server so as not to incur the inherent performance penalty of https. Any hints on how to do that effectively/efficiently would be welcome in that case.

I also understand that using the Digest method of authentication (vs. Basic) does not work with LDAP, because, if I understand it correctly, this method doesn't even send the password, which, of course, LDAP would need.
The only way to secure Basic auth is with SSL. Basic is simply encoded in 64 bit space to make it safe for 7-bit transport. What you want is Digest auth, which then ties the digest key to the hashed user/pass/domain and secures the token from being snarfed for requests from yet a third IP address.

I don't know of any simple mechanism to store digest credentials in ldap (see htdigest and the mod_auth_digest module for further details).
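As an added illustration of the two points made above (Basic only base64-encodes the password, so the server can recover it and use it for an LDAP bind; Digest sends a one-way MD5 response that can only be verified against a stored HA1 such as htdigest writes, so a backend that can only bind to LDAP has nothing to check it with), here is a Python sketch. It is not part of this thread and not Apache's code. The Digest inputs are the RFC 2617 worked example (user Mufasa, realm testrealm@host.com, password "Circle Of Life"); the in-memory directory is a constructed stand-in for an LDAP server that offers only a simple bind, which is how the Apache LDAP provider authenticates.

```python
import base64
import hashlib

# Constructed sample values. The Digest inputs are the RFC 2617 section 3.5
# example; they are not taken from the thread.
USER = "Mufasa"
REALM = "testrealm@host.com"
PASSWORD = "Circle Of Life"
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
NC = "00000001"
METHOD = "GET"
URI = "/dir/index.html"

# Stand-in for an LDAP server: the only operation it offers is a simple bind
# with user + plaintext password (assumption: that is all the backend can do).
DIRECTORY = {USER: PASSWORD}


def ldap_simple_bind(user, password):
    """Succeeds only when given the plaintext password, as a simple bind does."""
    return DIRECTORY.get(user) == password


# --- Basic: what actually travels over plain HTTP -------------------------

def basic_header(user, password):
    """Authorization header for Basic auth: base64 of user:password (encoding, not encryption)."""
    return "Basic " + base64.b64encode("{}:{}".format(user, password).encode()).decode()


def basic_decode(header):
    """Anyone who sees the header recovers the password with one base64 decode."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def authenticate_basic_via_ldap(header):
    """Why Basic + LDAP works: the server holds the plaintext password and can bind with it."""
    user, password = basic_decode(header)
    return ldap_simple_bind(user, password)


# --- Digest (RFC 2617, qop=auth): the password itself never leaves the client ----

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_ha1(user, realm, password):
    """HA1 = MD5(user:realm:password). This is the value htdigest stores server-side."""
    return _md5("{}:{}:{}".format(user, realm, password))


def digest_response(ha1, method, uri, nonce, nc, cnonce):
    """response = MD5(HA1:nonce:nc:cnonce:auth:HA2) with HA2 = MD5(method:uri)."""
    ha2 = _md5("{}:{}".format(method, uri))
    return _md5(":".join([ha1, nonce, nc, cnonce, "auth", ha2]))


def client_digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """What the browser puts in the Authorization: Digest header."""
    return digest_response(digest_ha1(user, realm, password), method, uri, nonce, nc, cnonce)


def authenticate_digest_via_htdigest(htdigest, user, realm, method, uri, nonce, nc, cnonce, response):
    """Verification recomputes the response from a stored HA1 (or plaintext
    password). Without HA1 there is nothing to compare the response against."""
    ha1 = htdigest.get((user, realm))
    if ha1 is None:
        return False
    return digest_response(ha1, method, uri, nonce, nc, cnonce) == response


def authenticate_digest_via_ldap(user, response):
    """What 'forwarding the digest to LDAP' amounts to with a simple bind: the
    response is a one-way hash, so binding with it as the password fails, and
    the server cannot invert it to recover the real password."""
    return ldap_simple_bind(user, response)


if __name__ == "__main__":
    hdr = basic_header(USER, PASSWORD)
    print("Basic header:", hdr, "-> decodes to", basic_decode(hdr))
    print("Basic via LDAP bind:", authenticate_basic_via_ldap(hdr))
    resp = client_digest_response(USER, REALM, PASSWORD, METHOD, URI, NONCE, NC, CNONCE)
    print("Digest response:", resp)
    store = {(USER, REALM): digest_ha1(USER, REALM, PASSWORD)}
    print("Digest via htdigest store:",
          authenticate_digest_via_htdigest(store, USER, REALM, METHOD, URI, NONCE, NC, CNONCE, resp))
    print("Digest via LDAP bind:", authenticate_digest_via_ldap(USER, resp))
```

The response computed here is the RFC 2617 example value, which is also the one shown in the Wikipedia article linked in the thread. Note the trade-off Digest buys you: the password does not cross the wire in recoverable form, but the server must keep an MD5(user:realm:password) value per user, and nothing else in the session is protected, so TLS remains the baseline rather than an alternative.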
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP
Server Project.
See<URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: [email protected]
" from the digest:
[email protected]
For additional commands, e-mail: [email protected]