On 9/24/2010 4:28 PM, Mark Tischler wrote:
> I have been looking through a lot of documentation on this subject, both on apache.org
> and elsewhere, and I can't seem to find an answer to the following question:
>
> Our Apache web server (version 2.2.11 running on Solaris 10) is currently authenticating
> users via LDAP successfully. But, we would like to have an *encrypted* password sent from
> *the browser to the Apache web server* when authenticating via LDAP. I understand that
> encryption is performed from the web server to the LDAP server by using ldaps, which we
> are using, but we are getting complaints that the password is traveling from the users'
> web browsers to our Apache web server in the clear (not encrypted). The problem really
> requires that the web browsers and Apache support an encrypted authentication over http
> instead of counting on wrapping everything via https. It would be nice if the public key
> encryption worked between the browser and Apache for the password part.
>
> I understand that I could force the users to use an https URL instead of an http URL, but
> that seems like it would be overkill. If that is the only solution to this issue, then we
> would really want the user to authenticate over https, but then fall back to http for all
> of the rest of the communications to the web server so as not to incur the inherent
> performance penalty of https. Any hints on how to do that effectively/efficiently would
> be welcome in that case.
>
> I also understand that using the Digest method of authentication (vs. Basic) does not work
> with LDAP, because, if I understand it correctly, this method doesn't even send the
> password, which, of course, LDAP would need.

The only way to secure Basic auth is with SSL. Basic is simply encoded in 64 bit space to make it safe for 7-bit transport.
What you want is Digest auth, which then ties the digest key to the hashed user/pass/domain and secures the token from being snarfed for requests from yet a third IP address. I don't know of any simple mechanism to store digest credentials in ldap (see htdigest and the mod_auth_digest module for further details).
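To make the contrast in the reply concrete, here is an added example (not from the thread or from Apache) that builds the Basic header a browser sends and shows it decodes straight back to the password, then computes the RFC 2617 Digest exchange with qop="auth" as mod_auth_digest uses it: the server only needs the htdigest-style HA1 = MD5(user:realm:password), which is why a plain LDAP bind cannot verify it. User, realm, nonce and cnonce values are constructed for the example.

```python
import base64
import hashlib
from typing import Tuple


def basic_header(user: str, password: str) -> str:
    """Authorization header a browser sends for Basic auth (base64 of user:password)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def basic_credentials(header: str) -> Tuple[str, str]:
    """Anyone on the path recovers the password: base64 is encoding, not encryption."""
    scheme, token = header.split(" ", 1)
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, password = base64.b64decode(token).decode().split(":", 1)
    return user, password


def md5hex(data: str) -> str:
    return hashlib.md5(data.encode()).hexdigest()


def htdigest_ha1(user: str, realm: str, password: str) -> str:
    """What htdigest stores per user: MD5(user:realm:password). The server never sees the password."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    """RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:auth:HA2), HA2 = MD5(method:uri)."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_verifies(stored_ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, client_response: str) -> bool:
    """mod_auth_digest recomputes the response from the stored HA1 and compares; no password needed."""
    return digest_response(stored_ha1, method, uri, nonce, nc, cnonce) == client_response


if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret")          # constructed credentials
    print(hdr, "->", basic_credentials(hdr))       # password readable on the wire
    ha1 = htdigest_ha1("alice", "intranet", "s3cret")
    resp = digest_response(ha1, "GET", "/secure/", "nonce123", "00000001", "cnonce456")
    print("digest response:", resp, "verified:",
          server_verifies(ha1, "GET", "/secure/", "nonce123", "00000001", "cnonce456", resp))
```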