William,Thanks. There is no way to make Digest authentication work with LDAP from what I have found/read. But it seems to me that someone must have already run up against this sometime before now. Is my understanding correct that one can use Digest authentication to encrypt the password between the browser and the web server? If so, it seems like there ought to be a corresponding solution (to get that same encryption capability) with LDAP. From the answers I've been getting, I'm beginning to think that it might be time to submit an enhancement request to the Apache developers. I'll wait a bit longer to see if anyone else knows of a way to accomplish this with existing capabilities (besides SSL, which is, as I said, my backup plan).
Mark On 9/28/2010 3:52 PM, William A. Rowe Jr. wrote:
On 9/24/2010 4:28 PM, Mark Tischler wrote:I have been looking through a lot of documentation on this subject, both on apache.org and elsewhere, and I can't seem to find an answer to the following question: Our Apache web server (version 2.2.11 running on Solaris 10) is currently authenticating users via LDAP successfully. But, we would like to have an *encrypted* password sent from *the browser to the Apache web server* when authenticating via LDAP. I understand that encryption is performed from the web server to the LDAP server by using ldaps, which we are using, but we are getting complaints that the password is traveling from the users' web browsers to our Apache web server in the clear (not encrypted). The problem really requires that the web browsers and Apache support an encrypted authentication over http instead of counting on wrapping everything via https. It would be nice if the public key encryption worked between the browser and Apache for the password part. I understand that I could force the users to use an https URL instead of an http URL, but that seems like it would be overkill. If that is the only solution to this issue, then we would really want the user to authenticate over https, but then fall back to http for all of the rest of the communications to the web server so as not to incur the inherent performance penalty of https. Any hints on how to do that effectively/efficiently would be welcome in that case. I also understand that using the Digest method of authentication (vs. Basic) does not work with LDAP, because, if I understand it correctly, this method doesn't even send the password, which, of course, LDAP would need.The only way to secure Basic auth is with SSL. Basic is simply encoded in 64 bit space to make it safe for 7-bit transport. What you want is Digest auth, which then ties the digest key to the hashed user/pass/domain and secures the token from being snarfed for requests from yet a third IP address. I don't know of any simple mechanism to store digest credentials in ldap (see htdigest and the mod_auth_digest module for further details). --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See<URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
--------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See <URL:http://httpd.apache.org/userslist.html> for more info. To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx " from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
|