I have been looking through a lot of documentation on this
subject, both on apache.org and elsewhere, and I can't seem to
find an answer to the following question:
Our Apache web server (version 2.2.11 running on Solaris 10)
is currently authenticating users via LDAP successfully. But,
we would like to have an *encrypted* password sent from *the
browser to the Apache web server* when authenticating via
LDAP. I understand that encryption is performed from the web
server to the LDAP server by using ldaps, which we are using,
but we are getting complaints that the password is traveling
from the users' web browsers to our Apache web server in the
clear (not encrypted). The problem really requires that the
web browsers and Apache support an encrypted authentication
over http instead of counting on wrapping everything via
https. It would be nice if the public key encryption worked
between the browser and Apache for the password part.
I understand that I could force the users to use an https URL
instead of an http URL, but that seems like it would be
overkill. If that is the only solution to this issue, then we
would really want the user to authenticate over https, but
then fall back to http for all of the rest of the
communications to the web server so as not to incur the
inherent performance penalty of https. Any hints on how to do
that effectively/efficiently would be welcome in that case.
You can't do this with basic authentication, because your browser only
prompts you once but transmits the password every subsequent protected
page.
I also understand that using the Digest method of
authentication (vs. Basic) does not work with LDAP, because,
if I understand it correctly, this method doesn't even send
the password, which, of course, LDAP would need.
Any help in understanding what the best approach is would be
welcome. Thanks for your consideration. I'm hoping that this
is somehow supported. I did not see any kind of
bug/enhancement on this topic in Apache's Bugzilla.
Mark
P.S.
I have the following in my .htaccess file (with certain things
removed):
AuthName "Enter your Corporate Short Login (CSL)"
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthLDAPUrl ldaps://...:1793/dc=internal,dc=users,dc=alcatel?uid
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthLDAPBindDN uid=admin.quality_records,dc=quality_records,dc=apps,dc=alcatel
AuthLDAPBindPassword ...
Require valid-user
I have the following in my httpd.conf file (I cut out a lot of
what I thought would be extraneous):
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
#
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
#
# Dynamic Shared Object (DSO) Support
#
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available _before_ they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
#
# Example:
# LoadModule foo_module modules/mod_foo.so
#
LoadModule authn_file_module modules/mod_authn_file.so
# dal - 2009-02-23 - comment out the dbm cause it no work
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_anon_module modules/mod_authn_anon.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_user_module modules/mod_authz_user.so
# dal - 2009-02-23 - comment out the dbm cause it no work
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_owner_module modules/mod_authz_owner.so
LoadModule authnz_ldap_module modules/mod_authnz_ldap.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule dbd_module modules/mod_dbd.so
LoadModule dumpio_module modules/mod_dumpio.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule filter_module modules/mod_filter.so
LoadModule substitute_module modules/mod_substitute.so
LoadModule deflate_module modules/mod_deflate.so
LoadModule ldap_module modules/mod_ldap.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule log_forensic_module modules/mod_log_forensic.so
LoadModule logio_module modules/mod_logio.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule ident_module modules/mod_ident.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule version_module modules/mod_version.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule php5_module modules/libphp5.so
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do *not* begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo_log"
# with ServerRoot set to "/opt/exp/lib/apache2.2" will be interpreted by the
# server as "/opt/exp/lib/apache2.2/logs/foo_log".
#
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
#
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
#
ServerRoot "..."
# This is the main server configuration file. See URL http://www.apache.org/
# for instructions.
# Do NOT simply read the instructions in here without understanding
# what they do, if you are unsure consult the online docs. You have been
# warned.
# Originally by Rob McCool
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses.
Listen ...:...
# HostnameLookups: Log the names of clients or just their IP numbers
# e.g. www.apache.org (on) or 204.62.129.132 (off)
HostnameLookups off
...cut...
# 'Main' server configuration
#
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
#
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. ad...@your-domain.com
#
#ServerAdmin web-mas...@mobility.ih.lucent.com
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
ServerName ...
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "..."
# UserDir: The name of the directory which is appended onto a user's home
# directory if a ~user request is received.
UserDir public_html
...cut...
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
# The following directive disables keepalives and HTTP header flushes for
# Netscape 2.x and browsers which spoof it. There are known problems with
# these
BrowserMatch Mozilla/2 nokeepalive
# BindAddress: You can support virtual hosts with this option. This option
# is used to tell the server which IP address to listen to. It can either
# contain "*", an IP address, or a fully qualified Internet domain name.
# See also the VirtualHost directive.
#BindAddress *
# TransferLog: The location of the transfer log file. If this does not
# start with /, ServerRoot is prepended to it.
TransferLog logs/access_log
# PidFile: The file the server should log its pid to
PidFile logs/httpd.pid
# ScoreBoardFile: File used to store internal server process information.
# Not all architectures require this. But if yours does (you'll know because
# this file is created when you run Apache) then you *must* ensure that
# no two invocations of Apache share the same scoreboard file.
ScoreBoardFile logs/apache_status
# CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
# document that was negotiated on the basis of content. This asks proxy
# servers not to cache the document. Uncommenting the following line disables
# this behavior, and proxies will be allowed to cache the documents.
# CacheNegotiatedDocs
# Timeout: The number of seconds before receives and sends time out
Timeout 1200
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
KeepAlive On
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100
# KeepAliveTimeout: Number of seconds to wait for the next request
KeepAliveTimeout 15
# Server-pool size regulation. Rather than making you guess how many
# server processes you need, Apache dynamically adapts to the load it
# sees --- that is, it tries to maintain enough server processes to
# handle the current load, plus a few spare servers to handle transient
# load spikes (e.g., multiple simultaneous requests from a single
# Netscape browser).
# It does this by periodically checking how many servers are waiting
# for a request. If there are fewer than MinSpareServers, it creates
# a new spare. If there are more than MaxSpareServers, some of the
# spares die off. These values are probably OK for most sites ---
MinSpareServers 5
MaxSpareServers 16
# Number of servers to start --- should be a reasonable ballpark figure.
StartServers 5
# Limit on total number of servers running, i.e., limit on the number
# of clients who can simultaneously connect --- if this limit is ever
# reached, clients will be LOCKED OUT, so it should NOT BE SET TOO LOW.
# It is intended mainly as a brake to keep a runaway server from taking
# Unix with it as it spirals down...
MaxClients 254
# MaxRequestsPerChild: the number of requests each child process is
# allowed to process before the child dies.
# The child will exit so as to avoid problems after prolonged use when
# Apache (and maybe the libraries it uses) leak. On most systems, this
# isn't really needed, but a few (such as Solaris) do have notable leaks
# in the libraries.
MaxRequestsPerChild 128
# Proxy Server directives. Uncomment the following line to
# enable the proxy server:
#ProxyRequests On
# To enable the cache as well, edit and uncomment the following lines:
#CacheRoot /usr/local/etc/httpd/proxy
#CacheSize 5
#CacheGcInterval 4
#CacheMaxExpire 24
#CacheLastModifiedFactor 0.1
#CacheDefaultExpire 1
#NoCache a_domain.com another_domain.edu joes.garage_sale.com
...cut...
# AccessFileName: The name of the file to look for in each directory
# for access control information.
AccessFileName .htaccess
...cut...
<Directory />
Options FollowSymLinks ExecCGI Indexes Includes
AllowOverride None
Order deny,allow
Deny from all
</Directory>
<Directory /home>
AddType text/html .cgi .pl
AddHandler cgi-script .cgi .pl
AddType application/x-httpd-php .php
Options ExecCGI FollowSymLinks Includes Indexes
</Directory>
...cut...
LDAPSHaredCacheSize 20000
LDAPCacheEntries 1024
LDAPCacheTTL 600
LDAPOpCacheEntries 1024
LDAPOpCacheTTL 600
LDAPTrustedMode SSL
LDAPTrustedGlobalCert CA_BASE64 /info/www/rootCa.pem
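An added illustration of the two points made in the message above (the Basic credential is resent, readable, on every protected request; a Digest exchange never carries the password, so there is nothing to hand to an LDAP bind). This is example code written for this page, not code from the poster or from the Apache project. The user name, password and nonce are constructed; the realm string is the AuthName from the .htaccess above. The `server_ha1` lookup stands in for an htdigest file, which is what mod_auth_digest would need and what an LDAP directory does not provide.

```python
"""Added illustration (not code from the poster or the Apache project):
what the browser actually sends under Basic vs. Digest authentication,
and why a Digest exchange gives the server nothing it can hand to an
LDAP bind.  All credentials and nonces below are constructed."""
import base64
import hashlib
import hmac
import re

# --- constructed sample values (no real account, no captured traffic) ---
USER = "mark"
PASSWORD = "Tr0ub4dor&3"
REALM = "Enter your Corporate Short Login (CSL)"   # AuthName from the .htaccess above
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"        # constructed server nonce


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_authorization(header_value: str):
    """Return (scheme, params).  Basic carries one opaque token; Digest carries
    key=value pairs, quoted or bare."""
    scheme, _, rest = header_value.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        return scheme, {"token": rest.strip()}
    params = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', rest):
        params[key] = quoted or bare
    return scheme, params


def basic_credentials(header_value: str):
    """Basic is base64 *encoding*, not encryption: the user name and password
    are recovered verbatim, and the browser resends this header on every
    protected request, not just the first one it prompted for."""
    scheme, p = parse_authorization(header_value)
    if scheme != "basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(p["token"]).decode().partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client-side RFC 2617 computation (qop=auth).  Only MD5 digests leave
    the browser; the password itself never does."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def make_digest_header(user, realm, password, method, uri, nonce,
                       nc="00000001", cnonce="0a4f113b"):
    resp = digest_response(user, realm, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_digest(header_value, method, ha1_lookup):
    """Server side.  To check the response the server must already hold
    HA1 = MD5(user:realm:password) (what an htdigest file stores) or the
    plaintext password.  Nothing in the header can be passed to an LDAP
    simple bind, which needs the password itself; hence Digest + LDAP fails."""
    scheme, p = parse_authorization(header_value)
    if scheme != "digest":
        return False
    try:
        ha1 = ha1_lookup(p["username"], p["realm"])
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        return hmac.compare_digest(expected, p["response"])
    except KeyError:          # malformed or incomplete Digest header
        return False


def server_ha1(user, realm):
    """Stand-in for an htdigest file (constructed).  An LDAP directory that
    only offers a bind operation has no equivalent table to consult."""
    table = {(USER, REALM): md5_hex(f"{USER}:{REALM}:{PASSWORD}")}
    return table.get((user, realm))


BASIC_HEADER = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
DIGEST_HEADER = make_digest_header(USER, REALM, PASSWORD, "GET", "/records/", NONCE)


if __name__ == "__main__":
    print("Basic header decodes to:", basic_credentials(BASIC_HEADER))
    print("Password literally present in Digest header:", PASSWORD in DIGEST_HEADER)
    print("Digest verifies with stored HA1:", verify_digest(DIGEST_HEADER, "GET", server_ha1))
    bad = make_digest_header(USER, REALM, "wrong-password", "GET", "/records/", NONCE)
    print("Digest with wrong password verifies:", verify_digest(bad, "GET", server_ha1))
```

Running it shows the Basic header yielding the user name and password directly, while the Digest header verifies only because `server_ha1` already knows the password's MD5. That is why the practical mitigation for a Basic-over-LDAP setup is transport protection for the protected location (enabling the commented-out `Include conf/extra/httpd-ssl.conf` and adding `SSLRequireSSL` to the directory that carries the `AuthType Basic` block), rather than any change to the authentication scheme itself.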
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP
Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org