On 9/24/2010 4:28 PM, Mark Tischler wrote:
> I have been looking through a lot of documentation on this subject, both on apache.org and elsewhere, and I can't seem to find an answer to the following question:
>
> Our Apache web server (version 2.2.11 running on Solaris 10) is currently authenticating users via LDAP successfully. But, we would like to have an *encrypted* password sent from *the browser to the Apache web server* when authenticating via LDAP. I understand that encryption is performed from the web server to the LDAP server by using ldaps, which we are using, but we are getting complaints that the password is traveling from the users' web browsers to our Apache web server in the clear (not encrypted). The problem really requires that the web browsers and Apache support an encrypted authentication over http instead of counting on wrapping everything via https. It would be nice if the public key encryption worked between the browser and Apache for the password part.
>
> I understand that I could force the users to use an https URL instead of an http URL, but that seems like it would be overkill. If that is the only solution to this issue, then we would really want the user to authenticate over https, but then fall back to http for all of the rest of the communications to the web server so as not to incur the inherent performance penalty of https. Any hints on how to do that effectively/efficiently would be welcome in that case.
>
> I also understand that using the Digest method of authentication (vs. Basic) does not work with LDAP, because, if I understand it correctly, this method doesn't even send the password, which, of course, LDAP would need.

The only way to secure Basic auth is with SSL. Basic is simply encoded in 64 bit space to make it safe for 7-bit transport. What you want is Digest auth, which then ties the digest key to the hashed user/pass/domain and secures the token from being snarfed for requests from yet a third IP address.

I don't know of any simple mechanism to store digest credentials in ldap (see htdigest and the mod_auth_digest module for further details).
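An added illustration of the distinction drawn in this reply, not part of the original thread: it decodes a constructed Basic header to show that base64 exposes the password directly, then computes the RFC 2617 Digest response (qop=auth) from the MD5(user:realm:password) value that htdigest stores, which is all the server needs to verify the client. All credentials, the realm and the nonces are made-up sample values.

```python
import base64
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def decode_basic(header: str) -> tuple[str, str]:
    """A Basic Authorization header is base64, not encryption: anyone who can
    read the request header recovers user and password directly."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def digest_ha1(user: str, realm: str, password: str) -> str:
    """What htdigest stores per user and realm: MD5(user:realm:password)."""
    return md5hex(f"{user}:{realm}:{password}")


def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617 'response' value for qop=auth. Only this hash, never the
    password itself, is placed in the Authorization header."""
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(stored_ha1: str, method: str, uri: str, nonce: str,
                  nc: str, cnonce: str, response: str) -> bool:
    """Server side: the stored HA1 alone is enough to check the client's
    response. This is why Digest never sends the cleartext password, and
    also why a plain LDAP bind has nothing to check it against."""
    return digest_response(stored_ha1, method, uri, nonce, nc, cnonce) == response


# Constructed sample values; none of these come from the thread.
USER, REALM, PASSWORD = "alice", "intranet", "s3cret"
NONCE, NC, CNONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
METHOD, URI = "GET", "/dir/index.html"

basic_header = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
stored_ha1 = digest_ha1(USER, REALM, PASSWORD)
response = digest_response(stored_ha1, METHOD, URI, NONCE, NC, CNONCE)

if __name__ == "__main__":
    print("Basic header decodes to:", decode_basic(basic_header))
    print("Digest response on the wire:", response)
    print("Server check from stored HA1:",
          verify_digest(stored_ha1, METHOD, URI, NONCE, NC, CNONCE, response))
```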


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.