William,
Thanks. There is no way to make Digest authentication work with
LDAP from what I have found/read. But it seems to me that
someone must have already run up against this sometime before
now. Is my understanding correct that one can use Digest
authentication to encrypt the password between the browser and
the web server? If so, it seems like there ought to be a
corresponding solution (to get that same encryption capability)
with LDAP. From the answers I've been getting, I'm beginning to
think that it might be time to submit an enhancement request to
the Apache developers. I'll wait a bit longer to see if anyone
else knows of a way to accomplish this with existing
capabilities (besides SSL, which is, as I said, my backup plan).
Mark
On 9/28/2010 3:52 PM, William A. Rowe Jr. wrote:
On 9/24/2010 4:28 PM, Mark Tischler wrote:
I have been looking through a lot of documentation on this subject, both on
apache.org
and elsewhere, and I can't seem to find an answer to the following question:
Our Apache web server (version 2.2.11 running on Solaris 10) is currently
authenticating
users via LDAP successfully. But, we would like to have an *encrypted*
password sent from
*the browser to the Apache web server* when authenticating via LDAP. I
understand that
encryption is performed from the web server to the LDAP server by using ldaps,
which we
are using, but we are getting complaints that the password is traveling from
the users'
web browsers to our Apache web server in the clear (not encrypted). The
problem really
requires that the web browsers and Apache support an encrypted authentication
over http
instead of counting on wrapping everything via https. It would be nice if the
public key
encryption worked between the browser and Apache for the password part.
I understand that I could force the users to use an https URL instead of an
http URL, but
that seems like it would be overkill. If that is the only solution to this
issue, then we
would really want the user to authenticate over https, but then fall back to
http for all
of the rest of the communications to the web server so as not to incur the
inherent
performance penalty of https. Any hints on how to do that
effectively/efficiently would
be welcome in that case.
I also understand that using the Digest method of authentication (vs. Basic)
does not work
with LDAP, because, if I understand it correctly, this method doesn't even send
the
password, which, of course, LDAP would need.
The only way to secure Basic auth is with SSL. Basic is simply encoded in 64
bit space
to make it safe for 7-bit transport. What you want is Digest auth, which then
ties the
digest key to the hashed user/pass/domain and secures the token from being
snarfed for
requests from yet a third IP address.
I don't know of any simple mechanism to store digest credentials in ldap (see
htdigest
and the mod_auth_digest module for further details).
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See<URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
" from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org