Eric -

I'm not exactly sure what your last question means. However, I think you answered my question. In short, the situation has not changed. If we want to ensure that the password is passed from the client (browser) to the server securely (to be further passed on to the LDAP server), we have to use SSL (https). The path from the http server to the LDAP server is secure using SSL (ldaps), but from the client to the server is unencrypted unless the entire thing is SSL'ed.

I'm pretty new at this, but it appears that the act of popping up a dialog box asking for username/password cannot be encrypted separately from the http connection.

Thanks,

Ken

On 03/28/2013 04:11 PM, Eric Covener wrote:
> On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura
> <ken_nishim...@agilent.com> wrote:
>> Basically, using the mod_auth_ldap module, apart from using SSL (and
>> associated overhead), is it still the case that there is no way to encrypt
>> just the passing of username and password from the client (browser) back to
>> the server?
>>
>> As others have pointed out, SSL is a fallback, but with associated overhead.
>> Has this been fixed in later versions of Apache?
>
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
> any provision to encrypt the password separately from the rest of the
> connection.
>
> mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
>
> What does your client support that would need a "fixed" mod_authnz_ldap?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
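
The setup the thread converges on (Basic auth against LDAP, offered only over HTTPS, with ldaps:// on the back end) as an added configuration example that is not from any poster in the thread. The hostnames, certificate paths, the /protected location and the LDAP base DN are placeholder assumptions.

```apache
# Added example, not from the thread. All hostnames, file paths and the
# LDAP base DN below are placeholders.

# Plain-HTTP vhost: it protects nothing and only redirects, so the server
# never issues a Basic auth challenge over an unencrypted connection.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Location "/protected">
        # Deny the request if it reaches this location without SSL,
        # e.g. after a later config change exposes it on another vhost.
        SSLRequireSSL

        # Basic auth sends the password base64-encoded, not encrypted;
        # the TLS session above is the only protection on the browser hop.
        AuthType Basic
        AuthName "Directory login"
        AuthBasicProvider ldap

        # ldaps:// covers the httpd-to-LDAP hop.
        AuthLDAPURL "ldaps://ldap.example.com/ou=people,dc=example,dc=com?uid"
        Require valid-user
    </Location>
</VirtualHost>
```

The port 80 redirect does not help a client that already sends an Authorization header to an http:// URL, so links and bookmarks for the protected area should use https:// directly.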
