httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Johnny Edge" <je...@visafirst.com>
Subject RE: [users@httpd] AuthType, Content hashing for LDAP
Date Fri, 05 Dec 2008 18:58:09 GMT
Nick,

No option that I am aware off - I think server variables could be left unregistered as a group
within php.ini conf file which of course results in a functionality disaster.

One way to deal with this is to recompile PHP and opt not to register PHP_AUTH_PW (in main/php_variables.c).
I thought there might be a more friendly (Apache) approach to deal with this problem. 

Apparently authnz_ldap won't work with AuthType Digest either.

-JE

-----Original Message-----
From: Nick Kew [mailto:nick@webthing.com] 
Sent: 05 December 2008 20:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] AuthType, Content hashing for LDAP

On Fri, 5 Dec 2008 17:28:17 +0200
"Johnny Edge" <jedge@visafirst.com> wrote:

> Everything is fine and works as expected, however I much prefer to 
> have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header 
> encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"] 
> in PHP while not harming the ldap functionality.

Isn't there a PHP option to suppress that?  With CGI the password is always withheld unless
you compile with BIG_SECURITY_HOLE?

You could use RequestHeader.

> Do you reckon there is a work around for this, i.e. w/ mod Digest or 
> other means?

That'll work around it too, to the extent that the credentials exposed to PHP will be of no
use to a cracker.  But better just to remove it, or replace it with a dummy value.

--
Nick Kew

Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org

Mime
View raw message