httpd-users mailing list archives

From "[triplepack] info (info@pack3.ch)" <i...@pack3.ch>
Subject Re: [users@httpd] LDAP authentication with password encryption from browser to web server
Date Tue, 28 Sep 2010 23:09:41 GMT
  Digest does more than just encrypting the password.

http://en.wikipedia.org/wiki/Digest_access_authentication

and if you have a look at that RFC http://www.ietf.org/rfc/rfc2829.txt 
LDAP itself possibly already supports digest-md5.

so really the LDAP auth should support the digest auth by maybe just 
forwarding the digest-md5 to ldap?


http://www.latenightpc.com/blog/archives/2007/08/31/no-authtype-digest-with-ldap-authentication-provider-for-apache-today

seems to be a very well-known topic :)

On 28.09.2010 23:04, Mark Tischler wrote:
>  William,
>
> Thanks.  There is no way to make Digest authentication work with LDAP 
> from what I have found/read.  But it seems to me that someone must 
> have already run up against this sometime before now.  Is my 
> understanding correct that one can use Digest authentication to 
> encrypt the password between the browser and the web server?  If so, 
> it seems like there ought to be a corresponding solution (to get that 
> same encryption capability) with LDAP.  From the answers I've been 
> getting, I'm beginning to think that it might be time to submit an 
> enhancement request to the Apache developers.  I'll wait a bit longer 
> to see if anyone else knows of a way to accomplish this with existing 
> capabilities (besides SSL, which is, as I said, my backup plan).
>
> Mark
>
> On 9/28/2010 3:52 PM, William A. Rowe Jr. wrote:
>> On 9/24/2010 4:28 PM, Mark Tischler wrote:
>>>   I have been looking through a lot of documentation on this 
>>> subject, both on apache.org
>>> and elsewhere, and I can't seem to find an answer to the following 
>>> question:
>>>
>>> Our Apache web server (version 2.2.11 running on Solaris 10) is 
>>> currently authenticating
>>> users via LDAP successfully.  But, we would like to have an 
>>> *encrypted* password sent from
>>> *the browser to the Apache web server* when authenticating via 
>>> LDAP.  I understand that
>>> encryption is performed from the web server to the LDAP server by 
>>> using ldaps, which we
>>> are using, but we are getting complaints that the password is 
>>> traveling from the users'
>>> web browsers to our Apache web server in the clear (not encrypted).  
>>> The problem really
>>> requires that the web browsers and Apache support an encrypted 
>>> authentication over http
>>> instead of counting on wrapping everything via https.  It would be 
>>> nice if the public key
>>> encryption worked between the browser and Apache for the password part.
>>>
>>> I understand that I could force the users to use an https URL 
>>> instead of an http URL, but
>>> that seems like it would be overkill.  If that is the only solution 
>>> to this issue, then we
>>> would really want the user to authenticate over https, but then fall 
>>> back to http for all
>>> of the rest of the communications to the web server so as not to 
>>> incur the inherent
>>> performance penalty of https.  Any hints on how to do that 
>>> effectively/efficiently would
>>> be welcome in that case.
>>>
>>> I also understand that using the Digest method of authentication 
>>> (vs. Basic) does not work
>>> with LDAP, because, if I understand it correctly, this method 
>>> doesn't even send the
>>> password, which, of course, LDAP would need.
>> The only way to secure Basic auth is with SSL.  Basic is simply 
>> encoded in 64 bit space
>> to make it safe for 7-bit transport.  What you want is Digest auth, 
>> which then ties the
>> digest key to the hashed user/pass/domain and secures the token from 
>> being snarfed for
>> requests from yet a third IP address.
>>
>> I don't know of any simple mechanism to store digest credentials in 
>> ldap (see htdigest
>> and the mod_auth_digest module for further details).
>>
>>
>> ---------------------------------------------------------------------
>> The official User-To-User support forum of the Apache HTTP Server 
>> Project.
>> See<URL:http://httpd.apache.org/userslist.html>  for more info.
>> To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
>>     "   from the digest: users-digest-unsubscribe@httpd.apache.org
>> For additional commands, e-mail: users-help@httpd.apache.org
>>
>
>
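
Added example, not part of the thread or of Apache's code: a Python sketch of why Digest cannot be fed to an LDAP simple bind while Basic can. It assumes RFC 2617 Digest with algorithm MD5 and qop=auth; the function names are hypothetical and the sample values are the worked example from RFC 2617 section 3.5.

```python
import base64
import hashlib
import hmac

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def ha1(user, realm, password):
    # The per-user value an htdigest file stores: MD5(user:realm:password).
    return md5_hex(f"{user}:{realm}:{password}")

def digest_response(ha1_hex, method, f):
    # RFC 2617 response for algorithm=MD5, qop=auth.
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(":".join([ha1_hex, f["nonce"], f["nc"], f["cnonce"], f["qop"], ha2]))

def server_verify_digest(stored_ha1, method, f):
    # The server recomputes the response from its stored HA1. The cleartext
    # password never arrives, so there is nothing to hand to an LDAP simple bind.
    return hmac.compare_digest(digest_response(stored_ha1, method, f), f["response"])

def basic_credentials(header_value):
    # Basic is reversible encoding: the server recovers user and password,
    # which is what lets it bind to LDAP, and what an eavesdropper on http sees.
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic Authorization value")
    user, sep, password = base64.b64decode(blob).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

# Sample values taken from the RFC 2617 section 3.5 example exchange.
USER, REALM, PASSWORD = "Mufasa", "testrealm@host.com", "Circle Of Life"
FIELDS = {
    "uri": "/dir/index.html", "qop": "auth", "nc": "00000001",
    "nonce": "dcd98b7102dd2f0e8b11d0f600bfb0c093", "cnonce": "0a4f113b",
    "response": "6629fae49393a05397450978507c4ef1",
}

if __name__ == "__main__":
    stored = ha1(USER, REALM, PASSWORD)
    print("digest verifies with stored HA1:", server_verify_digest(stored, "GET", FIELDS))
    print("digest verifies with wrong password:",
          server_verify_digest(ha1(USER, REALM, "guess"), "GET", FIELDS))
    basic = "Basic " + base64.b64encode(f"{USER}:{PASSWORD}".encode()).decode()
    print("basic header yields:", basic_credentials(basic))
```
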