httpd-users mailing list archives

From Ken Nishimura <>
Subject Re: [users@httpd] Followup to [Bug 50028] (LDAP authentication with encrypted passwords)
Date Fri, 29 Mar 2013 01:16:24 GMT
Eric -

I'm not exactly sure what your last question means.  However, I think 
you answered my question.  In short, the situation has not changed.  If 
we want to ensure that the password is passed from the client (browser) 
to the server securely (to be further passed on to the LDAP server), we 
have to use SSL (https).  The path from the http server to the LDAP 
server is secure using SSL (ldaps), but from the client to the server is 
unencrypted unless the entire thing is SSL'ed.

I'm pretty new at this, but it appears that the act of popping up a 
dialog box asking for username/password cannot be encrypted separately 
from the http connection.


On 03/28/2013 04:11 PM, Eric Covener wrote:
> On Thu, Mar 28, 2013 at 5:33 PM, Ken Nishimura
> <> wrote:
>> Basically, using the mod_auth_ldap module, apart from using SSL (and
>> associated overhead), is it still the case that there is no way to encrypt
>> just the passing of username and password from the client (browser) back to
>> the server?
>> As others have pointed out, SSL is a fallback, but with associated overhead.
>> Has this been fixed in later versions of Apache?
> mod_authnz_ldap requires HTTP Basic Authentication, which doesn't have
> any provision to encrypt the password separately from the rest of the
> connection.
> mod_authnz_ldap doesn't work with Digest authentication -- I don't think it can.
> What does your client support that would need a "fixed" mod_authnz_ldap?
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:
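
The setup this thread arrives at (Basic authentication against LDAP, served only over HTTPS), sketched as an added httpd configuration example that is not part of either poster's message. It assumes mod_ssl, mod_ldap and mod_authnz_ldap are loaded; every hostname, path, DN and password below is a placeholder.

```apache
# Added example. Hostnames, paths, DNs and the bind password are
# placeholders (assumptions), not values from the thread.

# Plain-HTTP vhost: deliberately carries no auth block. If the Basic + LDAP
# block below were placed here, the browser would send
# "Authorization: Basic base64(user:password)" unencrypted on every request.
<VirtualHost *:80>
    ServerName www.example.com
    Redirect permanent / https://www.example.com/
</VirtualHost>

# Trust anchor used to verify the LDAP server certificate for ldaps://
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/ldap-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    <Location "/protected">
        # Refuse the request if it reaches this location without TLS
        SSLRequireSSL

        # Browser -> httpd: Basic credentials, protected only by the TLS session
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider ldap

        # httpd -> LDAP server: bind and search over ldaps://
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub"
        AuthLDAPBindDN "cn=httpd,ou=Services,dc=example,dc=com"
        AuthLDAPBindPassword "REPLACE_ME"
        Require valid-user
    </Location>
</VirtualHost>
```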
