Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/09/29 20:12:44 UTC

DO NOT REPLY [Bug 50028] New: Would like LDAP authentication to encrypt password from browser to web server

https://issues.apache.org/bugzilla/show_bug.cgi?id=50028

           Summary: Would like LDAP authentication to encrypt password
                    from browser to web server
           Product: Apache httpd-2
           Version: 2.2.11
          Platform: Sun
        OS/Version: Solaris
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: mod_authz_ldap
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: mark.tischler@alcatel-lucent.com


We would like to have an *encrypted* password sent from *the browser to the
Apache web server* when authenticating via LDAP.  I understand that encryption
is performed from the web server to the LDAP server by using ldaps, which we
are using, but we are getting complaints that the password is traveling from
the users' web browsers to our Apache web server in the clear (not encrypted). 
The problem really requires that the web browsers and Apache support an
encrypted authentication over http instead of counting on wrapping everything
via https.

I understand that I could force the users to use an https URL instead of an
http URL, but that seems like it would be overkill.

I also understand that using the Digest method of authentication (vs. Basic)
does not work with LDAP.

There is a discussion from Aug. 2007 at
http://www.latenightpc.com/blog/archives/2007/08/31/no-authtype-digest-with-ldap-authentication-provider-for-apache-today.
Unfortunately, after more than 3 years, it doesn't appear that this issue has
been addressed.

I searched the ASF Bugzilla database for a request similar to this, but found
none.  Are there any plans to support this in the near future?

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org


DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

--- Comment #4 from Mark Tischler <ma...@alcatel-lucent.com> 2010-09-29 17:50:31 EDT ---
ldap and ldaps exist for the route between the web server and the LDAP server. 
But I'm talking about the route between the browser and the web server.

I'm not sure what you mean by an "ldap data store", though.


DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

Eric Covener <co...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |WONTFIX

--- Comment #6 from Eric Covener <co...@gmail.com> 2010-12-04 07:26:20 EST ---
> was suggesting that someone come up with a way to allow the password to be 
> encrypted between the browser and the web server before it gets sent to 
> the LDAP server

Closing as WONTFIX as we won't be inventing some protocol to encrypt an LDAP
password between the browser and server.


DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

Stefan Fritsch <sf...@sfritsch.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Stefan Fritsch <sf...@sfritsch.de> 2010-09-29 17:28:55 EDT ---
It simply can't work. Citing a comment from the URL you have given:

'It is impossible to use Digest and LDAP together. This is because the LDAP
server can only answer to a query like "is password Y correct for user X?", but
it will never give the password. Digest, then, does not send a password to the
server. This means Apache doesn't have a password Y to query the LDAP server.'


You will have to use https instead.

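The configuration the thread converges on, as an added example that is not part of the bug report or of the httpd project's own documentation: the reporter's setup (ldaps between httpd and the directory, but Basic over plain http between browser and httpd) next to the corrected form in which both hops are encrypted. Hostnames, the base DN, the CA bundle path and the certificate paths are assumed placeholders. Directive names are those of mod_authnz_ldap, mod_ldap and mod_ssl in httpd 2.2; the Strict-Transport-Security line additionally needs mod_headers loaded.

```apacheconf
# Weak: what the report describes. The httpd-to-LDAP hop is protected by
# ldaps://, but the location is served over plain http, so the Basic
# credential (base64-encoded, not encrypted) crosses the browser-to-httpd
# hop in the clear.
<VirtualHost *:80>
    ServerName intranet.example.com
    <Location "/private/">
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
        Require valid-user
    </Location>
</VirtualHost>

# Corrected: both hops encrypted. Port 80 only redirects; the protected
# location lives in the TLS vhost and SSLRequireSSL refuses any non-TLS
# request that still reaches it (for example through a misrouted alias).
# The LDAP server certificate is verified against an internal CA so the
# ldaps:// hop cannot be silently downgraded by a spoofed directory.
LDAPTrustedGlobalCert CA_BASE64 /etc/ssl/certs/internal-ca.pem
LDAPVerifyServerCert On

<VirtualHost *:80>
    ServerName intranet.example.com
    Redirect permanent "/" "https://intranet.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key
    Header always set Strict-Transport-Security "max-age=31536000"

    <Location "/private/">
        SSLRequireSSL
        AuthType Basic
        AuthName "Intranet"
        AuthBasicProvider ldap
        AuthLDAPURL "ldaps://ldap.example.com/ou=People,dc=example,dc=com?uid?sub?(objectClass=person)"
        Require valid-user
    </Location>
</VirtualHost>
```

If the directory only offers StartTLS on port 389 rather than ldaps on 636, the same AuthLDAPURL takes a trailing mode argument (AuthLDAPURL "ldap://ldap.example.com/..." STARTTLS) or the server-wide LDAPTrustedMode TLS; either way the password is still only ever protected on the browser hop by the https vhost, which is the point of comment #1.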

DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

--- Comment #2 from Mark Tischler <ma...@alcatel-lucent.com> 2010-09-29 17:36:02 EDT ---
I wasn't suggesting that you make LDAP work with Digest.  I was suggesting that
someone come up with a way to allow the password to be encrypted between the
browser and the web server before it gets sent to the LDAP server.  There must
be a way to do this, even if it means creating a completely new mechanism to do
it.  It is unacceptable to ask users to wrap their applications in SSL, given
that SSL incurs performance hits.  There ought to be a way for the equivalent
of Digest (read: not *actually* Digest) to work with LDAP.  That is, it would
be nice if the public key encryption worked between the browser and Apache for
the password part.  Would it be reasonable to re-open this or reassign it so
that you or others might be able to suggest ways to do this?


DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

--- Comment #5 from William A. Rowe Jr. <wr...@apache.org> 2010-09-29 18:19:47 EDT ---
For user agent to server communications, there are only two, basic and digest,
and we aren't inventing protocols here, take it to the IETF.

You would prefer the phrase 'attribute' for the user/pass/realm hash, I
presume.


DO NOT REPLY [Bug 50028] Would like LDAP authentication to encrypt password from browser to web server

William A. Rowe Jr. <wr...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
           Platform|Sun                         |All
            Version|2.2.11                      |2.3-HEAD
         Resolution|INVALID                     |
         OS/Version|Solaris                     |All

--- Comment #3 from William A. Rowe Jr. <wr...@apache.org> 2010-09-29 17:47:48 EDT ---
This won't happen.  ldaps and ldap StartTLS exist for this purpose.

It is not unreasonable to ask for an enhancement to use an ldap data store for 
digest authentication credentials; that we are willing to investigate when
someone has free time to do so.  Perhaps a local ldap procedure for validating
a user/pass/realm token?

It is not likely to happen for 2.2.

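Comment #1 says Digest cannot be checked against LDAP because the directory only answers "is password Y correct for user X?", and comment #3 says the workable variant is a data store that holds the Digest user/pass/realm hash. The following is an added example written for this page, not code from httpd, mod_authnz_ldap or anyone in the thread, that models both stores and runs the two schemes against them. The realm, nonces, user names and passwords are constructed sample data; the two directory classes are stand-ins for an LDAP simple bind and for an assumed LDAP attribute holding HA1, not real LDAP calls.

```python
"""Basic vs. Digest against a bind-only directory and against an HA1 store.

Added example for the bug 50028 thread, not project code. Models:
  * BindOnlyDirectory: an LDAP server reached by simple bind, which never
    hands the password back and only says whether (user, password) binds;
  * Ha1Directory: an assumed LDAP attribute holding the RFC 2617 HA1 value
    MD5(user:realm:password) per user, the data store comment #3 suggests.
All names, realm, nonces and passwords below are constructed sample data.
"""
import base64
import hashlib
from typing import Dict, Iterable, Optional

REALM = "example.com"                           # assumed realm name
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"    # constructed server nonce
CNONCE = "0a4f113b"                             # constructed client nonce
NC = "00000001"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class BindOnlyDirectory:
    """Stand-in for an LDAP simple bind: answers yes/no, never returns Y."""

    def __init__(self, passwords: Dict[str, str]):
        self._passwords = passwords

    def bind(self, user: str, password: str) -> bool:
        return self._passwords.get(user) == password


class Ha1Directory:
    """Stand-in for an LDAP attribute storing the Digest HA1 per user."""

    def __init__(self, passwords: Dict[str, str], realm: str):
        self._ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in passwords.items()}

    def ha1(self, user: str) -> Optional[str]:
        return self._ha1.get(user)


# ---- Basic: the password crosses the wire base64-encoded, i.e. in the clear
def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def verify_basic(header: str, directory: BindOnlyDirectory) -> bool:
    """httpd side of Basic + LDAP: decode, then bind with the recovered
    password. Anyone on the http path can perform the same decode."""
    scheme, _, b64 = header.partition(" ")
    if scheme != "Basic":
        return False
    user, _, password = base64.b64decode(b64).decode().partition(":")
    return directory.bind(user, password)


# ---- Digest (RFC 2617, qop=auth): only a hash derived from the password crosses
def digest_response(user: str, password: str, method: str, uri: str) -> str:
    ha1 = md5_hex(f"{user}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:auth:{ha2}")


def verify_digest(user: str, response: str, method: str, uri: str,
                  directory: Ha1Directory) -> bool:
    """Verification works only because the store returns HA1 for the user;
    the server never needs, and never sees, the cleartext password."""
    ha1 = directory.ha1(user)
    if ha1 is None:
        return False
    ha2 = md5_hex(f"{method}:{uri}")
    return response == md5_hex(f"{ha1}:{NONCE}:{NC}:{CNONCE}:auth:{ha2}")


def digest_via_bind(user: str, response: str, method: str, uri: str,
                    directory: BindOnlyDirectory,
                    candidates: Iterable[str]) -> Optional[str]:
    """All a bind-only directory lets the server do with a Digest response:
    guess passwords, recompute the response for each guess, and bind with a
    guess that matches. With no candidate list there is no password Y to
    bind with, which is the impossibility comment #1 quotes. Returns the
    guess that bound, or None."""
    for guess in candidates:
        if digest_response(user, guess, method, uri) == response and \
                directory.bind(user, guess):
            return guess
    return None


# Constructed sample directory contents.
PASSWORDS = {"alice": "s3cret-Pa55", "bob": "hunter2"}
BIND_DIR = BindOnlyDirectory(PASSWORDS)
HA1_DIR = Ha1Directory(PASSWORDS, REALM)

if __name__ == "__main__":
    hdr = basic_header("alice", "s3cret-Pa55")
    print("Basic on the wire:", hdr)
    print("Basic verified via bind:", verify_basic(hdr, BIND_DIR))
    resp = digest_response("alice", "s3cret-Pa55", "GET", "/private/")
    print("Digest on the wire:", resp)
    print("Digest verified via HA1 store:",
          verify_digest("alice", resp, "GET", "/private/", HA1_DIR))
    print("Digest via bind-only directory, no guesses:",
          digest_via_bind("alice", resp, "GET", "/private/", BIND_DIR, []))
```

The guess loop is the same work an eavesdropper does offline with a captured Digest response, so a bind-only backend gives the server no advantage over the attacker; the scheme only becomes a real verifier when the directory stores HA1, and at that point HA1 itself is a password-equivalent that has to be protected as carefully as the cleartext password in the LDAP entry.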