You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@httpd.apache.org by Johnny Edge <je...@visafirst.com> on 2008/12/05 16:28:17 UTC
[users@httpd] AuthType, Content hashing for LDAP
Hi folks,
I have a simple mod_authnz_ldap setup which grants access to a valid Domain User to the u1 location.
<Location /u1/>
AuthType Basic
AuthBasicProvider ldap
AuthzLDAPAuthoritative off
AuthUserFile /dev/null
AuthLDAPBindDN "ADC\\apacheuser"
AuthLDAPBindPassword apachepass
AuthLDAPUrl ldap://adc.example.net:389/DC=adc,DC=example,DC=net?sAMAccountName
AuthName "Authorization required"
require valid-user
</Location>
Everything is fine and works as expected, however I much prefer to have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"] in PHP while not harming the ldap functionality.
SSL is little help as the var is still plainly available in code.
Do you reckon there is a work around for this, i.e. w/ mod Digest or other means?
Many thanks,
-JE
RE: [users@httpd] AuthType, Content hashing for LDAP
Posted by Johnny Edge <je...@visafirst.com>.
Nick,
No option that I am aware off - I think server variables could be left unregistered as a group within php.ini conf file which of course results in a functionality disaster.
One way to deal with this is to recompile PHP and opt not to register PHP_AUTH_PW (in main/php_variables.c). I thought there might be a more friendly (Apache) approach to deal with this problem.
Apparently authnz_ldap won't work with AuthType Digest either.
-JE
-----Original Message-----
From: Nick Kew [mailto:nick@webthing.com]
Sent: 05 December 2008 20:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] AuthType, Content hashing for LDAP
On Fri, 5 Dec 2008 17:28:17 +0200
"Johnny Edge" <je...@visafirst.com> wrote:
> Everything is fine and works as expected, however I much prefer to
> have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header
> encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"]
> in PHP while not harming the ldap functionality.
Isn't there a PHP option to suppress that? With CGI the password is always withheld unless you compile with BIG_SECURITY_HOLE?
You could use RequestHeader.
> Do you reckon there is a work around for this, i.e. w/ mod Digest or
> other means?
That'll work around it too, to the extent that the credentials exposed to PHP will be of no use to a cracker. But better just to remove it, or replace it with a dummy value.
--
Nick Kew
Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: [users@httpd] AuthType, Content hashing for LDAP
Posted by Johnny Edge <je...@visafirst.com>.
In fact, auto_prepend_file could be used to include a script that unsets the var in question, which atm seems a harmless workaround.
-----Original Message-----
From: Nick Kew [mailto:nick@webthing.com]
Sent: 05 December 2008 20:30
To: users@httpd.apache.org
Subject: Re: [users@httpd] AuthType, Content hashing for LDAP
On Fri, 5 Dec 2008 17:28:17 +0200
"Johnny Edge" <je...@visafirst.com> wrote:
> Everything is fine and works as expected, however I much prefer to
> have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header
> encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"]
> in PHP while not harming the ldap functionality.
Isn't there a PHP option to suppress that? With CGI the password is always withheld unless you compile with BIG_SECURITY_HOLE?
You could use RequestHeader.
> Do you reckon there is a work around for this, i.e. w/ mod Digest or
> other means?
That'll work around it too, to the extent that the credentials exposed to PHP will be of no use to a cracker. But better just to remove it, or replace it with a dummy value.
--
Nick Kew
Application Development with Apache - the Apache Modules Book http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] AuthType, Content hashing for LDAP
Posted by Nick Kew <ni...@webthing.com>.
On Fri, 5 Dec 2008 17:28:17 +0200
"Johnny Edge" <je...@visafirst.com> wrote:
> Everything is fine and works as expected, however I much prefer to
> have the 'Authorization: Basic YXBhY2hldXNlcjphcGFjaGVwYXNz' header
> encrypted and not available to a var such as $_SERVER["PHP_AUTH_PW"]
> in PHP while not harming the ldap functionality.
Isn't there a PHP option to suppress that? With CGI the password
is always withheld unless you compile with BIG_SECURITY_HOLE?
You could use RequestHeader.
> Do you reckon there is a work around for this, i.e. w/ mod Digest or
> other means?
That'll work around it too, to the extent that the credentials
exposed to PHP will be of no use to a cracker. But better just
to remove it, or replace it with a dummy value.
--
Nick Kew
Application Development with Apache - the Apache Modules Book
http://www.apachetutor.org/
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org