Posted to users@httpd.apache.org by ap...@buglecreek.com on 2009/04/16 18:24:11 UTC

[users@httpd] Apache ldap authentication and security

Server - RH5 httpd-2.2.3

I have set up a server that uses ssl ldap authentication.  This all works
fine.  I am trying to understand the connection from a client browser to
the server.  I am sniffing the packets on the server with tcpdump and
also have tried wireshark. Since the server is using http not https I
assumed that all traffic from the client browser to the server would be
in clear text.  So, when I connect to the server with the client browser
I get the authentication window.  I enter a username and passwd. 
Looking at the traffic on the server I see everything but the username
and passwd.  I would have thought that it would transmit the username and
pass in clear text to the server since it is using http.  The web server
goes to the ldap server using ssl, so that traffic is encrypted as I
expected.  I'm just confused as to why the username and pass are not seen
when looking at the packets.  This is of course good behavior, but I
am just trying to understand how it works.  It seems that I have done
this before with earlier versions and have seen the username and pass. 
Maybe I'm just remembering this wrong.  Anyone know how this works? 

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Apache ldap authentication and security

Posted by Eric Covener <co...@gmail.com>.
On Thu, Apr 16, 2009 at 12:24 PM,  <ap...@buglecreek.com> wrote:
> Server - RH5 httpd-2.2.3
>
> I have set up a server that uses ssl ldap authentication.  This all works
> fine.  I am trying to understand the connection from a client browser to
> the server.  I am sniffing the packets on the server with tcpdump and
> also have tried wireshark. Since the server is using http not https I
> assumed that all traffic from the client browser to the server would be
> in clear text.  So, when I connect to the server with the client browser
> I get the authentication window.  I enter a username and passwd.
> Looking at the traffic on the server I see everything but the username
> and passwd

It's base64-encoded in the Authorization request header.

-- 
Eric Covener
covener@gmail.com
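
The following is an added example, not part of the original thread or of Apache httpd. Assuming the server uses HTTP Basic authentication (the scheme that carries base64-encoded credentials in the Authorization header), it shows a check that pulls that header out of a captured cleartext request and decodes it, which is why base64 over plain http gives no confidentiality. The sample request, host name and credentials are constructed, and the function names are hypothetical.

```python
import base64
import binascii

# Constructed sample: a request as it would appear in a cleartext HTTP capture.
# Host, path and credentials are made up for this example.
SAMPLE_REQUEST = (
    b"GET /private/ HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"authorization: basic YWxpY2U6czNjcmV0OnB3\r\n"
    b"Accept: */*\r\n"
    b"\r\n"
)

def parse_headers(raw):
    """Return (lowercased-name, value) pairs from the header block of a raw request."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split(b"\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def basic_credentials(raw):
    """Decode every 'Authorization: Basic' header; return (user, password) tuples.

    Header names and the scheme token are case-insensitive. Malformed values
    are skipped rather than raising.
    """
    found = []
    for name, value in parse_headers(raw):
        if name != b"authorization":
            continue
        scheme, _, token = value.partition(b" ")
        if scheme.lower() != b"basic":
            continue
        try:
            decoded = base64.b64decode(token.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue
        user, sep, password = decoded.partition(b":")   # password may contain ':'
        if sep:
            found.append((user.decode("utf-8", "replace"),
                          password.decode("utf-8", "replace")))
    return found

if __name__ == "__main__":
    for user, password in basic_credentials(SAMPLE_REQUEST):
        print("Basic credentials readable on the wire: user=%r password=%r" % (user, password))
```

Run against requests reassembled from a tcpdump or wireshark capture, any non-empty result means the login is exposed to anyone on the path, and the remedy is to serve the protected area over https.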
