How to direct Apache Basic authentication over SSL?


You will never be able to use digest authentication with LDAP because digest auth obscures (via MD5) the password so it cannot be compared with the LDAP password.

You can solve this problem by using cookies rather than basic auth. See, e.g., pubcookie http://www.pubcookie.org/ or Apache2::AuthCookie http://search.cpan.org/~mschout/Apache-AuthCookie-3.15/lib/Apache2/AuthCookie.pm

Really, though, what is the problem with using SSL everywhere? You're wasting effort to remove security.
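As an added example (not part of the answer above, nor the original poster's configuration), here is one way to apply the "SSL everywhere the credentials travel" advice while still serving unauthenticated resources over plain HTTP. It assumes the protected path is /intranet/, the host is intranet.example.com, the certificate paths are placeholders, and mod_rewrite, mod_ssl, mod_ldap and mod_authnz_ldap are loaded; the `***` placeholders are carried over from the question as-is.

```apache
# Added example configuration, not from the original answer.
# Assumptions: protected area is /intranet/, host is intranet.example.com,
# certificate paths are placeholders, and mod_rewrite, mod_ssl, mod_ldap and
# mod_authnz_ldap are loaded. Replace the *** placeholders as in the question.

<VirtualHost *:80>
    ServerName intranet.example.com

    # Send only the protected area to HTTPS. Shared, unauthenticated resources
    # (e.g. /static/) are deliberately left on HTTP, so no rewrite for them.
    # Important: there is NO AuthType block in this plain-HTTP vhost, so the
    # 401 challenge is never issued over HTTP and the browser never has a
    # reason to send an Authorization header in the clear.
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^/intranet/ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName intranet.example.com
    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/intranet.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/intranet.example.com.key

    <Location /intranet/>
        # Belt and braces: even if the redirect above is removed or bypassed,
        # mod_ssl denies (403) any request that did not arrive over TLS.
        SSLRequireSSL

        AuthType Basic
        AuthName "***"
        AuthBasicProvider ldap
        AuthLDAPUrl "***"
        Require valid-user
    </Location>
</VirtualHost>
```

Two design points worth checking in your own deployment: first, the authentication directives live only in the :443 vhost, because Basic auth credentials are resent by the browser on every subsequent request to that URL space, so the whole protected tree (not just a login page) has to stay on HTTPS; second, `SSLRequireSSL` catches configuration drift, since a later edit that drops the redirect would otherwise silently expose the login challenge over HTTP again.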

Author: phirschybar

Updated on September 17, 2022
Comments

  • phirschybar
    phirschybar over 1 year

    Our intranet use mod_ldap to authenticate users to our internal Active Directory server as follows:

    <Location /***/>
        AuthType Basic
        AuthName "***"
        AuthBasicProvider ldap
        AuthLDAPUrl "***"
        require valid-user
    </Location>
    

    We want to allow our users to hit our site over the internet, but unfortunately Basic authentication is done in plain-text, which would expose our AD credentials on the net.

    I realize that I could protect the entire site with ssl, but the only thing I'm really concerned about are the credentials themselves.

    What is the best way to protect my AD credentials without using https:// for the entire site?

    Note: I've tried substituting "Digest" for "Basic", but that doesn't work.

    • Zoredache
      Zoredache over 13 years
The procedure described in this question may apply. serverfault.com/questions/62570/cookie-authentication-in-apache/…
    • danlefree
      danlefree over 13 years
      Whichever resources you intend to protect (i.e. things only employees should see - which is why you're requiring authentication to begin with, right?) will be sent in plain-text over the internet if you're not using SSL - seems like more than the AD credentials are at stake here..?
    • phirschybar
      phirschybar over 13 years
      The system has the likelihood of containing network topology information and internal IP addresses. Not something I want on the public internet, but also not something sensitive enough to worry too much about. It is really only the credentials I am concerned about.
  • phirschybar
    phirschybar over 13 years
If I'm understanding you correctly, since the user must authenticate before viewing ANY of the site, this is the equivalent of redirecting the entire site to https://. Correct? Or is there a way to redirect to https:// only if the user hasn't yet authenticated?
  • BillThor
    BillThor over 13 years
See edits. You can match URLs. Once they have been switched to HTTPS, they will stay there unless redirected back to HTTP. You can reverse the rewrite rules for unsecured areas. (Don't rewrite shared resource areas like CSS and graphics.) With basic authentication, the credentials are passed on subsequent requests to that URL.
  • phirschybar
    phirschybar over 13 years
    +1 for pointing out that credentials are passed on subsequent requests. I had forgotten about that. This therefore necessitates that the entire site be secured.