Solved

HTTP Digest authentication to backend LDAP server

Posted on 2007-10-18
Last Modified: 2013-12-19
I would like to figure if it is possible to use HTTP digest to authenticate against the backend LDAP directory. Basically, a gateway receives an HTTP digest message, and uses it to authenticate against LDAP.

Can SASL with digest-md5 mechanism be used? From the documentation, it seems that SASL digest-md5 works only if the cleartext password is available.

Thank you!
Question by:aquarius003
9 Comments
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20108043
should be possible with apache, see
http://httpd.apache.org/docs/2.0/mod/mod_auth_ldap.html

obviously this requires that apache can bind as the process user to LDAP and access the user's dn and the password hash; this way a clear-text password is not needed except for apache itself
 

Author Comment

by:aquarius003
ID: 20108404
Thanks, but that is applicable to HTTP Basic authentication, not HTTP Digest. Digest comes with a hash that can't be used for authentication.
 

Author Comment

by:aquarius003
ID: 20108465
Btw, the only reference to this issue I found was http://www.openldap.org/lists/openldap-software/200111/msg00592.html, and it's not encouraging...

 

Author Comment

by:aquarius003
ID: 20113393
Ok, I searched some more and I'm thinking this is not possible.

The reason is that HTTP Digest comes as a hash of a hash, and the server's nonce, qop, realm and other stuff are one-way hashed.

The only way I see is to have a directory server store cleartext passwords. It would also need an authentication plug-in to produce a hash (domain, user name, password, nonce, cnonce, qop, etc.) and then compare it to the HTTP hash.

This can be implemented as a solution only from the very beginning, or, optionally, you'd recreate the whole server store - fat chance anyone would bother with that.

I'll leave this issue open for a while, maybe someone smarter will come up with an answer.

Thanks!
 

Author Comment

by:aquarius003
ID: 20113395
Additional issue: since IIS can be configured to work this way with AD, would anyone know if there is a way to configure other web servers (Tomcat, for example) to integrate with AD for this purpose?
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20117174
IIRC, tomcat itself does not have authentication built in; you need to write it yourself or use a proxy in front of tomcat.

Regarding digest and LDAP, it seems that you dug into the behaviour correctly, sigh.
 
LVL 27

Expert Comment

by:Nopius
ID: 20161227
> The only way I see is to have a directory server store cleartext passwords.

Exactly.

> Additional issue: since IIS can be configured to work this way with AD, would anyone know if there is away to configure other web servers (Tomcat, for example) to integrate with AD for this purpose?

That means also that AD keeps plaintext passwords OR that IIS always uses the same (stale) digest-challenge value and keeps one more hashed password value in AD for each user.

Now back to your problem. You may use a squid proxy as a front-end for your server. It can be used as an accelerating server performing digest + LDAP: http://wiki.squid-cache.org/KnowledgeBase/Using_the_digest_LDAP_authetication_helper
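The thread's point (the author's "hash of a hash" comment above, and Nopius's remark that a verifier needs either the plaintext or "one more hashed password value" per user) can be made concrete by computing the RFC 2617 digest on both sides. The following is an added example, not code from the thread or from any of the products mentioned: it builds a constructed Authorization header for a hypothetical user, then tries to verify it against three forms of stored credential. The directory record, attribute names (`cleartextPassword`, `digestHA1`), nonce and realm are all made up for the illustration.

```python
import base64
import hashlib
import hmac
import re

REALM = "example.org"  # assumed realm; HA1 is bound to it


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username: str, realm: str, password: str) -> str:
    """HA1 = MD5(username:realm:password) per RFC 2617. This is the only
    derived value a verifier can keep instead of the cleartext password."""
    return md5hex(f"{username}:{realm}:{password}")


def digest_response(ha1_value, method, uri, nonce, nc, cnonce, qop):
    """response = MD5(HA1:nonce:nc:cnonce:qop:HA2) for qop=auth. The server
    nonce, cnonce and qop are inside the outer hash, so it changes per request
    and cannot be compared against anything stored in a directory."""
    ha2 = md5hex(f"{method}:{uri}")
    if qop:
        return md5hex(f"{ha1_value}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return md5hex(f"{ha1_value}:{nonce}:{ha2}")  # RFC 2069 form, no qop


def build_client_header(username, password, realm, nonce, method, uri, cnonce,
                        nc="00000001"):
    """What a browser sends back after the 401 challenge (constructed here)."""
    resp = digest_response(ha1(username, realm, password), method, uri,
                           nonce, nc, cnonce, "auth")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]+))')


def parse_digest_header(header: str) -> dict:
    """Split the comma-separated key=value list; quoted and bare values both occur."""
    if not header.startswith("Digest "):
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): (m.group(2) if m.group(2) is not None else m.group(3))
            for m in _PARAM_RE.finditer(header[len("Digest "):])}


def ssha(password: str, salt: bytes) -> str:
    """OpenLDAP-style {SSHA} userPassword value: base64(sha1(pw + salt) + salt)."""
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


# Constructed directory record for one hypothetical user. A real directory
# normally holds only the salted one-way {SSHA} form.
PASSWORD = "correct horse battery staple"
DIRECTORY = {
    "alice": {
        "userPassword": ssha(PASSWORD, b"\x01\x02\x03\x04"),  # what LDAP usually has
        "cleartextPassword": PASSWORD,                         # what the thread says Digest needs
        "digestHA1": ha1("alice", REALM, PASSWORD),            # realm-bound alternative
    }
}


def verify(header: str, method: str, credential: str) -> bool:
    """Verify a Digest response using one stored credential form:
    'cleartext', 'ha1' or 'ssha'. Returns True only when the response matches."""
    p = parse_digest_header(header)
    rec = DIRECTORY.get(p.get("username", ""))
    if rec is None or p.get("realm") != REALM:
        return False
    if credential == "cleartext":
        h1 = ha1(p["username"], REALM, rec["cleartextPassword"])
    elif credential == "ha1":
        h1 = rec["digestHA1"]
    elif credential == "ssha":
        # The best one can do with a salted hash is feed it in as if it were the
        # password. The client hashed the real password, so this never matches.
        h1 = ha1(p["username"], REALM, rec["userPassword"])
    else:
        raise ValueError(credential)
    expected = digest_response(h1, method, p["uri"], p["nonce"],
                               p.get("nc"), p.get("cnonce"), p.get("qop"))
    # A real gateway must additionally check that nonce was issued by it and is
    # unexpired, and that nc has not been replayed; both are omitted here.
    return hmac.compare_digest(expected, p.get("response", ""))


if __name__ == "__main__":
    nonce, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "0a4f113b"  # constructed
    hdr = build_client_header("alice", PASSWORD, REALM, nonce, "GET", "/secure/", cnonce)
    for kind in ("cleartext", "ha1", "ssha"):
        print(f"{kind:>9}: {verify(hdr, 'GET', kind)}")
```

Only the cleartext and HA1 cases verify; the `{SSHA}` case fails no matter what the gateway does with it, which is the thread's conclusion. Storing HA1 instead of the cleartext password is the usual compromise, but note that HA1 is tied to one realm and is itself a password-equivalent for Digest: whoever reads it can authenticate as the user without ever learning the password.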
 
LVL 27

Accepted Solution

by:Nopius (earned 2000 total points)
ID: 20161256
Also Sun Java Web server 7.0 supports LDAP based digest authentication: http://docs.sun.com/app/docs/doc/819-2629/6n4tgd1t3?l=ru&a=view
 
LVL 1

Expert Comment

by:Computer101
ID: 20526456
Forced accept.

Computer101
EE Admin