IIRC Apache (with or without modssl) passes the PHP_AUTH_USER and
PHP_AUTH_PASSWORD values from logged in sessions to PHP. It is possible to
use PHP to handle the authentication itself. A simple way to clear them is
to explicitly set these values to NULL, 0, "" or whatever you prefer at the
start of a script.

As I hope that you are aware, using the LDAP module over SSL still ensures
that the username and password are encrypted, so I don't actually see that
there is an issue with having these variables set.

As for writing your logged in name into the log, that is what Apache does
whenever you authenticate with the auth module. I've been trying to find a
way to capture NT or Netware usernames this way, but have had no success so
far. There used to be a trick where an image on a Samba share could be put
on a web page and NT would kindly send its username and password in
cleartext when you access the file. Since SP3 this has been disabled.

No doubt I'm entirely wrong and flames will follow...

- 
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED] 


> -----Original Message-----
> From: Michael Weisbach [mailto:[EMAIL PROTECTED]]
> Sent: 29 March 2001 11:57
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: OT?: paranoide installation of php4 and auth_ldap
> 
> 
> 
> Hello PHP-folks, Apache-folks and mod_ssl-folks,
> 
> I've a little mysterious phenomenon and I hope anyone can help me :)
> 
> First of all, my configuration:
>       apache_1.3.19
>       mod_ssl-2.8.1-1.3.19
>       auth_ldap-1.5.3
> and   php-4.0.4pl1
> ... very nice at all.
> 
> On my server I've a test-directory /tests/ with php-info.html, that works
> fine (php4 up'n'running). It's only ssl-secured and doesn't use any kind
> of auth-features!
> 
> Secondly I've configured /server-info on the same host with SSL (of course;)
> and with ldap_auth authentication, that works also fine.
> 
> If I access php-info.html with netscape newly started there is no
> 'problem'. The access_log looks like
> 
> 123.123.123.123 - - [29/Mar/2001:12:38:46 +0200] "GET /tests/php-info.html?=PHPE9568F35-D428-11d2-A769-00AA001ACF42 HTTP/1.0" 200 4440 "https://tirnanog.tuts.nu/tests/php-info.html" "Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)"
> 
> Fine, isn't it? (php appends session information?... maybe bad, but okay)
> 
> Now I access /server-info and type in my uid and password,
> the apache/auth_ldap works fine, I get the page:
> 
> 123.123.123.123 - - [29/Mar/2001:12:43:08 +0200] "GET /server-info HTTP/1.0" 401 471 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)"
> 123.123.123.123 - mwei [29/Mar/2001:12:43:16 +0200] "GET /server-info HTTP/1.0" 200 46109 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)"
> 
> Fine.
> 
> Now I access /tests/php-info.html once again:
> (Remember - there is no password-check at all!)
> 
> 123.123.123.123 - mwei [29/Mar/2001:12:44:26 +0200] "GET /tests/php-info.html HTTP/1.0" 200 72068 "-" "Mozilla/4.76 [en] (X11; U; Linux 2.2.17 i686)"
> 
> Huh? First of all 'mwei' (my ldap authenticated user-id) is being logged?!
> But the real bad thing: PHP_AUTH_USER and the unencrypted PHP_AUTH_PASSWORD
> (because auth_ldap works with AuthType=Basic) are set! Not very nice at
> all, I think.
> 
> What's happening? How can I prevent this stupid password-passing through php4?
> 
> IMHO there is no need to pass auth-information to php4 (okay, the
> PHP_AUTH_USER is needed; but password not!) because I want only auth_ldap
> checked auth-areas on my w3-server and this works very well.
> 
> Thnx a lot 4 help or hints,
> 
>       -- Micha
> 
> P.S. Pls. make a Cc: on my email account too. Thnx.
> 
> -- 
> 42rd Law of Computing: Anything that can go wro
> pine: Segmentation violation: Core dumped ^J&6§4^+^)NO CARRIER
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
> 

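The reply above suggests clearing the Basic-auth variables at the top of any script that does not do its own authentication. The following PHP is an added example, not code from either poster or from the PHP project; it assumes PHP 7.1 or later (the `$_SERVER` superglobal, `??` and nullable return types) and uses PHP's actual variable name, `PHP_AUTH_PW`, for what the thread calls `PHP_AUTH_PASSWORD`.

```php
<?php
// Added example: scrub Apache-supplied Basic-auth credentials before any
// code (or phpinfo()) can expose them. Assumes PHP >= 7.1.
// PHP exposes the Basic-auth password as PHP_AUTH_PW, not PHP_AUTH_PASSWORD.

/**
 * Remove the password (and the raw Authorization header, if the SAPI
 * happened to pass it through) from the arrays PHP populates, keeping only
 * the username so it can still be logged. Returns the username, or null
 * when the request carried no credentials at all.
 */
function scrubBasicAuth(array &$server, array &$env): ?string
{
    $user = $server['PHP_AUTH_USER'] ?? null;
    $secrets = ['PHP_AUTH_PW', 'HTTP_AUTHORIZATION', 'REDIRECT_HTTP_AUTHORIZATION'];
    foreach ($secrets as $key) {
        // $_ENV only carries these if variables_order includes "E".
        unset($server[$key], $env[$key]);
    }
    return $user;
}

/**
 * Audit helper: true when a server-variable array still carries a secret.
 * Use it as a guard in front of phpinfo() on a diagnostics page.
 */
function carriesBasicAuthSecret(array $server): bool
{
    return isset($server['PHP_AUTH_PW']) || isset($server['HTTP_AUTHORIZATION']);
}

// Call this first thing in scripts that sit under a realm protected by
// auth_ldap but do not authenticate anything themselves (the /tests/ case).
$who = scrubBasicAuth($_SERVER, $_ENV);

if (carriesBasicAuthSecret($_SERVER)) {
    header('HTTP/1.0 500 Internal Server Error');
    exit('refusing to render diagnostics while credentials are present');
}

// Only the username survives; the password is gone before phpinfo() runs,
// so its "PHP Variables" section no longer lists PHP_AUTH_PW.
error_log('php-info viewed by ' . ($who ?? 'anonymous'));
phpinfo();
```

Scrubbing `$_SERVER` only hides the credentials from code that reads `$_SERVER`; `apache_request_headers()` reads the raw request headers and would still return the Authorization header.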
-- 
PHP Install Mailing List (http://www.php.net/)
