I'm beginning to think
we're chasing our tails. IE is going to pass the credentials in NTLM
format, I believe. Even if we got the username right, I'm thinking maybe
the password won't be readable by mod_authn_ldap. I don't know.
IE can do one of 3 things, as far as I know:
1) if it is doing Basic authentication, it will pass the user-id and
password (as entered by the user in the pop-up login dialog), both
merely encoded in a Base64 format.
It passes that in an "Authorization:" request header.
2) if it is doing Digest authentication, it will pass the user-id and a
cryptic "token" based on the user-id and password entered by the user in
a pop-up login dialog. The server-side must then somehow verify that
this token matches one generated server-side on the base of the user
password.
It passes that in an "Authorization:" request header.
That is anyway not what you want here.
3) if it is doing NTLM authentication, then it will also pass the
user-id and a token, but as a result of a multi-step negotiation with an
appropriate NTLM module on the server, which itself needs to talk to a
Windows Domain Controller etc.
At the end of all that, IE will pass the user-id and token to the server
with the request, in, I believe, a WWW-authenticate: header.
But that token does not contain the password, and IE at no point gets to
know the password.
But maybe do not give up yet.
If you are in a Windows Domain, and it is inside a corporate
environment, then presumably this REMOTE_USER that IE is sending, is
already the result of some secure Domain authentication which happened
before.
And if so, you might be able to accept it as secure enough, and use its
content as a user-id.
The whole point now is to know whether you really need to know the user
password, or if the mere fact of verifying that the user indeed exists
in the LDAP system is enough (and maybe not even that).
It all depends if you want to provide a really secure login system, or if
your purpose is to provide a user-friendly SSO mechanism for Apache
applications.
One item just to clear up a lingering doubt: when you show the user-id
that auth_ldap is dumping to the logfile, was that the result of a popup
login dialog in IE, or was there no such popup dialog involved?
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
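The three cases listed in the message above, as an added example that is not code from the original post or from the Apache project: a small parser shows what a server-side module actually receives for each scheme (only Basic hands it a readable password; Digest and NTLM carry tokens), and a Digest verifier shows why the server needs its own copy of the password to check the token. Header values, user names and the nonce are constructed; the NTLM blob is a placeholder, not a real negotiation message.

```python
import base64
import hashlib
import hmac
import re


def _digest_params(rest):
    # Parse key="value" pairs; sufficient for the constructed samples below.
    return dict(re.findall(r'(\w+)="([^"]*)"', rest))


def parse_authorization(header):
    """Split an Authorization header the way a server-side module sees it.
    Returns (scheme, user, password); password is None when the scheme
    never transmits it (Digest, NTLM)."""
    scheme, _, rest = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        # Base64 is encoding, not encryption: user-id and password are both readable.
        user, _, password = base64.b64decode(rest).decode("utf-8").partition(":")
        return scheme, user, password
    if scheme == "digest":
        return scheme, _digest_params(rest).get("username"), None
    if scheme == "ntlm":
        # Opaque base64 NTLM message; the user-id sits inside the binary
        # structure and no password is carried at all.
        return scheme, None, None
    raise ValueError("unsupported scheme: %s" % scheme)


def digest_response(user, realm, password, method, uri, nonce):
    """RFC 2617 Digest token without qop: MD5(HA1 ':' nonce ':' HA2)."""
    ha1 = hashlib.md5(("%s:%s:%s" % (user, realm, password)).encode()).hexdigest()
    ha2 = hashlib.md5(("%s:%s" % (method, uri)).encode()).hexdigest()
    return hashlib.md5(("%s:%s:%s" % (ha1, nonce, ha2)).encode()).hexdigest()


def make_digest_header(user, realm, password, method, uri, nonce):
    """Build the Authorization header a browser sends after a Digest challenge."""
    resp = digest_response(user, realm, password, method, uri, nonce)
    return ('Digest username="%s", realm="%s", nonce="%s", uri="%s", response="%s"'
            % (user, realm, nonce, uri, resp))


def verify_digest(header, method, password_lookup):
    """Server side: recompute the token from the stored password and compare.
    This only works because the server holds the password (or HA1) itself;
    the header alone never reveals it."""
    p = _digest_params(header.partition(" ")[2])
    expected = digest_response(p["username"], p["realm"], password_lookup(p["username"]),
                               method, p["uri"], p["nonce"])
    return hmac.compare_digest(expected, p["response"])


# Constructed sample headers (not taken from the original thread).
BASIC_HEADER = "Basic " + base64.b64encode(b"jdoe:s3cret").decode()
NTLM_HEADER = "NTLM " + base64.b64encode(b"NTLMSSP\x00constructed-placeholder").decode()
```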