Buchan Milne wrote:
On Thursday 26 June 2008 12:32:04 Michael Ströder wrote:
> Bear in mind that in a single password environmemt proxy authentication
> (like with Squid) is somewhat a security risk anyway since the password
> is transferred in clear over the wire to the proxy for each HTTP hit
> going through the proxy.
Unfortunately, however, it does not seem that there is any secure proxy
authentication scheme for an entirely Unix environment (Mozilla on Unix as
the client, Squid on Unix as the proxy server), even with Kerberos
infrastructure in place.
Hmm, Mozilla has NTLM support. I'm using it with SPNEGO/Kerberos
(together with CAS). Not sure whether that would work with
>> I have also started discussions with some web application
>> (e.g. Catalyst).
> I'd rather recommend to use a decent WebSSO system and integrate web
> servers/applications with that central authentication component because
> when using centralized passwords you don't want to transmit the password
> to every integrated system. Rather in a SSO system system see only
> short-time tickets. I'm successfully using CAS for that in one customer
> project. It works pretty well and the developers are very responsive.
Indeed, but if you have existing applications on an existing framework that
has LDAP support (we use SSL end-to-end), then it should have support for
But it may be less overall work to add support for expiring passwords to
one central authc instance and integrate systems with that. Because you
always have to redirect the user to a password change form. Implementing
this interaction is the problem for most systems. Look at Apache's
mod_auth_ldap which does not provide a interactive UI at all. It simply
cannot provide the user interaction needed.
Migrating to an SSO system would be an option, but I have
many more features which have higher priority ...
Your mileage may vary...
In this specific case,
there are also advantages to the application having access to the clear-text
password (as it can then be used with the logged-in users credentials to
perform operations on other devices which authenticate against the same
system, but have no SSO support).
Yes, web2ldap is working like that.
Either people should stop shipping web server authentication
modules for LDAP, or they should have password policy support.
Let's look at a very simply case: How should a web server which
implements HTTP basic authc implement the user interaction needed? It
simply relies on the browser popping up the login window, nothing else.
What you could do is redirect the user to an error page implemented as
CGI-BIN which makes further checks. You can do that yourself.